Risky Business

12/15/2011 | John Galda

From a recent security talk by IANS Faculty member John Galda at the November ISSA meeting in Boston.

Security programs should be based on risk. However, if you do not have any information on current threats and vulnerabilities, it is difficult to prioritize and allocate scarce resources. Unlike many less volatile professions, those who work in security have to be highly vigilant, continually scanning the horizon for new information and using it to adjust their defenses.

Because of legal, reputational, and other concerns, people are reluctant to share the details of their shortcomings and breaches. So any time good data is available, it is worthwhile to take a look at it to see how it aligns to your current thinking. There is no sense in spending money, time, and sleepless nights on areas that are no longer primary threats.

First, let’s review: 1) who the current threat actors are, 2) what they are after, 3) where they are from, 4) when they attack, 5) why they do it, and 6) how they are most likely to attack.

1) Who

Who is behind it? The United States is a leader in global technology and finance. Foreign agents are a growing and persistent threat to US economic security. Recent data shows breaches are mostly from outsiders. Breaches from insiders tend to be less frequent and usually accidental, often due to lost laptops, removable storage devices, email transmission, or network storage. Loss from foreign outsiders is increasingly a political and national security issue, since every time something of value is stolen, it reduces our economic vitality and our ability to achieve a strong recovery.

2) What

What are they doing? Yes, they seek to compromise systems, but only as a stepping stone to the ultimate end, which is to steal information and money. It is a generalization, but foreign governments seek intellectual property (IP) and strategy data, while criminals go right for the money. Most IP theft is coming out of China, and most financial fraud comes out of Eastern Europe and the US. Bank account information and credit card data is a prime financial target. However, secondary targets such as credentials and personal information (SSN, etc.) are taken and used as stepping stones to get to the financial sources. Increasingly, email is a target: not just as a source of better phishing lures, but because mailboxes are used for fake password resets, and the email address itself is widely used as an account name on many public sites (Netflix, Facebook, etc.), getting the criminals one step closer.

3) Where

Where are attacks directed? Attackers seem to be losing interest in broad-based spam and infected email. Instead, they are using stolen data to target their attacks (spear phishing and whaling), luring people out from behind hardened corporate networks to malicious websites or to legitimate websites that have been infected.

4) When

The timing of attacks usually follows a couple of phases. For a short period of time (weeks or days), the bad guys do reconnaissance and vulnerability scans. This can be turned to an advantage if you are looking for, and responding to, those who are “casing the joint” prior to an attack. However, once the attack is underway, the time it takes for the data stores to be found is usually measured in hours. Using robust corporate networks, large amounts of data can be exfiltrated in seconds or minutes. When do people find out? Unfortunately, you are not always the first to know. The time to discovery usually takes months. Often the discovery comes from outsiders like partners, customers, or law enforcement. The ability to contain and remediate a breach usually stretches into weeks and months. Frequently this isn’t a “one-and-done” cleansing. The good hackers have contingency plans, so they may pop up somewhere else in the network, leading to a frustrating game of “whack-a-mole”.
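The reconnaissance phase described above is the defender’s opportunity: a source touching many distinct ports on one host stands out in firewall logs long before anything is exfiltrated. The following is an added example, not code from the talk, that runs a simple sliding-window port-scan detector over constructed firewall log lines in an assumed “timestamp src dst port verdict” format. It also goes slightly beyond the text by showing that a slow, spread-out scan only surfaces when the window is widened.

```python
"""Flag reconnaissance-style port scanning in firewall connection logs.

Added example (not part of the original talk). The log format below is an
assumption: "ISO-timestamp src_ip dst_ip dst_port verdict", one event per line.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (RFC 5737 documentation addresses).
# 203.0.113.7 sweeps six ports in five seconds; 203.0.113.9 probes one port
# every hour or so; 198.51.100.5 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2011-11-14T09:00:01 203.0.113.7 192.0.2.10 22 DENY
2011-11-14T09:00:02 203.0.113.7 192.0.2.10 23 DENY
2011-11-14T09:00:02 203.0.113.7 192.0.2.10 80 ALLOW
2011-11-14T09:00:03 203.0.113.7 192.0.2.10 443 ALLOW
2011-11-14T09:00:04 203.0.113.7 192.0.2.10 3389 DENY
2011-11-14T09:00:05 203.0.113.7 192.0.2.10 8080 DENY
2011-11-14T09:01:00 198.51.100.5 192.0.2.10 443 ALLOW
2011-11-14T09:02:00 198.51.100.5 192.0.2.10 443 ALLOW
2011-11-14T09:30:00 203.0.113.9 192.0.2.11 22 DENY
2011-11-14T10:45:00 203.0.113.9 192.0.2.11 23 DENY
2011-11-14T11:50:00 203.0.113.9 192.0.2.11 25 DENY
2011-11-14T12:55:00 203.0.113.9 192.0.2.11 110 DENY
2011-11-14T13:59:00 203.0.113.9 192.0.2.11 143 DENY
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, verdict) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, verdict = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), verdict))
    return events


def find_port_scanners(events, window_seconds=300, min_ports=5):
    """Return {src: sorted distinct ports} for every source that touched at
    least `min_ports` distinct destination ports within any `window_seconds`
    span. The largest port set seen in any window is reported."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _verdict in sorted(events):
        by_src[src].append((ts, port))

    flagged = {}
    for src, hits in by_src.items():
        best = set()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("fast scans (5 min window):", find_port_scanners(evts))
    print("slow scans (6 h window):  ", find_port_scanners(evts, window_seconds=6 * 3600))
```

With the default five-minute window only the fast sweep from 203.0.113.7 is reported; the patient host 203.0.113.9 is only caught when the window is widened to hours. That is the practical cost of the “casing the joint” phase lasting days or weeks: the detection window must be as long as the attacker is patient, which means retaining and correlating logs over a longer period.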

5) Why?

Without deeply probing human nature, each threat actor is trying to fund and further their own agenda at your expense. Different motives usually lead to different targets and methods of attack. But all are affected by the “invisible hand” of the market, which also applies to illegal economies. New automated tools mean more criminal competitors can enter the marketplace. New crimeware technologies lower the time and effort needed to steal credit card and bank account data. This results in increased competition among criminals and lower costs to the “consumers” of this illegal data. Providers must then build their reputation and strive to offer new and better products and services to maintain their own revenue flow by better serving their criminal customers.

6) How?

While novice criminals, aka “script kiddies,” are increasingly depending upon broad-based port and vulnerability scans, more sophisticated actors are moving away from such approaches since they are so “noisy” and inefficient. Instead, they are targeting specific protocols and ports that correspond with remote access communications tools and gaps. Direct network attacks on infrastructure and network devices have waned in favor of attacking the many flaws found in web applications and the greater ease of getting to underlying database servers. Users are also being lured out from behind firewalls by targeted emails and malicious web links.

Security “Brick Wall”

Now that we have a general sense of current threats and vulnerabilities, how do we defend? With a security “Brick Wall.” Each line of defense in the security brick wall is based on one of the six major attack vectors: web applications, server and infrastructure, workstations, vendor/cloud locations, insiders, and remote access. Each brick in each line of the wall represents a need for a related investment in technology and people to block or reduce risk in that vector. Perception of risk determines which line and which brick is addressed first. Each remaining gap becomes a security project to create a new brick.

Behind the brick wall is the data that we are protecting. This should also be reviewed. It is essential to address the risk profile created by data retention. Eliminating old records (e.g. detailed financial payments) and “neutering” personally identifiable information (e.g. replacing SSNs with account numbers) vastly reduces what can be lost. You can never breach what you don’t have.