Wednesday, 31 October 2012

Cyber Security Part III - Enterprise Protection

This is the third part of the cyber security series (Part I, Part II), with this week focusing on enterprise protection.  Any device connected to the internet is open to attack, from highly complex botnets right through to an individual port scanning for online FTP or database servers.  Corporate networks are no stranger to being specifically targeted, or to being infected with malware delivered via the public network.

Attack Vectors and Entry Points


Firewall & Network Perimeter - Historically, enterprise security was often viewed with an 'us and them' mentality.  Everything on the internal LAN was safe, anything past the DMZ and on the internet was potentially bad.  The main attack vector in was through the corporate firewall and any other perimeter network entry points.  The firewall was seen as the ultimate protection mechanism and as long as desktops had anti-virus software installed, that was as much as many organisations needed to do.

USB - Desktop PCs were the end goal and they were attacked either through HTTP payloads from websites of dubious origin, or through malware distributed via email, in attachments such as Excel spreadsheets or files containing macros.  The proliferation of USB devices also assisted in the distribution of malware, as large files were often easier to copy offline.

BYOD - Whilst those issues still exist in many organisations, cyber threats have evolved significantly.  Smartphones are omnipresent in the enterprise, whether via Bring Your Own Device (BYOD) or via internally managed hardware.  This brings another dimension.  Not only is malware common across a variety of smartphone operating systems, but smartphones also alter the perimeter of the 'safe' internal network.  Smartphones will have separate data network access, either via 3G/4G or wifi, for access on unsecured networks (or at least unmanaged from the corporation's perspective).  Add to that the fact that they can also be used as network 'hotspots', and bringing a smartphone to work could easily be creating an un-firewalled, un-managed router on every desktop.

Social Media & Social Engineering - The onset of social media has also brought different angles.  Not only are the numerous social media sites used for malware distribution and botnet control, they also give an attacker a new level of information when it comes to spear phishing or targeted attacks.  Publicly held information about senior individuals within an organisation makes social engineering attacks more sophisticated and more likely to succeed.

Basic Defence in Depth


Cyber protection (like any information security protection) is best applied in depth.  A single secure layer of protection, no matter how complex, will be breached at some time in the future.  When it is, it's imperative to have several obfuscated layers underneath.

Network Security - The network perimeter needs protecting.  No doubt about that.  Next-generation firewalls provide high and low level OSI stack scanning.  Gone are the days of simple port blocking rules.  Intrusion detection systems are also a default for many larger organisations.  The recent concept of advanced evasion techniques brings into question the ability of the current batch of network perimeter devices to detect complex network delivery configurations that help to distribute malware payloads.

General network asset management and scanning is also important, not only to help identify smartphone related hotspots and 'leaks' out to the internet, but also for unauthorised devices, especially those configured to use IPv6 on IPv4 only networks.

Access Management - A long-time problem for larger organisations is the constant provisioning and de-provisioning of user accounts.  The use of least privilege is a must, as is regular certification (the checking of existing users and their access levels).  Role based access control can also be a major benefit, especially when it comes to the user on-boarding process, however this can be complex to implement.  Device level access should also be well managed.  Root or administrator equivalent access should be restricted, along with restricted file system access, with device management and configuration changes not permitted.  Unless it's required for the individual's role, policies should be restrictive but not inhibitive.
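A sketch of the certification check described above, added here as an example and not taken from the original post.  The roster, roles and accounts are constructed sample data; the check reports enabled accounts with no active owner and entitlements held beyond the assigned role.

```python
# Added example: access certification against an HR roster and role definitions.
# All users, roles and entitlements below are constructed sample data.

ROLES = {  # role -> entitlements that role is allowed to hold
    "helpdesk": {"ticketing", "password_reset"},
    "finance": {"ledger_read", "ledger_write"},
    "dba": {"db_admin", "ticketing"},
}

HR_ROSTER = {  # active staff -> current role (treated as the source of truth)
    "alice": "finance",
    "bob": "helpdesk",
    "carol": "dba",
}

ACCOUNTS = [  # what is actually provisioned in the directory
    {"user": "alice", "enabled": True, "entitlements": {"ledger_read", "ledger_write"}},
    {"user": "bob", "enabled": True, "entitlements": {"ticketing", "db_admin"}},
    {"user": "carol", "enabled": True, "entitlements": {"db_admin"}},
    {"user": "dave", "enabled": True, "entitlements": {"ledger_read"}},  # has left
    {"user": "erin", "enabled": False, "entitlements": set()},  # already disabled
]


def certify(accounts, roster, roles):
    """Return (user, issue, detail) findings, sorted for stable output."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used, nothing to certify
        role = roster.get(user)
        if role is None:
            # De-provisioning gap: no active employee owns this account.
            findings.append((user, "orphaned_account", "not in HR roster"))
            continue
        excess = acct["entitlements"] - roles.get(role, set())
        if excess:
            # Least-privilege drift: access beyond what the role grants.
            findings.append((user, "excess_entitlement", ",".join(sorted(excess))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in certify(ACCOUNTS, HR_ROSTER, ROLES):
        print(finding)
```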

Patching - The age old issue of patching.  Software of course should be updated to the level recommended by the vendor.  The simple reason is that, from a management perspective, the best support will be received from the vendor or partner if the most recent patches and service packs are installed.  Zero-day attacks are now common practice, with vulnerabilities being exploited before a patch has been provided.  In this case, there is a counter argument that newer software could well be more 'buggy' and vulnerable to attack, as it has had less time in real world implementation environments.  From a simple risk management perspective however, applying patches as soon as possible can help to get the vendor to accept some of the recovery process if a breach or issue has occurred.

Anti-virus and URL Scanning - Anti-virus is again an age old issue from a management perspective.  From the initial anti-virus installation and build, to the distribution of new definitions and then the scanning of machines and recording of infections, anti-virus is key, but also a major headache.  You're only as strong as the weakest link and it takes only one machine not to be covered to cause an issue.  Virus protection must now cover a range of devices, from laptops, smartphones and print devices, to routers, firewalls and switches, if they're sophisticated enough to have a basic operating system.

Metrics for coverage rates and infection rates are important, as they not only help with issue detection, but can also provide return on security investment data too - which will help fund projects and build business cases.

URL scanners are also popular.  This is more about the new concept of reputation based analysis.  By using data from other infected parties, databases can be built that can check a formed URL to see if it has been involved with malicious activity or malware distribution.  The same concept can also be applied to public subnets.
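The reputation lookup described above, for both URLs and public subnets, as an added example that is not part of the original post.  The domain and subnet lists are constructed from documentation ranges, and the resolved address is assumed to be supplied by the caller's own DNS lookup.

```python
# Added example: reputation check for a URL and the address it resolved to.
# The lists are constructed; a real deployment would load a reputation feed.
import ipaddress
from urllib.parse import urlsplit

BAD_DOMAINS = {"malware-dist.example", "c2.example.net"}
BAD_SUBNETS = [ipaddress.ip_network(n)
               for n in ("203.0.113.0/24", "2001:db8:bad::/48")]


def host_of(url):
    """Return the real host, lower-cased, ignoring any user:pass@ prefix."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. a malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()


def domain_listed(host):
    """Match the host or any parent domain against the domain list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def subnet_listed(ip_text):
    """Match an IPv4 or IPv6 address against the listed subnets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal
    return any(ip.version == net.version and ip in net for net in BAD_SUBNETS)


def reputation(url, resolved_ip=None):
    """Return (verdict, reason); an unparseable URL is blocked by policy here."""
    host = host_of(url)
    if not host:
        return ("block", "unparseable URL")
    if domain_listed(host):
        return ("block", "domain reputation")
    # The URL may carry an IP literal instead of a name, so check it as well.
    for candidate in (host, resolved_ip):
        if candidate and subnet_listed(candidate):
            return ("block", "subnet reputation")
    return ("allow", "no listing")
```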

Offense and Response

A key message from any CISO to the management board of an organisation is that they will be attacked and breached at some point.  There is no such thing as total protection.  The same can be said of risk management.  Risks of a great scale can never be removed entirely, simply reduced or transferred.

Incident Response - With that said, a strong process and control centre for data breach and cyber attack recovery and incident response is important.  That should include both technical forensic tools and the correct people and processes in place to make them effective.  An incident should be properly assessed, with an understanding of the impacted parties and the scope of the attack.  Once a full understanding of the attack has been reached, some 'stop the bleeding' style actions should be taken to limit the impact and exposure.  This could include tactical short term fixes or changes.  This should be followed by a detailed root cause analysis phase, with more strategic remediation steps.

SIEM, Logging and Forensics - For incident response to take place, an incident has to be detected in the first place.  Detecting an attack requires several interlinked and correlated pieces of security data.  Security Information & Event Monitoring (SIEM) tools should be used to centrally store and manage logs from multiple devices.  Signature based analysis can certainly help with the scanning of known attacks, with behaviour profiling technologies helping with the unknown.  Forensics style analysis for post-incident management is also popular, with secure duplication of logs and files often hashed to confirm a snapshot has taken place.
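One way to duplicate logs and hash them so the snapshot can be confirmed later, as an added example that is not from the original post.  The function names and the manifest.json layout are assumptions, and source files are assumed to have unique base names.

```python
# Added example: copy log files into an evidence folder and record SHA-256
# hashes in a manifest so the snapshot can be re-checked later.
import hashlib
import json
import shutil
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(sources, evidence_dir):
    """Copy each source file, confirm the copy matches, write the manifest."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        before = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 also preserves file timestamps
        if sha256_file(dst) != before:
            raise IOError(f"copy of {src} does not match the original")
        manifest[src.name] = before
    text = json.dumps(manifest, indent=2, sort_keys=True)
    (evidence_dir / "manifest.json").write_text(text)
    return manifest


def verify(evidence_dir):
    """Return names of evidence files that are missing or no longer match."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    changed = []
    for name, expected in sorted(manifest.items()):
        item = evidence_dir / name
        if not item.is_file() or sha256_file(item) != expected:
            changed.append(name)
    return changed
```

The manifest only proves integrity if it is itself protected, for example by storing a copy on write-once media or recording its hash in the case notes.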

Conclusion

I think the main overriding aspect for enterprise cyber protection is that, as a large scale organisation, you will be attacked at some point.  That may be a virus infection, data theft, or a defaced website, but both proactive and reactive measures must be in place to make risk management of the situation effective.  Those measures must also be both technical and personnel related.