Security today is extremely complex, and yet simple to bypass for a willing mind with enough time and computing power to exploit vulnerabilities that your internal security or IT operations team may or may not have accounted for.
The multi-layered threat, with its many mutations across the attack surface, has grown significantly from the virus age to today's application-focused attacks. One would expect the tools protecting us at the endpoint and in our network security devices to have improved accordingly, but they have not. We live in a time where awareness is our best way to prepare for most cyber attacks.
The main players today are no longer interested in simply degrading your infrastructure's performance with, for example, a DDoS attack. Today's attacks are targeted at specific areas of your organization, with the intent of lowering your customers' confidence by slowing down key production services. The target could be a call center running SaaS applications or an old, large and heavily protected physical infrastructure with security controls and mitigation processes in place. In both cases there is an opportunity to make those controls more adaptive to the threat and more dynamic in reporting and mitigation.
As for the attackers: if we take the Intrusion Kill Chain as our model, the attacker must succeed at every one of its seven phases, while we, as security professionals, need only break one of them. That is good news, but to reliably break even one phase we must understand all the threats and vulnerabilities that feed it. An attacker who has to succeed at all seven phases to reach an organization's data may lose interest in a well-protected target because the time and cost of the attack no longer make it profitable.
For years we assumed that a port-based, fully stateful, packet-inspecting firewall would protect us against most of these threats, and that whatever it missed would be caught by IDS/IPS devices placed inline or around our main security points. Centralized log servers with behavioral analysis rounded out our defense against the "threat attack surface". Much of this approach has changed, but some of its principles survive only as checklist items required to deploy a "secure baseline" in the various compartments of an organization.
Software attack surface
Increasingly, the software development community understands that more needs to be done to properly develop software that is not only efficient, but is also secure.
More is being invested in new mission-critical web applications that touch several data compartments, and yet some basic security concepts are still not applied during the development of these applications.
Most of the known attacks these days use the same old techniques, such as injection through URL parameters (typically SQL injection) and cross-site scripting (XSS).
For some poorly developed applications, a single non-parameterized query is all an attacker needs to get through at least one of the seven kill chain phases. Many other code vulnerabilities have been cataloged, and a common security guideline exists today for application developers to follow: the OWASP Top 10.
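To make the "non-parameterized query" point concrete, here is an added example (not code from the original article) that builds a throwaway in-memory SQLite table with constructed sample users, then compares a login check that pastes user input into the SQL text with the same check written with placeholders. The same block also shows the XSS side of the previous paragraph: rendering a user-supplied name into HTML raw versus HTML-escaped. The table, user names, passwords and attacker payloads are all assumptions made up for this illustration.

```python
import html
import sqlite3

# Constructed sample data for this example only.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed attacker inputs: one for the SQL query, one for the HTML page.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db():
    """Create an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Non-parameterized query: user input becomes part of the SQL text.

    With password = "' OR '1'='1" the statement turns into
      ... WHERE name = 'alice' AND password = '' OR '1'='1'
    and the OR clause matches every row, so the login succeeds.
    """
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Parameterized query: the driver binds values separately from the SQL.

    The payload is compared as a literal password string and never
    changes the structure of the statement.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def render_vulnerable(name):
    """Reflects the name into HTML unchanged: a stored/reflected XSS sink."""
    return f"<p>Hello {name}</p>"


def render_escaped(name):
    """Output-encodes the name so browser markup in it is shown as text."""
    return f"<p>Hello {html.escape(name)}</p>"


def demo():
    """Run both variants against legitimate and hostile input."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vulnerable": login_vulnerable(conn, "alice", SQLI_PAYLOAD),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        "attack_param": login_parameterized(conn, "alice", SQLI_PAYLOAD),
        "html_vulnerable": render_vulnerable(XSS_PAYLOAD),
        "html_escaped": render_escaped(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The injected password is accepted by `login_vulnerable` and rejected by `login_parameterized` even though both execute "the same" query; the only difference is whether the attacker's bytes are parsed as SQL or carried as data. The same separation of code and data is what `html.escape` provides for the browser.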
If all corporations and organizations adopted the OWASP guidelines, security awareness would rise, and the real gain would be to raise the cost of creating or running exploits against these systems. As we increase the attackers' cost, we reduce their ability to keep exploiting our applications.
Penetration tests and application validation procedures are always important, but if developers were more aware of the risks and knowledgeable about the kill chain, I believe they could embed more security "snippets" in their core code and enforce security postures from within their applications.
A good starting point would be for developers to reduce the amount of code that runs with access to core data during data-access tasks, so that the path to the data is as small as possible.
Reducing the set of features enabled for users with high-privilege access to core data, and disabling those features entirely for users with low-privilege credentials, is another good approach. Finally, it would be interesting if, as part of a common guideline, developers limited their own code's ability to access data or perform network tasks whenever the application is made aware that a vulnerability is being exploited on its own system at that moment: a self-imposed security boundary check from within the application that acknowledges signals from other security devices.
Some developers already use the defense-in-depth architecture model and collaborate with next-generation security devices that exchange information via XML or an API, giving developers and their code valuable application analysis at run time.
Network attack surface
Probably the busiest attack surface, and the most popular, is the network attack vector. Even with all the standards and RFCs in place, published CVEs (https://cve.mitre.org/cve/) with their mitigations, and endpoint IOC databases (http://www.openioc.org/), there is still a lot going on inside a TCP packet that needs to be inspected and sometimes blocked.
We have VPNs, SSH connections and a series of tunnels such as PPTP, and they are still not enough to contain the threats encapsulated in a TCP or UDP packet and sent through our networks (PPTP in particular should no longer be relied on: its MS-CHAPv2 authentication has been broken for years, so a tunnel is only as strong as the protocol behind it). Not every user wants to be aware of the attack surface, or of security in general. Not all network engineers and security engineers are willing to keep processes and security controls in check. We created two-factor authentication, and then we created single sign-on (SSO), and the combination of the two makes a very secure but complex authentication portal. Together with domain administrators enforcing password changes every six months or so, this raises the difficulty of guessing a password, but none of it helps when users are careless about eavesdropping, social phishing and the other credential-capture techniques attackers use today.
Many organizations do not enforce job (position) rotation, separation of duties (SoD) or mandatory vacations, as several standards for detective and administrative controls say they should. Their financial departments are made well aware of the high cost of these risks, and rather than apply another administrative security control they transfer or accept the risk as a partial patch for the problem. This approach can be effective when a well-balanced finance department and security department are in place, communicate, constantly update the risk picture and exchange security control updates as needed. But that is not always the case, and the approach often leads these organizations to take misguided risks that cannot be transferred (to an insurance company, for instance) and have to be absorbed by the corporation. A company's reputation should never be an asset available for gambling, and CSOs and CISOs are often misinformed, not about the risks themselves, but about how those risks are being measured and how other departments are choosing to mitigate or accept them. Another detective administrative control that is not always applied, or not as frequently as it should be: security reviews and audits.
The network surface is constantly and dynamically changing. Security controls and user awareness should be as present and as routine as the human resources training already in place in all of these corporations and organizations today.
Human attack surface
Stressing why training and security awareness matter is becoming redundant. Awareness should be "second nature" to all users, and it should be made clear to them how important their data, their jobs and their own physical safety are. Today, employees at all levels, especially those in high-profile organizations, need to be protected from external groups that are targeting their organizations. These attackers invest in diverse network intrusion tactics as well as kidnapping, temporarily hijacking devices, and copying user activity from devices in the employees' own homes. This can be done by following an unsuspecting user home and shadowing their network services, wired or wireless, while they are in the house. It is much easier to tap their cable provider's egress than to break their SSL keys or IPsec tunnels from the internet.
Many groups copy or tap into a user's home service provider connection and are able to gather credentials and valuable paths to real data, even when the user has no high-privilege access, simply because the user connects to a non-segmented network. For instance, a pivot attack is easier to launch from the user's remote location than by infiltrating through the corporation's hardened inbound path from the public networks.
Installing software that will later serve as the source of a pivot attack into the organization is common practice, but finding the right people within the targeted organization is the key to following their email threads and work activity. That alone is enough to open several doors inside the organization that other group members can exploit later, with a serious agenda and a profitable contract in hand.
So, back to my initial point: in my opinion, security today is relevant only if we all agree to be aware of the risks we are exposed to, or are involuntarily passing on to our employers. Some employees still think that "it's NOT our business". I would say: think again, maybe it is NOW our business!
The security of your job, and of your company's data, reputation and clients, is everyone's responsibility, even (if not mostly) when employees are away from their workplace.