I recently went to a meeting with an experienced security expert who had been dealing with physical security for most of his career. He described in considerable detail how they had systems with a large number of alarms, cameras and other detection systems all networked together and presented to their national operations centre where operatives could view activity from a number of sites. It was an impressive system with shifts rotated so guards did not collaborate, with cameras able to detect movement so they were not continuously requiring monitoring and so on. However, the question was raised as to who monitored the monitors. The complex and vulnerable network along with the sophisticated systems were not themselves being monitored for malicious activity, and meant that these security systems now operated as a potential attack vector for criminals requiring access to the systems being defended.
Physical security is not alone in being the ‘way in’ for many attackers. Target’s Achilles heel was their HVAC supplier who had remote access to Target’s network. Phone systems have allowed toll fraud and remote access as they are now IP enabled. Server support companies can have weak security themselves and so on. This is in addition to the more commonly recognised attack vectors of email, social media, web browsing and USB sticks. All companies are valuable, and if it is not the company’s data and systems under attack then it is their customers or suppliers who are the target.
It leads to considering how companies approach security, it is trailing so far behind where it should be but this has been the siren call for many of my years in the industry. The problem has been that it has appeared – to those in the know – that for too long companies have hidden in the crowd, hoping not to be picked on. Now, the tide is coming in, each day a new attack is reported, with the damage this does to the company compromised and to all their customers who may suffer many years of identity fraud, targeted marketing, social engineering, spam and other crimes. The government is now catching up, with Cyber Essentials and Cyber Essentials Plus, but for too long companies have relied on infrequent and poorly implemented cycles of: • Health checks • Software updates • Patching • Updating anti-malware All of these are important activities; they are the basics without which any network is going to be easy pickings for even the dimmest of attackers. Without the latest updates and patches, new attacks cannot be defended against and without good anti-malware, a company is vulnerable to all the attacks that have happened in the past – and we frequently see old techniques being implemented by attackers as they know these basic approaches are not always implemented. In fact, it can be difficult to know the status of hosts on a network without a rigorous patching regime and regular vulnerability scanning. I hear frequently the mantra about training being The Answer. It is not The Answer, given the current state of defences, no single element is The Answer but for some reason training or education is seen as pre-eminent. However, anyone who has done training will know it is a long and complex business and it costs a lot of money. It needs to be done so well and repeated so often that it can prove a major expense. It is compounded in the time that the personnel being trained are not working at their day job, the money it costs to pay good educators and the effort needed to deliver a programme that puts the message across in an accessible and memorable fashion. I have seen very sophisticated videos costing thousands of pounds delivering the message in a humorous way but like so many good adverts where you remember the joke but not the product, these videos are more notable for their humour than their lasting effect. So education is part of the solution but it isn’t a panacea.
Strategy in 2015
So what strategy should be adopted in the next year? It seems to be received wisdom, this year, to assume that you have been compromised. This is a pragmatic strategy, it does not mean giving up on perimeter security or preaching the perimeter is dead – it isn’t – it is sick and getting sicker, but it is hanging on in there. Your firewall and anti-virus are doing a good job in making compromise more difficult, but it is only too clear from scanning the press that it is far from infallible. For instance, our penetration testers will create new malware for each test that they do as they know that will get them through the firewall and the anti-virus, as the firewall lets email through by necessity, and the new malware will not be recognised by the AV – and in every enterprise there is the person who ‘clicks’. He or she will click on links in emails, on links on dubious websites and on attachments sent by a very nice lady in Skype. Education will help, and running regular tame phishing campaigns means that you learn who clicks and who does not. This helps target those individuals who click, and allows you to work on them. Being compromised is not the end of the World, you still have time if you have hardened your network to investigate how hackers operate. Plenty of white hat hackers are writing blogs on how attacks occur, this lets you know how to defend against them, what to look for and the importance of good policies, procedures and processes. If nothing else in 2015, resolve to stop looking at the next shiny solution from vendors with deep pockets – and hence large mouths – and start with your policies. Derive procedures and processes and only then move to considering how you monitor and control them. You need to know the value of assets in your network, so carry out the risk assessment and know the relative values of the company’s crown jewels. The policies, procedures and processes will help you decide on what you need to deliver them. The issue then is ensuring that they are configured and patched. Staff need time and experience to set up systems securely as they were intended, and one of the many ways-in to any network is looking for badly configured systems. So, once systems are in place, have them tested. Vulnerability scans should be part of the weekly, monthly or quarterly process, both inside and out. The results of these scans should then become a task list to improve security. However, these tests need to be backed up by penetration tests on a regular basis. Vulnerability scans come out with a multitude of warnings, but how can you know if they are actually exploitable? And if they are exploitable, how serious is the exploit? Do secondary measures protect the system, or is the value of any asset accessible through the exploit completely worthless? A penetration test will tell you this. It is a manual process and it is man or woman, not the tools you should be assessing – what qualifications does he have? The right exams are hard, continuous 24/48 hour exams – it gives you an idea of the calibre and dedication of the tester. What experience does he have, who else has he tested and is he reliable and ethical? Lastly, always request a report – see what you are going to obtain out of the test, is it clear, does it provide clear actions to resolve issues discovered? Once the tests are done, holes will have been found in the defences. Policies will need to be changed, new procedures and processes introduced and systems reconfigured and updated to protect the organisation. But you cannot have your tester constantly testing your systems. He or she has limited time to test your systems, but you will know the actual state of the organisation’s security based on facts, not assumptions or opinions. So the strategy is to assume holes that have been missed and adopt a continuous state of compromise. Have a policy of vigilance – too many companies have no visibility of their network, they do not know the protocols being used on their network, or the applications installed or what systems are on their network. So if something changes, or unusual behaviour takes place, it goes unnoticed. Companies are regularly compromised for months without knowing it, they find out only when their data appears on the internet, an intelligence agency lets them know or, worst of all, a supplier or customer tells them that they are compromised. Yet, 84% of all compromises leave evidence in log files. Easily sourced external threat intelligence can identify if communication is happening with servers with disreputable reputations or that files are being transferred illegally. There are so many other attributes that, if being looked for, could indicate that a company has been breached. This early knowledge reduces the time an attacker can stay resident on the network and hence reduce the damage that can be done. There are many systems available to do all that has been described above, and more. It seems, if you are to believe what they claim, that they can actually deliver miracles. The truth is that they do deliver some good results, but no single solution is a cure-all. You need to view your data from a wide range of sources, bring those sources together so that you can take evidence from each source and build the picture. This provides for a greater degree of accuracy in the alarms that are generated but no matter what systems you put in place, you are going to need someone to manage and monitor them – and 24/7 security teams do not come cheap. The issue is that these are the resource you need most, they will probably see trends, if fed the right information, long before the most impressive artificial intelligences. They will work out the best remediation strategy for your network which reduces the impact of the attack and they will be there to suggest modifications to the policies, procedures and processes that will feed back into the continuous improvement that has to be the keystone to your security strategy.
So, what are the keys points to drag out of this to summarise our Cyber Security strategy for 2015?:
1. Know the value of your assets and understand the risk they are under.
2. Work on the policies, procedures and processes that will protect those assets.
3. Choose the technology and intelligence that is going to protect those assets and help you monitor and control those policies.
4. Test the defences regularly using vulnerability and penetration testing so as to identify weaknesses in the system that has been implemented, and know where to focus resources to improve defences.
5. Monitor the system looking for malicious activity and identify breaches before damage is done, or keep the damage done to a minimum.
6. Feed back the methodology of any successful breach back in to the system to defend against similar attacks in future.