Last week in my graduate class “Information Security Management”, we learned about policies and why they are crucial (legally binding) documents that a business should use to convey its values, goals and mission. One of the common policies that new hires encounter is the acceptable use policy (AUP). This policy requires users to agree to and sign the document before being granted access to the organization's network or the Internet. If any violations of the AUP are detected, the organization is legally able to discipline the employee to the extent outlined in the policy. Given that humans will always be humans, regular training and visual reminders, such as posters and infographics on the break room notice board or banners that pop up on computers, can be used to drive the message home.
SANS, a well-recognized institute when it comes to cyber and information security, published a list titled “SANS Top 20 Critical Security Controls”, a set of recommendations that an organization can use as a checklist or guide when setting up shop. The focus of this post will be the top 5 controls:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
To see how adopting the above controls can assist an organization, let’s look at the Target attack and how it occurred. Could a repeat of the attack be avoided if a company followed the control recommendations?
According to Brian Krebs, author of the KrebsOnSecurity blog, Target was infiltrated via a third-party vendor responsible for its HVAC systems. Using credentials stolen from the vendor, the attackers accessed the Target network through the access paths assigned to that vendor. The attackers were later able to move through the network and reach segments that contained customer data, such as PII and credit card data. Once the attackers had access to the point-of-sale systems, they downloaded the malware that would be used to scrape the memory of those systems. Over a period of time, the attackers successfully exfiltrated the data out of the network without Target noticing.
With that scenario in mind, if Target had diligently adhered to the 5 critical security controls, these are some of the vulnerabilities and exploits that could have been prevented:
Misconfigured and vulnerable systems on both the vendor side and the Target side – the attackers were able to access the vendor's network through vulnerabilities that enabled them to break in and steal credentials. The same applies to Target’s network, whose weaknesses enabled the attackers to infiltrate it. These issues are covered by CSC 3, which outlines how to securely configure both the hardware and software elements of a network. Hardening the network, for example by closing unneeded ports and services and keeping systems up to date and patched, can help mitigate threats that use this attack vector.
Malware installed on point-of-sale systems – once the attackers got in, they were able to install the malware used to infect the systems and steal the data. This is covered by CSC 2, 3 and 5: secure configurations would help stop exploits as described above; an inventory of authorized and unauthorized software would have enabled Target to notice the malware once installed, or even to prevent it from being installed in the first place; and controlled use of administrative privileges would have enabled Target to keep track of what privileged accounts were doing, so this anomaly would have been caught if regular auditing took place.
Failure to respond to alerts from security systems – Target did not give much thought to the alerts generated by suspicious activity on its network. Also, if Target had reviewed its vulnerability assessment reports, it would have caught the fact that the networks were not segregated from each other. The attackers were able to jump from the vendor segment into Target's network and gain access to the customer network segment. Given that sensitive data is stored on the customer segment, the vendor should not have had the capability to move across these segments. CSC 4 would have helped Target mitigate this hole.
Data exfiltrated from the network – the attackers moved a significant amount of data out of the network without raising any alarms. This tells us that Target did not have checks in place to stop data exfiltration. If CSC 3 is adhered to, an organization can have secure configurations set up on the network that generate alarms when data is moved.
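To make the CSC 2 and CSC 5 points above concrete, here is an added example (not code from the original post, from SANS, or from Target) of the kind of audit an inventory control actually runs. It assumes a hypothetical endpoint agent that reports each host's installed packages (name, version, SHA-256 of the binary) and the members of its local administrators group, and compares that report against an approved baseline per host role. Every host name, package name, hash and account below is constructed for illustration.

```python
# Added example, not from the original post: a minimal audit in the spirit of
# CSC 2 (inventory of authorized and unauthorized software) and CSC 5
# (controlled use of administrative privileges). A hypothetical endpoint agent
# is assumed to report installed packages and local administrators; the report
# is compared against an approved baseline per host role. All baseline and
# snapshot data below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    sha256: str  # hash of the installed binary as reported by the (assumed) agent


@dataclass
class HostSnapshot:
    hostname: str
    role: str                 # e.g. "pos" for a point-of-sale terminal
    packages: List[Package]
    local_admins: Set[str]    # members of the local administrators group


@dataclass(frozen=True)
class Finding:
    host: str
    control: str              # "CSC2" or "CSC5"
    detail: str


# Approved baseline per role: package name -> set of approved binary hashes.
# Two hashes for one name means two approved builds are in circulation.
APPROVED_SOFTWARE: Dict[str, Dict[str, Set[str]]] = {
    "pos": {
        "pos-agent": {"a" * 64},
        "payment-driver": {"b" * 64, "c" * 64},
    },
}

# Approved local administrators per role (constructed account names).
APPROVED_ADMINS: Dict[str, Set[str]] = {
    "pos": {"svc-pos-deploy"},
}


def audit_host(snap: HostSnapshot) -> List[Finding]:
    """Return every deviation of the snapshot from its role's baseline."""
    findings: List[Finding] = []
    approved = APPROVED_SOFTWARE.get(snap.role, {})
    for pkg in snap.packages:
        allowed = approved.get(pkg.name)
        if allowed is None:
            # Name absent from the baseline: software nobody approved.
            findings.append(Finding(snap.hostname, "CSC2",
                                    f"unapproved software: {pkg.name} {pkg.version}"))
        elif pkg.sha256 not in allowed:
            # Approved name, but the binary is not an approved build; a
            # tampered or impostor copy of a legitimate tool looks like this.
            findings.append(Finding(snap.hostname, "CSC2",
                                    f"unknown build of {pkg.name} {pkg.version}: "
                                    f"{pkg.sha256[:12]}..."))
    # CSC 5: any local administrator outside the approved list is a finding.
    for acct in sorted(snap.local_admins - APPROVED_ADMINS.get(snap.role, set())):
        findings.append(Finding(snap.hostname, "CSC5",
                                f"unapproved local administrator: {acct}"))
    return findings


def audit_fleet(snaps: List[HostSnapshot]) -> Dict[str, List[Finding]]:
    """Audit every host and keep only the hosts that have findings."""
    result: Dict[str, List[Finding]] = {}
    for snap in snaps:
        found = audit_host(snap)
        if found:
            result[snap.hostname] = found
    return result


# Constructed snapshots: one clean terminal and one with three deviations.
SAMPLE_FLEET = [
    HostSnapshot("pos-001", "pos",
                 [Package("pos-agent", "4.2", "a" * 64),
                  Package("payment-driver", "1.9", "c" * 64)],
                 {"svc-pos-deploy"}),
    HostSnapshot("pos-002", "pos",
                 [Package("pos-agent", "4.2", "a" * 64),
                  Package("payment-driver", "1.9", "d" * 64),   # unknown build
                  Package("memscan-helper", "0.1", "e" * 64)],  # not in baseline
                 {"svc-pos-deploy", "vendor-hvac"}),            # extra admin
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET).items():
        for f in findings:
            print(f"{host} [{f.control}] {f.detail}")
```

The check is deliberately hash-based rather than name-based: a package that keeps its approved name but ships a different binary is reported as an unknown build, which is the case an inventory control exists to catch. Run on a schedule against every terminal, the output is the list of hosts a responder should look at first.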
Conclusion
While having the proper tactics, techniques and procedures (TTPs) and tools (technology) may be a step in the right direction for mitigating potential breaches, the weakest link still has to be accounted for. If you cannot rally the people to support the information security checks and balances in place, it will fail. The people who interact with the organization's assets and resources are crucial to the success of any security measures in place. In my opinion, the main flaw that enabled the Target breach was the people. It seems that at least minimal checks were in place, but the people who should have checked and validated their effectiveness did not perform their due diligence.
References:
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412