Sunday, December 6, 2015

Back to Basics


You really don’t need to be a sports junkie to have heard that “defense wins championships”. Being a Philadelphia Eagles fan, I’m still waiting on that ever-elusive Super Bowl championship …fingers crossed. On the IT security side, CISOs and senior IT managers face the million-dollar question: how much money can I throw at IT security to ensure I’m safe?

In this day and age we carry smartphones with more computing power than all of NASA had in 1969 when it landed astronauts on the moon. Thanks to competition, technology has advanced at a rapid pace, and just as we, the good guys, have access to this massive processing capability, the bad guys are in the same canoe as us, if not in a speedboat. Most problems can be resolved by throwing money at them. We have bandwidth and storage issues? Let’s buy bigger servers and faster routers and build a secondary data center. When it comes to IT security, however, does having the meanest and ‘bad-est’ firewall or IPS equal guaranteed security?
Like my dreams of the Eagles winning a championship this coming season: one can only hope.
Just recently, news of a breach at the Office of Personnel Management (OPM) was revealed to the public. While Target was still picking itself up from the huge blow it took from hackers, JPMorgan Chase was also hit. Then 2015 rolled in and Anthem announced that it too had been breached. JPMorgan Chase spent over $250 million on cyber security last year, yet still suffered a significant data breach. According to Darkreading.com’s survey on security spending in organizations, most respondents agreed that they had adequate tools and personnel to minimize (72%), quickly detect (69%), prevent (65%), and determine the root cause of (55%) data breaches. Being attacked in the cyber age is not a matter of if but when.

Attacks are going to happen regardless, so the question becomes: are we prepared enough to at least find out that we were breached? How many breaches have fallen through the cracks without the organization ever finding out?

Why are we not keeping up?
It is human nature to try to make life easier; that’s why we created fire and tools. As technology evolves there is more and more automation and less and less human interaction. This is a double-edged sword, however. Yes, we remove the weakest link, the human, but then the computer is only as smart as the program it runs. If unwanted lines of code are added to that program, will we notice? Unless safeguards such as code review and integrity checks were built in during development, probably not, and the computer will simply follow its master’s instructions. It’s like installing cameras and then leaving the door unlocked. In IT terms: adding a firewall or IDS but leaving every unnecessary port open to the outside world.
There’s a joke about a guy who named his WiFi SSID (network name) ‘Hack_Me’. The next day the WiFi name was ‘Challenge_Accepted’.
Threats are always lurking, and we need to be vigilant of our surroundings and not leave everything to technology. Good ol’ human instinct still has a place in this technology-savvy world.

Why are we always a step or two behind the attackers?
For one, the bad guys have time and patience, and some are even state sponsored. New malware is released constantly. You can purchase an exploit kit on the dark web. There are plenty of open source tools and step-by-step instructions on the Internet for script kiddies and hacktivists to use. Not to sound like a prophet of doom, but if we don’t adapt we will surely die!
A typical Advanced Persistent Threat (APT) involves roughly seven stages:
  • Recon
  • Lure
  • Redirect
  • Exploit
  • Drop Payload
  • Call Home
  • Data Exfiltration

Our focus will be on the reconnaissance stage: defenders usually overlook it, although it is a crucial stage for the attacker.

Reconnaissance is sometimes one of the easiest steps in this process because the victim hands over all the information the attacker needs without knowing it. Imagine you are watching your child at baseball practice. You take out your Android phone, snap a quick picture and upload it to Facebook. Unless you’ve locked down your privacy settings, this simple post provides a wealth of information about you, your technology and your location.
While it may seem harmless, this is more than enough for an attacker to craft a spear phishing email aimed at you. The photo’s Exif metadata, if the service you post to leaves it intact (and the original file you forward by email or chat certainly does), discloses the make and model of your phone, enough to pick an exploit for your specific platform. The GPS coordinates embedded in the picture, or the location tag on the post itself, show where the practice takes place, letting someone identify which league or tournament your child plays in and on what day. That gives the attacker the pretext: a change to the baseball practice schedule with a malicious calendar attachment, spoofed from the official email address of the practice facility.
Scary stuff …right!?
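To make the leak concrete, here is an added example (not code from the original post) that parses the Exif APP1 segment of a JPEG to pull out exactly the fields an attacker would look for, the make, model and GPS fix, and then strips that segment before the file is shared. The sample photo is constructed inline with a made-up make and model and the coordinates of downtown Philadelphia; it contains only headers and no image data, which is all the parser needs. Real camera output carries further segments (JFIF, XMP, ICC profiles) that this minimal reader simply skips over.

```python
"""Read and strip the Exif block a phone embeds in a JPEG (added example)."""
import struct

# Exif tags of interest (IFD0 and the GPS sub-IFD)
MAKE, MODEL, GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
# TIFF field type -> size in bytes (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def find_exif_segment(jpeg):
    """Return (start, end) of the Exif APP1 segment, or None if absent."""
    pos = 2                                   # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                    # SOS: image data follows, no more headers
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]   # includes its own 2 bytes
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, pos + 2 + length
        pos += 2 + length
    return None


def _entries(tiff, ifd_off, e):
    """Yield (tag, type, count, raw value bytes) for each entry of an IFD."""
    n = struct.unpack_from(e + "H", tiff, ifd_off)[0]
    for i in range(n):
        tag, typ, cnt, val = struct.unpack_from(e + "HHI4s", tiff, ifd_off + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * cnt
        if size > 4:                          # value field holds an offset instead
            off = struct.unpack(e + "I", val)[0]
            val = tiff[off:off + size]
        yield tag, typ, cnt, val[:size]


def _dms_to_degrees(raw, e):
    """Decode three RATIONALs (deg, min, sec) into decimal degrees."""
    n = struct.unpack(e + "6I", raw)
    return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600


def read_exif(jpeg):
    """Extract make, model and GPS position from a JPEG's Exif block."""
    span = find_exif_segment(jpeg)
    if span is None:
        return {}
    tiff = jpeg[span[0] + 10:span[1]]         # marker(2) + length(2) + "Exif\0\0"(6)
    e = "<" if tiff[:2] == b"II" else ">"     # byte-order mark: II = little endian
    ifd0 = struct.unpack_from(e + "I", tiff, 4)[0]
    out, gps = {}, {}
    for tag, typ, cnt, val in _entries(tiff, ifd0, e):
        if tag == MAKE:
            out["make"] = val.rstrip(b"\0").decode("ascii", "replace")
        elif tag == MODEL:
            out["model"] = val.rstrip(b"\0").decode("ascii", "replace")
        elif tag == GPS_IFD:
            gps = {t: v for t, _, _, v in _entries(tiff, struct.unpack(e + "I", val)[0], e)}
    if GPS_LAT in gps and GPS_LON in gps:
        lat = _dms_to_degrees(gps[GPS_LAT], e)
        lon = _dms_to_degrees(gps[GPS_LON], e)
        if gps.get(GPS_LAT_REF, b"N").startswith(b"S"):
            lat = -lat
        if gps.get(GPS_LON_REF, b"E").startswith(b"W"):
            lon = -lon
        out["gps"] = (round(lat, 5), round(lon, 5))
    return out


def strip_exif(jpeg):
    """Return the JPEG with its Exif APP1 segment removed: do this before sharing."""
    span = find_exif_segment(jpeg)
    return jpeg if span is None else jpeg[:span[0]] + jpeg[span[1]:]


def _rational3(deg):
    """Decimal degrees -> (deg/1, min/1, sec*100/100) packed little-endian."""
    deg = abs(deg)
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 100)
    return struct.pack("<6I", d, 1, m, 1, s, 100)


def build_sample_jpeg(make, model, lat, lon):
    """Constructed sample: SOI + Exif APP1 + EOI with no image data (demo assumption).
    Make/model must exceed 4 bytes so they are stored out-of-line, as cameras do."""
    mk, md = make.encode() + b"\0", model.encode() + b"\0"
    ifd0_off = 8                              # right after the 8-byte TIFF header
    make_off = ifd0_off + 2 + 3 * 12 + 4      # IFD0: count + 3 entries + next-IFD pointer
    model_off = make_off + len(mk)
    gps_off = model_off + len(md)
    lat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD: count + 4 entries + next pointer
    lon_off = lat_off + 24                    # three RATIONALs = 24 bytes
    ifd0 = struct.pack("<H", 3)
    ifd0 += struct.pack("<HHII", MAKE, 2, len(mk), make_off)
    ifd0 += struct.pack("<HHII", MODEL, 2, len(md), model_off)
    ifd0 += struct.pack("<HHII", GPS_IFD, 4, 1, gps_off)
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, (b"S" if lat < 0 else b"N") + b"\0\0\0")
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    gps += struct.pack("<HHI4s", GPS_LON_REF, 2, 2, (b"W" if lon < 0 else b"E") + b"\0\0\0")
    gps += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    gps += struct.pack("<I", 0)
    tiff = b"II*\0" + struct.pack("<I", ifd0_off) + ifd0 + mk + md + gps
    tiff += _rational3(lat) + _rational3(lon)
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"


if __name__ == "__main__":
    # Constructed values: a made-up handset and the coordinates of downtown Philadelphia.
    photo = build_sample_jpeg("ExampleCo", "Phone 9000", 39.9526, -75.1652)
    print("before upload:", read_exif(photo))
    print("after strip:  ", read_exif(strip_exif(photo)))
```

Run it and the first line shows the handset and a position accurate to a few metres; the second shows an empty dictionary. Stripping the APP1 segment is lossless for the image itself, which is why a pre-upload strip (or an app setting that disables geotagging) costs nothing; the location tag on the post, however, is a separate field that no file processing removes.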

So how do I prevent this?

Change is the only constant
Implement an information security user education program to ensure employees are aware of targeted threat methods such as social engineering through spear phishing and watering hole attacks. As users and endpoints become the biggest vulnerability in large organizations, this is one of the most critical steps in preventing attacks.
In addition, expand security defenses to include technologies that speed up detection of attacks, shortening the window between compromise and response.
Leverage an MSSP or an in-house SIEM to monitor the network 24x7x365. These solutions allow granular customization and correlation of events from each of the technologies above, enabling accurate and rapid response to threats.
While each of these is a step in the right direction, none is as effective without ample testing. Conduct security reviews and tests at least once per quarter. This verifies not only the effectiveness of the defenses but also the readiness of the incident response process.

Conclusion
While defense is always a good thing, offense comes into play at the recon stage. By offense I don’t mean attacking the bad guy, but knowing which Tactics, Techniques, and Procedures (TTPs) might affect us, and the only way of knowing this is by actually ‘attacking’ ourselves. Using an Approved Scanning Vendor (ASV, the PCI DSS term for a vendor approved to run external vulnerability scans) or engaging consulting services will show you what the outside world can gather by probing your network and simulating attacks.


References:
Solutionary, “The Advanced Persistent Threat” (white paper): http://www.solutionary.com/resource-center/white-papers/the-advanced-persistent-threat/
Dark Reading, security spending survey: http://www.darkreading.com/attacks-breaches/security-budgets-going-up-thanks-to-mega-breaches/d/d-id/1318714
