The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing. There has been a substantial amount of complacency in the Information Technology and Security fields. There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training… Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press. I have said it before, and I will say it again, although saying it before has cost me at least one job.
Regulatory Compliance DOES NOT equal Security!!
If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly. In an age where attackers are getting organized and popping up like mushrooms, and where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid, enterprise-encompassing STRATEGY.
Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems. We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent. The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain. We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.
A big part of the problem is that employees simply have too much access. The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years. So what are you doing about these recent attacks?
- Make sure the core assets are identified and thoroughly protected.
- Make sure that all access points to those assets are protected.
- Make sure that all endpoints that will access those assets are hardened and protected.
- Make sure that all access to those assets is authorized and authenticated.
- Make sure that all access requests for those resources are justified.
- Make sure that you know what “normal” looks like.
- Make sure that you are monitoring for anomalies.
- Make sure that you know what to do in the event of anomalies.
- Make sure that you know what to do in the event of a breach.
- For God's sake, PATCH! EVERYTHING!
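The two checklist items about knowing what “normal” looks like and monitoring for anomalies are easier to act on with a concrete baseline. The following is an added example, not code from the original post: it builds a per-user profile (which assets they touch, at which hours) from a constructed window of access-log lines, then flags later events that fall outside that profile. The log format, user and asset names are all made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post): timestamp, user, asset
BASELINE_LOG = """\
2011-06-13T09:12:03 user=alice asset=payments-db action=read
2011-06-13T10:41:19 user=alice asset=payments-db action=read
2011-06-14T14:05:52 user=alice asset=payments-db action=read
2011-06-14T11:30:00 user=alice asset=hr-share action=read
2011-06-13T09:02:44 user=bob asset=hr-share action=read
2011-06-13T13:15:27 user=bob asset=hr-share action=write
2011-06-14T16:48:10 user=bob asset=hr-share action=read
"""

# Constructed events to evaluate against the baseline above
NEW_LOG = """\
2011-06-15T10:07:31 user=alice asset=payments-db action=read
2011-06-15T09:33:02 user=bob asset=payments-db action=read
2011-06-16T03:14:58 user=alice asset=payments-db action=read
2011-06-16T02:50:11 user=mallory asset=payments-db action=read
"""

LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T(\d{2}):\d{2}:\d{2} user=(\S+) asset=(\S+)")

def parse(log):
    """Yield (user, asset, hour) from each well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(1))

def build_baseline(log):
    """Per user: the assets touched and the hours of day seen during the baseline window."""
    baseline = defaultdict(lambda: {"assets": set(), "hours": set()})
    for user, asset, hour in parse(log):
        baseline[user]["assets"].add(asset)
        baseline[user]["hours"].add(hour)
    return baseline

def find_anomalies(baseline, log, hour_slack=1):
    """Return (user, asset, hour, reason) for events that deviate from the user's baseline."""
    flagged = []
    for user, asset, hour in parse(log):
        profile = baseline.get(user)  # .get() does not create a default entry
        if profile is None:
            flagged.append((user, asset, hour, "user never seen in baseline"))
        elif asset not in profile["assets"]:
            flagged.append((user, asset, hour, "asset outside user's baseline"))
        elif all(abs(hour - h) > hour_slack for h in profile["hours"]):
            flagged.append((user, asset, hour, "hour outside user's baseline"))
    return flagged

if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(hit)
```

Each flagged event maps back to a checklist item: an asset outside the baseline is an access that should have been justified, and an unknown user or an off-hours access is exactly the kind of anomaly the response plan needs to cover.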
These attacks are going to escalate. Organizations must implement these basic steps in order to make the hacker’s job harder. If the initial probing and basic attacks fail, MOST attackers are going to move on. Dedicated attackers will try everything. Key among their arsenal will be Social Engineering attempts. These can take the form of targeted emails containing attachments or links, phone calls, snail-mail campaigns, and even site visits or interviews. If they want in bad enough, they could join your organization and operate from the inside.
- Control Access. The best thing you can do is disconnect people from things they don’t actually need. Don’t just offer access to everything, it’s convenient, but sloppy.
- Defense In Depth. Layer your security controls. Put controls in at different layers of the OSI model, or logical locations, or whatever.
- Plan Breach Response. You have scenarios in your disaster recovery plans for a major storm, or for flooding. Plan now for handling a Cyber-Storm. Consider all of the potential impacts that an attacker bent on hurting your business can bring: Denial of Service, System Penetration, Network Penetration, Data Exfiltration, Data Deletion, Account Compromise, etc.
- Containment. Shutting certain systems down may make it harder for hackers to navigate through your network infrastructure. The harder they have to work, the more evidence they will leave behind. If you can delay them long enough, they may give you time to gather valuable intel, and to get law enforcement involved.
- Admit Fault. Eventually, an attacker will get in. It is virtually inevitable. They only need to find a single weakness; you need to address them all. That’s why you need a plan, and a diplomatic approach to address customers after a breach. Quickly. Engage the right folks, though. Don’t just do this yourself.
- Be Prepared To Negotiate. When you find yourself surrounded by sharks, and hitting them with the oars isn’t working, it may be time to toss your sandwiches far away from the boat. You should try countermeasures, but if all else fails, you also need social engineering techniques of your own to defuse the issue and come to an agreement. The attacker might end up teaching you where you missed something, or what you might have done better. It may be a difficult and unsavory lesson, but chew on it good and long.
- Stay Up-To-Date. Many of these attacks exploit fairly old or simple vulnerabilities, like default passwords or unpatched software and Web services. Do the basics. Know what applications are present in your environment, and keep them patched.
Good luck out there. I hope your security strategy works for you.