Organizations with Immunity to Security Attacks

posted Jul 31, 2014, 6:56 PM by Jesse Glidden 

In April of 2014, I attended an ISSA webinar (sponsored by Ixiacom.com) that discussed organizations that seem immune to security attacks. I'll share a few of the salient points.

Risk Analysis

  • It's not about resources; it's about a risk-based effort, because you will never have adequate resources.

  • Take a risk-based approach.

Ask yourself these three questions:

  1. What is the risk?

  2. Is it the highest priority risk?

  3. What is the most cost-effective method of reducing risk?

  • Threats: offense must inform the defense

  • Risk = Threat * Vulnerability

    • Threat ~ Likelihood

    • Vulnerability ~ Impact

What are the current risks an organization faces?

  • Data Theft

  • Long-term compromise

  • Loss of Command and control capability

  • Loss of Competitive Advantage

What are some of the current threats?

  • Trusted insiders

  • Supply chain threats (e.g., Target)

What are some of the vulnerabilities?

  • Lack of segmentation (access controls, permissions, etc.)

    • Control and minimize damage by "heavily segmenting" data systems

  • Restrict access to critical data (and especially to the most critical data), and identify where that data is

  • Systems not sufficiently hardened

    • For instance, who has direct access to PCI POS systems?

So you need to know a few things:

  • What is your critical data, and where is it located in your organization?

  • What servers is your data on?

  • You need an accurate, current network diagram

Consider this exercise:

  1. Identify all critical data (assets), and the business processes that support it.

  2. List all threats, starting with the highest likelihood of success to your organization

  3. List all vulnerabilities, starting with the highest impact, based on threats that are tied to your critical assets

Number 3 in the above list becomes your action plan; this is where you focus your efforts in the upcoming short term. [This is what we at RGC consider a risk analysis, with a risk management plan.]
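As an added worked example (not from the webinar or this post), here is the three-step exercise above carried through in code: findings tie a vulnerability to a threat and a critical asset, risk is scored as Threat * Vulnerability using likelihood and impact, and the ranked list becomes the action plan. Asset names, scores and fix costs are constructed sample values, and `fix_cost` is an assumed field used to answer the "most cost-effective method" question.

```python
from dataclasses import dataclass

# Risk = Threat * Vulnerability, with Threat ~ likelihood and
# Vulnerability ~ impact, as stated in the webinar notes.
@dataclass(frozen=True)
class Finding:
    asset: str          # critical data asset (step 1)
    threat: str         # threat tied to that asset (step 2)
    vulnerability: str  # weakness the threat would exploit (step 3)
    likelihood: int     # 1 (rare) .. 5 (expected)
    impact: int         # 1 (negligible) .. 5 (business-ending)
    fix_cost: int       # assumed relative cost of the mitigation, 1 .. 5

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def value_per_cost(self) -> float:
        # Question 3: which mitigation buys the most risk reduction per unit cost?
        return self.risk / self.fix_cost

# Constructed sample findings for a fictional retailer (not real assessment data)
FINDINGS = [
    Finding("Cardholder data (POS)", "Supply-chain vendor credential abuse",
            "Flat network: vendor VLAN can reach the POS segment", 4, 5, 3),
    Finding("Customer PII database", "Accidental insider (phishing)",
            "Macros allowed in Office documents received by e-mail", 5, 4, 1),
    Finding("Product roadmap", "Competitor / deliberate insider",
            "No access logging on the file share", 2, 3, 2),
    Finding("Internal wiki", "Opportunistic scanning",
            "Unpatched web server", 3, 1, 1),
]

def action_plan(findings, top_n=3):
    """Top findings ranked by risk (highest first); ties go to the cheaper fix."""
    ranked = sorted(findings, key=lambda f: (-f.risk, f.fix_cost))
    return ranked[:top_n]

def best_value(findings):
    """The finding whose mitigation gives the most risk reduction per unit cost."""
    return max(findings, key=lambda f: f.value_per_cost)

if __name__ == "__main__":
    for f in action_plan(FINDINGS):
        print(f"risk={f.risk:2d} cost={f.fix_cost} {f.asset}: {f.vulnerability}")
    print("best value:", best_value(FINDINGS).vulnerability)
```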

Targeting

Be sure to differentiate between the source of the threat and the cause of damage. Many believe that the biggest source of threats today is external: foreign adversaries, competitors, etc. Yet the cause of damage is often an "accidental insider" who is tricked into doing something they would not normally do if they knew the impact of their action, or if they were even aware of what they were doing. Good organizations can therefore reduce this likelihood with awareness training. Organizations often over-allocate resources to the external threat while under-allocating resources to insider, supply chain, internal unpatched systems, and similar threats.

What are the classic core characteristics of an attack?

  • Target an individual/system

  • Deliver payload to system

  • Upload files to the system

  • Run processes

  • Survive a reboot

  • Make outbound connections (beacons to C2)

  • Perform internal reconnaissance

  • Pivot into the network

Why are attacks successful? Here are a few reasons:

  • Organizations do not have security devices properly configured

  • Organizations don't understand the difference between a product and a solution

  • Lack of data classification, or segmentation

  • Insufficient logging and correlation

  • Too much data visibility on the internal network

  • Minimal asset management and configuration control

  • Failure to institute least privilege

Here are a few more reasons:

  • No risk management program

  • No employee training

  • No policies

Remember, the source of the damage may be external, but the cause of the damage is internal!

Insider Threats

The deliberate insider is the most difficult threat to mitigate. The most you can do for these threats is to focus on authorization and access policy. For the accidental insider, however, you want to focus on:

  • Differentiate between required functionality and optional functionality

  • Typical avenues of attack, such as

    • Exe attachments

    • Macros embedded in Office documents

    • Active scripting

    • HTML embedded content

  • Differences in activity between a normal user and an insider threat

  • Activity patterns focused on data:

    • Amount of data accessed

    • Failed access attempts

    • Data copied or sent to external sources

How do you detect the accidental insider? Look for the differences in activity between a normal user and an insider threat:

  • Almost all external attackers attempt to set up command & control (C2)

  • Activity patterns focused on data:

    • Amount of data accessed

    • Failed access attempts

    • Data copied or sent to external sources

  • Focus on outbound traffic

    • Number of connections

    • Length of the connections

    • Amount of data

    • Percent that is encrypted

    • Destination IP address
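As an added example (not from the webinar or this post), the detection logic below summarizes outbound connections along the five axes just listed (number of connections, their length, amount of data, percent encrypted, destination) and flags the two patterns called out earlier in the post: the regular outbound beacons that C2 tends to produce, and large volumes of data sent to external destinations. The log format, the sample lines and the internal range 10.0.0.0/8 are constructed assumptions for this example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample log, one outbound connection per line:
# epoch_seconds src_ip dst_ip bytes_out duration_seconds tls(0/1)
LOG = """\
1406851200 10.0.1.15 203.0.113.9 512 2 1
1406851260 10.0.1.15 203.0.113.9 530 2 1
1406851320 10.0.1.15 203.0.113.9 498 2 1
1406851380 10.0.1.15 203.0.113.9 520 2 1
1406851400 10.0.1.22 198.51.100.4 180000 40 0
1406851900 10.0.1.22 198.51.100.7 9000 3 1
1406851950 10.0.1.15 10.0.2.5 4000 1 0
"""
# Assumption for the sample: everything in 10.0.0.0/8 is internal, the rest external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def summarize(log: str) -> dict:
    """Per (src, dst): number of connections, total seconds, bytes, % encrypted, timestamps."""
    flows = defaultdict(lambda: {"n": 0, "secs": 0, "bytes": 0, "tls": 0, "ts": []})
    for line in log.splitlines():
        ts, src, dst, nbytes, dur, tls = line.split()
        f = flows[(src, dst)]
        f["n"] += 1; f["secs"] += int(dur); f["bytes"] += int(nbytes)
        f["tls"] += int(tls); f["ts"].append(int(ts))
    for f in flows.values():
        f["pct_encrypted"] = 100.0 * f["tls"] / f["n"]
    return dict(flows)

def beacon_candidates(flows, min_conns=4, max_jitter=0.1):
    """External destinations contacted >= min_conns times at near-constant intervals."""
    hits = []
    for (src, dst), f in flows.items():
        if not is_external(dst) or f["n"] < min_conns:
            continue
        ts = sorted(f["ts"])
        gaps = [b - a for a, b in zip(ts, ts[1:])]  # seconds between connections
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst))
    return hits

def bulk_external_senders(flows, min_bytes=100_000):
    """(src, dst) pairs that pushed >= min_bytes to an external destination."""
    return [k for k, f in flows.items() if is_external(k[1]) and f["bytes"] >= min_bytes]
```

On the sample above, the 60-second cadence from 10.0.1.15 to 203.0.113.9 is reported as a beacon candidate and the 180 kB transfer from 10.0.1.22 as bulk external sending; on real data the thresholds are tuning knobs, not verdicts.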