Sunday, January 31, 2016

Physical Security Controls (week 7)

Photo Credit: Microsoft studios, security-cameras-for-a-business
There is a huge emphasis on protecting data in the security industry, but what about the physical elements that aid in the storage, processing and transmission of that data? In this post we will discuss why physical security should not be taken for granted when planning for information security within an organization. Logical systems cannot exist without hardware components in place. Even in cloud setups where an organization’s data is 100% stored in the cloud, the business still has to have some hardware on premises that enables it to access that data. If a physical breach were to occur in which an attacker gained access to the hardware components that interact with the logical environment, the damage might be irreversible.

Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism (Rouse, 2005). Physical security entails the controls or steps taken to limit or deny unauthorized physical access to a building, its facilities, the resources within the building, and the information stored there.

There are different types of Security Controls:

Directive controls – these are the administrative controls intended to guide or advise employees on how to conduct themselves when using the systems or when they are on the business premises.

Preventive controls – these are the steps taken to stay ahead of, and ideally stop, any actions that would violate the controls in place. Examples would be locked doors and windows.

Deterrent controls – these involve the use of notices and warnings about the consequences of security violations. An example would be having CCTV cameras installed in every room.

Detective controls – these are the controls that aid in identifying, monitoring and potentially reacting to security violations. Examples would be security alarms, motion sensors, heat sensors, etc.

Corrective controls – these are the controls designed to react to the detection of an incident in order to resolve it and prevent any future recurrence.

Recovery controls – these are the controls used to restore the system or operation to its normal state after an actual incident occurs.

Different security measures can be implemented to protect against physical threats and they fall under different security controls as described above. These measures can include:

Protecting the premises: the entry and exit points should be evaluated to ensure there are sufficient security controls in place. Interior partitions like walls, ceilings and floors should be secure enough to prevent any breaches. Man-traps and turnstiles can be used to prevent piggybacking attempts. Surge protectors and UPS systems should be in place to guard against power-related threats, whether inadvertent or planned. Fire suppression systems should be in place and fire extinguishers should be easily accessible in case of a fire emergency.

Locked rooms: the server room or data center is perhaps the most critical of all rooms; it should be located in a central area and access to it should be restricted to authorized personnel only. Locked doors should be used and, if possible, two-factor authentication should be enforced. Surveillance cameras should be installed to monitor activity to and from the data center. If outsiders such as vendors and maintenance staff need to be in the room, access should only be allowed in the presence of an escort.

Other critical devices like switches, hubs and routers should also be locked up. Gone are the days when network equipment and cabling were stashed in the same closet as the janitor’s ‘tools of the trade’. If you don’t secure these devices, an attacker can impersonate the cleaning crew, walk into the closet, simply plug into the network and cause havoc.

Secure workstations and laptops: docking stations should have the capability to lock down laptops when users step away from their desks. Workstations should also be secured, and the case should be protected using case locks. This prevents attackers from opening up the computer towers and removing the hard drive.

Laptops and handhelds should be encrypted and biometric readers should be used for access. In case of a loss, the organization should be able to remotely wipe the data on the device. Removable media capability should also be disabled to prevent attackers and rogue employees from copying information without authorization.

Protecting backups: most organizations plan for the production environment and ensure that security controls are in place to protect it, but what about the DR site or the backups? Organizations need to ensure that their backup tapes and/or disks cannot be stolen. These backups usually hold the same information that can be found in the production environment; if security controls are lax there, attackers will definitely choose this easier route.

Protecting non-critical devices: even basic devices and items like printers, fax machines, phones and trash bins need to be protected. Attackers can gain information through dumpster diving, so the organization needs to secure its bins and have locked shred bins located in secure areas within the building. Only approved, reputable vendors should be used to dispose of old data (if the company outsources this service). The same applies to the disposal of hardware like hard disks and decommissioned appliances.

Another area to look at when it comes to physical security is the undefined perimeter. With more employees working remotely and sales reps working on the road, the organization needs to account for the physical protection of those devices by having logical controls in place. Policies should be enforced as a guide to help employees adhere to best practices that minimize the potential for losses. Employees should not leave laptops and documents in visible places in their cars. The business should have a way of remotely wiping the data on devices like smartphones if they are reported stolen. Hard drives should be encrypted to avoid exposing information to unauthorized individuals.

Conclusion
Just as with logical security measures, physical security controls should follow a defense-in-depth approach when implemented. Just having CCTV cameras or security guards on site is not enough of a deterrent to an attacker attempting to break in. If they are determined to breach the perimeter, they will find a way. Different controls need to be adopted so that they complement each other: if one has gaps, another control can cover that gap. For example, having locked doors with two-factor authentication required to unlock the room, plus a security guard or even a receptionist at the entrance, is a better deterrent to an attacker than simply having locked doors and cameras at the front door.

References:
Covington, R. C. (2015, June 23). Physical security: The overlooked domain. Retrieved January 31, 2016, from ComputerWorld website: http://www.computerworld.com/article/2939322/security0/physical-security-the-overlooked-domain.html

Rouse, M. (2005, December). Physical security. Retrieved January 31, 2016, from TechTarget website: http://searchsecurity.techtarget.com/definition/physical-security



Sunday, January 24, 2016

Critical Security Controls (CSCs) in Mitigating Attacks

Last week in my graduate class “Information Security Management”, we learned about policies and why they are crucial (legally binding) documents that a business should use to convey its values, goals and mission. One of the common policies that new hires encounter is the acceptable use policy (AUP). This policy requires users to agree to and sign the document prior to being granted access to the organization’s network or the Internet. If any violations of the AUP are detected, the organization is legally able to discipline the employee to the extent outlined. Given that humans will always be humans, regular training and visual reminders like posters and infographics on the break room notice board, or banners that pop up on computers, can be used to drill the message home.

SANS, a well-recognized institute when it comes to cyber and information security, published a list titled “SANS Top 20 Critical Security Controls”, which is basically a list of recommendations that an organization can use as a checklist or guide when setting up shop. The focus for this post will be the top 5 controls:

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 5: Controlled Use of Administrative Privileges

To see how adopting the above controls can assist an organization, let’s look at the Target attack and how it occurred. Can a replication of the attack be avoided if a company followed the control recommendations?

According to Brian Krebs, author of the KrebsOnSecurity blog, Target was infiltrated via a third-party vendor who was responsible for its HVAC systems. Using credentials stolen from the vendor, the attackers accessed the Target network through the access paths assigned to that vendor. The attackers were later able to move through the network and reach segments that contained customer data, such as PII and credit card data. Once the attackers were able to access the point-of-sale systems, they downloaded the malware that would be used to scrape the memory of these systems. Over a period of time, the attackers successfully exfiltrated the data out of the network without Target noticing.

With that scenario in mind, if Target had diligently adhered to the 5 critical security controls, these are some of the vulnerabilities and exploits that could have been prevented:

Misconfigured and vulnerable systems on both the vendor side and the Target side – the attackers were able to access the vendor's network thanks to vulnerabilities that enabled them to break in and steal credentials. The same applies to Target's network, which the attackers were then able to infiltrate. These issues are covered by CSC 3, which outlines how to securely configure both the hardware and software elements of a network. Hardening the network, for example by closing unneeded ports and services and keeping systems up to date and patched, can help mitigate threats using this attack vector.

Malware installed on point-of-sale systems – once the attackers got in, they were able to install the malware that would be used to infect the systems and steal the data. This is covered by CSC 2, 3 and 5: having secure configurations helps stop exploits as described previously; an inventory of unauthorized software would have enabled Target to notice the malware once installed, or even prevent it from being installed on the systems in the first place; and controlled use of administrative privileges would have enabled Target to keep track of what privileged accounts were doing, so this anomaly would have been caught if regular auditing took place.

Failure to respond to alerts from security systems – Target did not put much thought into the alerts generated by suspicious activity on its network. Also, if Target had reviewed its vulnerability assessment reports, it would have caught on to the fact that the networks were not segregated from each other. The attackers were able to jump from the vendor to Target and gain access to the customer network segment. Given that sensitive data is stored on the customer segment, the vendor should not have had the capability to move across these segments. CSC 4 would have helped Target mitigate this hole.

Data exfiltrated from the network – the attackers moved a significant volume of data out of the network without raising any alarms. This tells us that Target did not have checks in place to stop data exfiltration. If CSC 3 is adhered to, an organization can have secure configurations set up on the network that generate alarms when data is moved.

Conclusion

While having the proper tactics, techniques and procedures (TTPs) and tools (technology) may be a step in the right direction for mitigating potential breaches, the weakest link still has to be accounted for. If you cannot rally the people to support the information security checks and balances in place, they will fail. The people who interact with the organization's assets and resources are crucial to the success of any security measures in place. In my opinion, the main flaw that enabled the Target breach was the people. It seems that there were at least minimal checks in place, but the people who should have checked and validated their effectiveness did not perform their due diligence.

References:
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Sunday, January 17, 2016

Data Protection (week 5 Blog)

Last month, one of the topics of my blog post was cybercrime motivation; one of the motivators discussed was competitive advantage. This motivator is usually associated with expert attackers who are trying to exfiltrate either company blueprints or personal information about the company’s personnel. “One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people's fingerprints were stolen as part of the hacks” (Peterson, 2015).

5.6 million people! That is indeed a scary number. How did the attackers manage to get the data out of the OPM network without raising any flags? I am hard pressed and concerned that a government agency of that magnitude does not have safeguards in place to protect its confidential information from ending up in the wrong hands.

So how do we attempt to mitigate data loss?

Data Protection (Data Loss Prevention - DLP)
DLP is a technology used to prevent both the intentional and unintentional loss or leakage of information that should not leave a specific network or be disclosed to unauthorized parties. Detective controls alone cannot stop the loss of data; although companies put policies and procedures in place, there is no telling how many of these guidelines are actually followed. Having preventive controls like a DLP solution can assist a company in enforcing its policies (Kanagasingham, 2008). Such policies could include who is allowed to handle what data, how that data is to be handled, and what systems should be in place to aid in the transmission, usage and storage of that data.

To protect data, we first need to understand what the data is and in what state it is. The individuals assigned responsibility for the data need to define it. Some questions to ask include:

What type of data is being protected?

Where should the data reside and where should it not?

Who is granted access to this data?

What policies (like acceptable use) are in place for this data?

When designing solutions, the data states need to be accounted for. The different states of data are:

Data at rest – data saved on file servers, computer hard drives, portable drives, offsite backups etc.

Data in motion – when data is being transmitted e.g. through email, through web traffic etc.

Data in use – active data residing in volatile memory (RAM) that is prone to change, e.g. databases, open spreadsheets, etc.

Solutions

1. Training
This is a key component of attempting to mitigate the possibility of a user inadvertently exposing data or coming into unauthorized contact with data. With regular reminders, employees are able to adopt best practices when handling data.

2. Defining policies
Policies act as guidelines and can be used as a legal document if the laid-out policies are breached intentionally. A policy that can be adopted to prevent data loss is classification of data, with banners attached to all documents. Before any document is accessed, the organization can have a banner pop up warning users of the nature and classification of the data. This serves as a reminder to users to be more careful when handling data and also acts as a deterrent, since the banner can be used as legal evidence that users were notified of the company’s data handling policies prior to being given access. If a user breaches the policy, they can be held accountable.

3. Incident response plans
Human error is inevitable and organizations need to prepare for when an incident occurs. A team responsible for containing any data breach should be in place. Planning for the worst helps prepare the organization and also aids in efficiently mitigating the repercussions that may come from data loss or leakage.

4. Technology for monitoring data
Having policies and contingency plans may not be enough if there are no technologies in place to stop the potential loss or leakage of data. Technologies to adopt may include pattern matching or data matching that can catch specific data like SSNs or credit card numbers leaving the network. Another option is to watermark documents in order to prevent copyright breaches. Devices should also be scrubbed, since users can store data on their local workstations or laptops for later use or, in the case of a rogue employee, for offline data exfiltration.
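As an added example (not from the original post or any DLP product), here is the kind of pattern-matching check such a tool applies to an outbound message: a format-aware SSN regex and a Luhn check on card-number candidates, with matched values masked before they are logged. The email body, regex rules and policy decision are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of an outbound message body (data in motion); not real data.
SAMPLE_EMAIL = (
    "Hi, attaching the onboarding sheet.\n"
    "Employee SSN: 123-45-6789\n"
    "Corporate card on file: 4111 1111 1111 1111\n"
    "Ticket reference: 1234567890123 (not a card number)\n"
    "Bogus SSN that should be ignored: 000-12-3456\n"
)

# SSN: 3-2-4 digits, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "card"
    value: str     # matched text as it appeared in the message
    masked: str    # what a DLP gateway would log instead of the raw value


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that merely look like card numbers."""
    digits = [int(d) for d in number if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*', keeping separators."""
    digit_count = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > digit_count - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan_text(text: str) -> list:
    """Return all SSN and Luhn-valid card matches found in the text."""
    findings = [Finding("ssn", m.group(0), mask(m.group(0))) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):   # drops the 13-digit ticket reference
            findings.append(Finding("card", m.group(0), mask(m.group(0))))
    return findings


def decide(text: str) -> dict:
    """Policy decision a DLP gateway would apply to one outbound message."""
    findings = scan_text(text)
    return {
        "action": "block" if findings else "allow",
        "kinds": sorted({f.kind for f in findings}),
        "masked": [f.masked for f in findings],
    }


if __name__ == "__main__":
    print(decide(SAMPLE_EMAIL))
```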

Conclusion
Data loss prevention is one of the toughest elements of information security; totally eliminating the prospect of data loss or leakage is a myth, as it is impossible to be 100% secure, but adopting the solutions outlined above can help mitigate the risk. Organizational commitment is needed from the top down, and policies should be used to emphasize this organizational goal. The information security team should note that one solution may not necessarily apply to all scenarios, and should also be aware that some solutions may handicap the business if aggressively implemented. There needs to be a balance between control and business continuity. Testing and constant reviews should be routine in order to evaluate the efficiency of the checks and balances in place.



References:
Peterson, A. (2015, September 23). OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought. Retrieved January 17, 2016, from The Washington Post website: https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/

Kanagasingham, P. (2008, August 15). Data Loss Prevention (J. C. Bambenek, Ed.). Retrieved January 17, 2016, from SANS.org website: https://www.sans.org/reading-room/whitepapers/dlp/data-loss-prevention-32883

Saturday, January 9, 2016

Preparing for an Incident through Defense-in-Depth (week 4)

This week, the topic in my Information Security Management class was planning for contingencies. Unexpected incidents are bound to happen in any organization. They could be man-made, like hacking attacks, or nature-based, like tornadoes and earthquakes taking out a data center. The focus this week will be on the preparation phase of the Incident Response Plan (IRP). The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event (Whitman & Mattord, 2014, p. 85).


Nature-based incidents are not easy to prevent; the best course of action for those is to have a plan B in place, be it a backup data center or multiple locations acting as hot, warm or cold sites. This blog post will discuss different monitoring configurations that can help to prevent a hacking attack or reduce the response time needed to mitigate attacks discovered in a network.

Defense in Depth is “a concept used to describe layers of defense strategies. The components at each layer work in tandem to provide one cohesive security mechanism” (Arconati 3).

The following monitoring services can be employed to ensure that different areas within a network are covered in terms of preventing breaches:

Firewall
A firewall is a critical security control for controlling ingress and egress traffic. As such, it can have visibility to an attack in potentially multiple areas. By leveraging IP reputation and geographic features in next generation firewalls, attacks may be mitigated. Additionally, monitoring for suspicious ports and traffic sizes and volumes can indicate malware beaconing or command and control traffic, as well as any data exfiltration.
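An added example, not from the original post, of the timing-and-volume analysis mentioned above: it groups connections from a constructed firewall log by source, destination and port, and flags flows whose connection intervals and sizes are suspiciously regular, which is how periodic beaconing stands out from ordinary bursty browsing. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines in a hypothetical "time src dst dport bytes" format.
# The first flow repeats every ~5 minutes with near-constant size (beacon-like);
# the second is ordinary bursty web traffic to a different host.
SAMPLE_LOG = """\
2016-01-09T10:00:00 10.1.2.3 198.51.100.7 443 512
2016-01-09T10:05:01 10.1.2.3 198.51.100.7 443 498
2016-01-09T10:10:00 10.1.2.3 198.51.100.7 443 515
2016-01-09T10:14:59 10.1.2.3 198.51.100.7 443 503
2016-01-09T10:20:00 10.1.2.3 198.51.100.7 443 509
2016-01-09T10:25:01 10.1.2.3 198.51.100.7 443 497
2016-01-09T10:00:12 10.1.2.3 203.0.113.9 443 40211
2016-01-09T10:03:40 10.1.2.3 203.0.113.9 443 1334
2016-01-09T10:31:05 10.1.2.3 203.0.113.9 443 8870
2016-01-09T10:31:08 10.1.2.3 203.0.113.9 443 2048
2016-01-09T11:02:50 10.1.2.3 203.0.113.9 443 9900
2016-01-09T11:41:00 10.1.2.3 203.0.113.9 443 120
"""


def parse_log(text: str) -> dict:
    """Group connections by (src, dst, dport); each value is a list of (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows[(src, dst, int(dport))].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def coefficient_of_variation(values) -> float:
    """Population std-dev divided by mean: ~0 means the values are nearly identical."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_candidates(flows: dict, min_events: int = 5,
                      max_interval_cv: float = 0.05, max_size_cv: float = 0.25) -> list:
    """Flag flows whose inter-connection gaps AND payload sizes are both unusually regular."""
    hits = []
    for key, events in flows.items():
        if len(events) < min_events:
            continue
        events = sorted(events)  # log lines are not guaranteed to be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_cv, size_cv = coefficient_of_variation(gaps), coefficient_of_variation(sizes)
        if gap_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"flow": key, "count": len(events),
                         "mean_gap_s": mean(gaps), "gap_cv": round(gap_cv, 4)})
    return hits


def flagged_flows(text: str) -> list:
    """Convenience wrapper: just the (src, dst, dport) keys worth an analyst's attention."""
    return [h["flow"] for h in beacon_candidates(parse_log(text))]


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

The thresholds are deliberately strict; in practice they are tuned per environment, and a regular flow to a known-good destination (update servers, monitoring agents) is excluded by allow-listing rather than by loosening them.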

Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
An IDS or IPS, either host or network based, may detect suspicious activity surrounding a possible breach. Signature detection for early stages of reconnaissance can lead to firewall blocks or defense against the IP indicators. Modern IDS/IPS solutions also provide vast detection around exploitation of desktop and server software such as Java or Internet browsers. Even if attackers leverage a zero day for exploitation, command and control signatures may provide insight into attack activity.

Behavioral Malware Detection
Behavioral malware detection solutions are a newer market but have had huge growth recently. These systems provide far more accurate detection and protection than traditional antivirus products due to their ability to dynamically execute and evaluate portable executable (PE) files. This provides for dynamic detection of even the most advanced and customized malware. By leveraging learned behavior of traffic patterns, an advanced malware solution such as this can be used to detect things like malware payload drops regardless of the entry point.

Operating System
Operating system monitoring is a key component of many compliance and regulatory standards due to the wealth of information available. By monitoring the operating system, an organization can have visibility into information such as login attempts which can be used to identify unusual login hours or user behavior. Additionally, this level of monitoring can provide key insight to system or policy changes leveraged by malware to gain persistence.

Database Application
Database level monitoring can provide key insight into the types of activity and access happening on critical and privileged tables in the database. Structured databases usually require login information and special privileges. As such, suspicious and large volume queries can be indicators of compromise and early stages of data exfiltration.

Anti-virus Application
Anti-virus solutions provide signature and heuristic detection of possible infection or suspicious behavior at the endpoint. Top AV vendors such as Symantec, McAfee and TrendMicro can be leveraged to flag suspicious files before propagation on the network.

File Integrity Monitoring (FIM)
Similar to operating system monitoring, FIM is a key component for standards such as PCI-DSS. By leveraging a FIM solution, an organization can have insight into changes on a compromised endpoint through looking for payload drops after exploitation, password dump tools and file movements associated with data exfiltration. FIM can also be used to capture key changes to the registry if an attack is conducted in a Windows environment.

Application Whitelisting
Application whitelisting is an often overlooked element of security that can provide robust protection. While the effort is very high in comparison to other defenses, it can render malware and malicious tools ineffective by preventing them from ever being deployed or executed on a system. If a file is not part of the system baseline, it will be instantly blocked, therefore, malicious files are blocked before they can run on the network.

Data Loss Prevention (DLP)
Data loss prevention systems provide content aware monitoring of endpoints and the network. By leveraging a DLP solution, an organization can have visibility into the data being moved around and out of their network by identifying patterns in the data such as personal information. This can be considered as a last resort in terms of preventing a breach and potential data exfiltration, but even at this stage, ample protection against the data ever leaving the protected network can be provided.


These solutions may be costly, and most organizations may not be able to implement all of them due to budget or personnel constraints, but thinking about different attack vectors and planning how to prevent attacks from occurring should be on the minds of security professionals. The old adage “failing to plan is planning to fail” comes true whenever we ignore it.


References:
Whitman, M. E., & Mattord, H. J. (2014). Management of information security (4th ed.). Stamford, CT: Cengage Learning.

Arconati, N. (2002, March 14). One approach to enterprise security architecture. SANS Institute Information Security Reading Room. Retrieved September 7, 2004.