The ‘New' Security Fundamentals
IANS Expert Tips for Low-Cost, High-Impact Infosec Actions Every Organization Should Take Now
It's among the most frequent — and frustrating — realizations for information security professionals: investing in the latest infosec solution or subscribing to a hot new security service only to find that a few simple process changes would substantially accomplish the same thing at far less cost.
The ninja security tactics described in this guide — a set of reimagined, if not completely "new," security fundamentals — are available to all for free or with minimal investment. They don't come with new acquisition costs, steep learning curves or additional vendor lock-in. All they require is a fresh perspective on existing systems and tools, and the judicious application of already well-known security concepts. So why don't more organizations take advantage of them?
Short answer: the new security fundamentals are not sexy. There is no multi-million-dollar marketing budget to promote the idea of enabling internal firewalls. The concept of application whitelisting doesn't make headlines. Ninjas are cool. Ninja security? Not so much.
What security fundamentals lack in sizzle, however, they more than make up for in substance, and the imperative for employing them has never been greater. One key reason to take advantage of holistic, organic security solutions is the budget resources they conserve. Enterprises now spend record amounts to secure their systems and data. The market research firm MarketsandMarkets estimates global spending on cybersecurity will top $106 billion in 2015 and swell to more than $170 billion by 2020, a compound annual growth rate of 9.8 percent.[1]
This substantial expense hits certain enterprise security segments particularly hard. Spending to secure cloud resources will approach $9 billion within five years, according to MarketsandMarkets.[2] Meanwhile, managed security services are expected to grow nearly 16 percent per year in the same period, raking in $30 billion by 2020, Allied Market Research predicts.[3] Funding security efforts also affects some vertical industries more than others. For example, financial institutions (the fastest growing non-government security market) are expected to shell out $9.5 billion for cybersecurity products and services in 2015, according to Homeland Security Research Corp.[4]
Clearly, a significant portion of vital information technology budgets is being committed to security wares, and that alone makes organic, low-cost process adjustments attractive to IT security decision makers. But the best reason to heed the following expert-curated list of security fundamentals is that the suggestions really work. These tips and tricks truly do make our systems more secure; they reduce risk and they mitigate threats and vulnerabilities.
For simple, inexpensive actions that reap big security dividends, here's what members of IANS' expert Faculty suggest:
A majority of IANS Faculty agree that restricting employee access to recently-created Internet domain names can go a long way to thwarting phishing and drive-by attacks and improving overall security posture. IANS Faculty Mike Pinch, Chief Information Security Officer for the University of Rochester (N.Y.) Medical Center and an expert in risk and threat management, suggests never allowing anyone in the organization to visit a site whose domain name has been registered in the past two weeks, saying "99 percent of the time, these new sites are being used in a phishing campaign." Pinch also advises leveraging DNS lookup to trigger an alarm when attempts to access such new domains are made. Those warnings can serve as an early-warning system for the presence of phishing emails in the system.
IANS Faculty John Strand takes things a step further, advocating for Internet whitelisting that puts strict limits on where users can go on the Web. Strand, owner of Black Hills Information Security in Sturgis, S.D., maintains that limiting users to the top few thousand most popular websites, excluding pornographic and gambling sites, creates a good base experience. The initial whitelist process should be augmented with a way for users to submit additional sites for approval.
This system should keep most employees and executives satisfied even as it reduces exposure to Internet threats to a tiny fraction of what it was before the restrictions were enacted. There remains a small risk of compromise through infected sites that slip through the cracks, but even in those cases, the subsequent command-and-control attack elements will fail to connect as a result of the whitelist filtering.
"Remember, the goal is not reducing risk to zero, but rather trying to get it to an acceptable level," says Strand. "Also, whitelisting further reduces the white noise that needs to be cut through in most incident-response or hunt-teaming engagements."
Another tip comes from IANS Faculty and IT security strategy expert David Etue, who advises infosec pros to shut down access to all uncategorized domains or, at least, log such access attempts to a SIEM for analysis. "The Web filtering vendors classify new acceptable domains pretty quickly," says Etue. "So if you don't know what it is, it's probably bad."
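Pinch's two-week rule and Etue's uncategorized-domain rule can both be checked from the resolver's query log. The following is an added example (not from the guide or from any IANS Faculty member); the registration dates, the categorized set, the reference date and the log lines are all constructed, and the registrable-domain helper is a deliberate simplification.

```python
from datetime import date, timedelta

# Constructed lookup table standing in for cached WHOIS/RDAP creation dates.
REGISTRATION_DATES = {
    "example-bank-login.com": date(2015, 7, 1),
    "trusted-vendor.net": date(2009, 3, 12),
    "secure-update-now.info": date(2015, 7, 9),
    "oldsite.biz": date(2010, 5, 5),
}
# Constructed set of domains the web-filter vendor has already categorized.
CATEGORIZED = {"trusted-vendor.net", "example.org"}
NEW_DOMAIN_WINDOW = timedelta(days=14)   # "registered in the past two weeks"
TODAY = date(2015, 7, 10)                # constructed reference date for the sample

def registrable_domain(fqdn):
    """Reduce a queried name to its registrable domain. Simplification: keeps the
    last two labels; production code should use the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_domain(fqdn, today=TODAY):
    """Return 'block-new', 'block-uncategorized' or 'allow'."""
    domain = registrable_domain(fqdn)
    registered = REGISTRATION_DATES.get(domain)
    if registered is not None and today - registered <= NEW_DOMAIN_WINDOW:
        return "block-new"            # Pinch's two-week rule
    if domain not in CATEGORIZED:
        return "block-uncategorized"  # Etue's "if you don't know what it is" rule
    return "allow"

# Constructed resolver log lines: timestamp, client IP, queried name, record type.
DNS_LOG = """\
2015-07-10T09:12:03 10.0.5.21 www.example-bank-login.com A
2015-07-10T09:12:41 10.0.5.21 portal.trusted-vendor.net A
2015-07-10T09:13:07 10.0.7.8 cdn.example.org A
2015-07-10T09:15:55 10.0.7.8 secure-update-now.info A
2015-07-10T09:16:02 10.0.9.3 oldsite.biz A
"""

def scan_dns_log(log_text, today=TODAY):
    """Return (client, fqdn, verdict) for each query that should raise an alarm."""
    alerts = []
    for line in log_text.splitlines():
        _ts, client, fqdn, _rtype = line.split()
        verdict = classify_domain(fqdn, today)
        if verdict != "allow":
            alerts.append((client, fqdn, verdict))
    return alerts
```

Feeding the alerts to the SIEM gives the early warning Pinch describes: the first hit on a block-new domain usually means a phishing email has already landed.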
In a domain-related suggestion, Etue also recommends tagging all emails that originate from outside the organization with the phrase "[EXTERNAL]" appended to the subject line. "This will make all phishing attacks impersonating an internal user obvious to the recipient," Etue says.
AppLocker as a First-Line Defense
Several IANS Faculty stress the importance of using AppLocker, Microsoft's built-in tool for creating and managing advanced software restriction policies. With AppLocker, admins can create rules that control which apps can run where based on identifying characteristics of both files and users. AppLocker provides granular control of executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), as well as packaged apps and packaged app installers (appx).
With both hackers and penetration testers easily bypassing modern antivirus controls, Strand suggests ditching the legacy blacklist model for an application whitelisting strategy starting with AppLocker. "You can start by defining what directories are allowed to run various programs," Strand says. "For example, you can restrict applications to run from the Windows and Program Files directories. There are ways to bypass this, but the overall improvement to the security posture of an environment is extensive."
IANS' Pinch agrees, adding that organizations should eschew Bit9-, Lumension-, Bromium-style tools until they've implemented AppLocker whitelist policies. "This stops 99.9 percent of malware dead in its tracks with no signatures and no antivirus for zero dollars."
"If I had to choose AppLocker or traditional AV, I would choose AppLocker every time," Strand adds. "This is not something that is product-specific. It is something you probably already have in your environment with no need to purchase another expensive tool."
Along similar lines, IANS Faculty Mike Saurbaugh, director of technical alliances at PhishMe in Leesburg, Va., and longtime security chief in the financial services industry, favors the use of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free, Windows-based tool that supplements defenses for potentially vulnerable legacy and third-party applications.
EMET prevents exploits through the use of several mitigation techniques including: data execution prevention; mandatory address space layout randomization; structured exception handler overwrite protection; export address table access filtering; anti-return oriented programming; and SSL/TLS certificate trust pinning.
"Out of the box, EMET provides exploit protection for things like Office files, PDFs, and browsers," Saurbaugh says. "The admin customizes which applications need EMET running against them and specifies the applications path. This is a viable alternative to other endpoint solutions."
Firewalls for All
Firewalls at the perimeter are de rigueur in most organizations, but IANS Faculty recommend finding a home for the tried-and-true network security technology internally as well. While the built-in firewall in Windows leaves much to be desired in terms of manageability and ease of use, IANS' Strand advises turning it on anyway and setting policies that allow PC access from tightly controlled admin VPNs and server subnets, but not from workstation to workstation.
"There is no good reason to have workstations talking to each other over SMB (Server Message Block). Users should not be sharing files in this way, ever," says Strand. "Basically, you want to treat your internal network as hostile, because it is."
Bolstering the organization with internal firewalls provided by Windows — or built into many AV products — gives admins a pre-deployed, centrally-managed option that can stop an attacker from pivoting from machine to machine using pass-the-hash attacks or token impersonation. That will thwart the majority of attacks that depend on the ability to move through client devices on the network searching for one with a local privilege escalation vulnerability or sensitive data to steal.
"Attackers may still be able to access file servers and critical services, but those communication paths are known and can be monitored far easier than trying to monitor every communication between every system," Strand maintains.
Another tactic to thwart attack pivoting comes from IANS Faculty Bill Dean, director of security assessments and digital forensics for Sword & Shield Enterprise Security, who advises creating a different local administrator password for each Windows-based client device.
Of course, externally-facing firewalls also remain an effective tool for securing the network, and their traditional position at the perimeter gives them some additional capabilities for creative IT security practitioners. IANS' Saurbaugh suggests leveraging existing firewalls to pull double duty on data-loss prevention without the expense of a dedicated DLP solution.
"In the firewall logs, look at events such as egress access other than 80/443 (e.g. SSH, FTP) from computers that should not be making this outbound connection," Saurbaugh suggests. "Then look at file transmission size and foreign country destinations. When you add all of this up, you get something like, ‘the call center agent established an outbound FTP connection and attempted to move large files to Russia.'"
While this may not provide prevention per se, it does mimic the response of the vast majority of DLP solutions that are deployed in "audit only" mode, Saurbaugh adds. And working with firewall logs and rules serves as a good primer, helping organizations get their feet wet before moving on to more advanced DLP solutions to address encrypted traffic, for example.
Similar insights can be gleaned from logs of VPN connections. "Are the source countries from the U.S. or are they from foreign countries that you do not do business with?" Saurbaugh adds. "This can be a good indicator that credentials have been compromised."
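Saurbaugh's firewall-log heuristics (non-web egress from hosts that should not make it, transfer size, destination country) and his VPN source-country check, written out as an added example that is not from the guide. The log lines, country list, exempt-host list and size threshold are all constructed.

```python
# Constructed firewall egress log: time, src, dst, dst_port, proto, bytes_out, dst_country.
FW_LOG = """\
2015-07-10T10:01:12 10.20.1.15 203.0.113.7 443 tcp 18200 US
2015-07-10T10:03:44 10.20.1.15 198.51.100.9 21 tcp 734003200 RU
2015-07-10T10:04:02 10.20.4.2 192.0.2.33 22 tcp 5100 DE
2015-07-10T10:05:19 10.20.1.40 203.0.113.88 80 tcp 9900 US
"""
# Constructed VPN log: time, user, source_ip, source_country, result.
VPN_LOG = """\
2015-07-10T02:11:05 jdoe 198.51.100.200 BR success
2015-07-10T03:02:00 jdoe 198.51.100.201 CN failed
2015-07-10T08:30:51 asmith 203.0.113.5 US success
"""
BUSINESS_COUNTRIES = {"US", "CA", "DE"}      # constructed: where the organization does business
EGRESS_EXEMPT_HOSTS = {"10.20.4.2"}           # constructed: e.g. an SFTP relay that may use port 22
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024      # constructed threshold: 100 MiB outbound

def egress_findings(log_text):
    """Return (src, dst, port, reasons) for connections matching the heuristics, worst
    first: a hit on all three (odd port, big transfer, odd country) is the
    'call center agent moved large files to Russia' case."""
    findings = []
    for line in log_text.splitlines():
        _ts, src, dst, port, _proto, nbytes, country = line.split()
        port, nbytes = int(port), int(nbytes)
        reasons = []
        if port not in (80, 443) and src not in EGRESS_EXEMPT_HOSTS:
            reasons.append(f"non-web egress on port {port}")
        if nbytes >= LARGE_TRANSFER_BYTES:
            reasons.append(f"large transfer ({nbytes} bytes)")
        if country not in BUSINESS_COUNTRIES:
            reasons.append(f"destination country {country}")
        if reasons:
            findings.append((src, dst, port, reasons))
    return sorted(findings, key=lambda f: -len(f[3]))

def vpn_findings(log_text):
    """Return (user, src_ip, country) for successful VPN logins from non-business countries."""
    hits = []
    for line in log_text.splitlines():
        _ts, user, ip, country, result = line.split()
        if result == "success" and country not in BUSINESS_COUNTRIES:
            hits.append((user, ip, country))
    return hits
```

The exempt-host list is what keeps this from drowning in the legitimate SFTP relay or backup server; the point is that only a handful of hosts should ever leave on ports other than 80 and 443.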
Little Things Add Up
Many IANS Faculty urge infosec practitioners to embrace as many simple but substantive changes to tactics and policies as possible: the kinds of actions that move the security-posture needle without busting the budget. Recommendations include:
- Disabling password lockouts in Active Directory and moving the detection of brute-force attacks to SIEM. "User satisfaction goes way up and password changes (and costs to the helpdesk) go way down," says Pinch. "Nobody brute forces anymore anyway."
- Pinch also recommends focusing detection and mitigation efforts on well-known vulnerabilities. "You'll be exponentially more effective at preventing vulnerability exploits by addressing the ones that have pre-packaged exploits available in MetaSploit and ExploitDB," Pinch says.
- Finding outliers that indicate trouble using free network security tools such as Security Onion's Bro, which can inventory all user-agent strings passing through it to identify abnormal UA occurrences. Why would this be helpful? "If all your systems are Windows 7 to 10 and you see a Windows XP user-agent string, it could be a UA string for a piece of malware," says Strand. "Or it could be a very out-of-date system that needs to be eradicated."
- Consulting with marketing to see if they are buying Internet intelligence services for your brand. "Those same companies might provide threat intelligence as part of that feed already," advises Etue. "Or you may be able to upgrade for a very small price."
- Etue also suggests setting up Google Alerts for your company, key executives, and other brand-specific keywords for results that show up on pastebin.com and other popular data-dump sites. "It's free data-breach detection for a number of hacktivist actions," he says.
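If account lockouts are disabled as Pinch suggests, the detection has to live in the SIEM. This added example (not from the guide) shows the two rules such a SIEM correlation would need: many failures against one account from one source inside a sliding window, and one source failing against many accounts (a password spray). The events, thresholds and window are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
PER_ACCOUNT_THRESHOLD = 10   # constructed: more than 10 failures on one account per window
SPRAY_THRESHOLD = 5          # constructed: one source failing against more than 5 accounts

def constructed_events():
    """Constructed failed-logon events (timestamp, source host, target account),
    the fields a SIEM would carry from Windows 4625 events."""
    base = datetime(2015, 7, 10, 8, 0, 0)
    ev = []
    # 12 rapid failures against one account from one host: classic brute force
    ev += [(base + timedelta(seconds=3 * i), "10.0.8.14", "jdoe") for i in range(12)]
    # one host trying six different accounts once each: password spray
    ev += [(base + timedelta(seconds=20 * i), "10.0.9.77", f"user{i}") for i in range(6)]
    # a user who mistypes twice: legitimate noise that a lockout would have punished
    ev += [(base + timedelta(minutes=m), "10.0.3.5", "asmith") for m in (1, 2)]
    # 12 failures spread ten minutes apart: never more than one inside the window
    ev += [(base + timedelta(minutes=10 * i), "10.0.4.4", "bwong") for i in range(12)]
    return sorted(ev)

def detect_bruteforce(events):
    """Return sorted alerts: ('brute-force', account, src) or ('password-spray', src).
    Events must be in time order."""
    per_account = defaultdict(deque)   # (src, account) -> failure timestamps in window
    per_source = defaultdict(dict)     # src -> {account: last failure timestamp}
    alerts = set()
    for ts, src, account in events:
        q = per_account[(src, account)]
        q.append(ts)
        while ts - q[0] > WINDOW:      # slide the window forward
            q.popleft()
        if len(q) > PER_ACCOUNT_THRESHOLD:
            alerts.add(("brute-force", account, src))
        seen = per_source[src]
        seen[account] = ts
        recent = [a for a, t in seen.items() if ts - t <= WINDOW]
        if len(recent) > SPRAY_THRESHOLD:
            alerts.add(("password-spray", src))
    return sorted(alerts)
```

The spray rule matters because a lockout policy never catches it: a few guesses per account stay under any lockout threshold while still covering the whole directory.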
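Strand's user-agent inventory, as an added example that is not from the guide or from the Bro project: it reads lines shaped like a subset of Bro's tab-separated http.log fields (ts, id.orig_h, host, user_agent), counts distinct source hosts per UA, and flags UAs seen from too few hosts or carrying a Windows OS token outside a Windows 7-to-10 baseline. The log lines and the rarity threshold are constructed.

```python
from collections import defaultdict

# Constructed lines in the shape of a Bro http.log field subset (tab-separated):
# ts, id.orig_h, host, user_agent.
HTTP_LOG = "\n".join([
    "1436518800.1\t10.0.5.21\twww.example.org\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0",
    "1436518801.2\t10.0.5.22\twww.example.org\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0",
    "1436518802.3\t10.0.5.23\tcdn.example.net\tMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36",
    "1436518803.4\t10.0.5.24\tcdn.example.net\tMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36",
    "1436518804.5\t10.0.5.40\t198.51.100.9\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "1436518805.6\t10.0.5.41\t203.0.113.7\tpython-requests/2.7.0",
])
# Windows 7, 8, 8.1 and 10 OS tokens: the baseline for a "Windows 7 to 10" fleet.
APPROVED_OS_TOKENS = ("Windows NT 6.1", "Windows NT 6.2", "Windows NT 6.3", "Windows NT 10.0")
RARE_HOST_COUNT = 1   # constructed: a UA seen from this many hosts or fewer is an outlier

def ua_outliers(log_text):
    """Return (user_agent, hosts, reasons) for UA strings worth a look, in UA order."""
    hosts_by_ua = defaultdict(set)
    for line in log_text.splitlines():
        _ts, orig_h, _host, ua = line.split("\t")
        hosts_by_ua[ua].add(orig_h)
    findings = []
    for ua in sorted(hosts_by_ua):
        hosts = sorted(hosts_by_ua[ua])
        reasons = []
        if len(hosts) <= RARE_HOST_COUNT:
            reasons.append(f"seen from only {len(hosts)} host(s)")
        if "Windows NT" in ua and not any(tok in ua for tok in APPROVED_OS_TOKENS):
            reasons.append("OS token outside Windows 7-10 baseline")   # e.g. NT 5.1 is XP
        if reasons:
            findings.append((ua, hosts, reasons))
    return findings
```

A non-browser UA such as a scripting library from a single workstation is the other common find; whether it is malware or an unmanaged tool is the follow-up question Strand describes.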
There's no getting around it: securing information technology assets in the modern enterprise is a complex pursuit. As systems grow in capacity and functionality and become more distributed and decentralized, ensuring the safety and integrity of IT assets and critical data consumes a greater amount of an organization's blood and treasure. Still, there remain a few basic steps every infosec professional can take to improve the security of their organization without costly and time-consuming implementations of complicated commercial solutions.
These "new" security fundamentals are based on real-world experiences of IANS' Faculty of expert security practitioners and represent effective — if occasionally contrarian — approaches to the challenges security pros face everyday. Properly implemented, these low-cost, high-impact security tactics can help you reduce risk, and mitigate threats and vulnerabilities in your own organization right away.
In support of these basic security building blocks, IANS' John Strand says it best: "Antivirus and IDS/IPS are all security theater. They provide an illusion of security that was never there. We need to get beyond them. We need to understand that attackers will bypass them, because they will. We need to start building our networks accordingly."
Checklist: IANS New Security Fundamentals
Our faculty of information security experts share their best low-cost, high-impact tips for improving the security posture of any organization. Take advantage of these infosec action items and keep track of your organization's efforts.
[1] Cyber Security Market by Solution (IAM, Encryption, DLP, Risk and Compliance Management, IDS/IPS, UTM, Firewall, Antivirus/Antimalware, SIEM, Disaster Recovery, DDOS Mitigation, Web Filtering, and Security Services) — Global Forecast to 2020. (2015, June 1). Retrieved from http://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html
[3] Global Managed Security Services Market — Deployment Mode, Organization Size, Application, Verticals, Trends, Opportunities, Growth, and Forecast, 2013–2020. (2015, April 1). Retrieved from https://www.alliedmarketresearch.com/managed-security-services-market
[4] Banking & Financial Services Cybersecurity: U.S. Market 2015–2020 Report. (2015). Retrieved from http://homelandsecurityresearch.com/2014/10/u-s-banking-financial-services-retail-payment-cybersecurity-market-2015-2020/