An Overnight Transformation for an Insecure Organization
What is a successful security?
Recently I’ve been pondering the question of how an organization determines whether they have a “successful security strategy”. Product vendors and compliance initiatives repeatedly ask “Are you secure?” as if it were a binary state, touting tools and checklists that will make it so.
But if the largest corporations with the highest security budgets in the world cannot stop the onslaught of breaches, and if even the CIA and NSA can’t stop the steady drip of classified information, then what does it actually mean to be secure, and who actually qualifies?
Security isn’t a binary state. Even if security nirvana could be achieved, it would be short-lived; the next new vulnerability discovered would render that security posture insecure. For every new lock created, a way to pick it will be discovered. Being impenetrable isn’t the goal. More secure is the goal; and that pursuit is worthwhile at any stage of the security journey, even if your organization is just getting started.
Establish a winning Philosophy
When interviewed after a notable victory, athletes will often speak of “having been put in a position to win”, meaning they were provided a situation in which execution would result in a win. In the case of security, a winning philosophy that puts your organization in a position to win looks as follows:
- Acknowledge the threat. Security threats against your organization are real, and a breach can have significant material consequences. It can cost an organization its capital, hard-built brand, and even its entire existence. It can cost its officers and employees their jobs, reputations, and potential careers. Depending on the circumstances, it can have legal ramifications. Take the threat seriously, and that will inform the attitude toward every security decision to be made.
- Security is a way of life, not an event. Security culture is defined by the routine of everyday operations, not by a quarterly vulnerability scan, occasional penetration test, or annual PCI audit. How an organization behaves all day, every day, across every department defines its security posture.
- Make a complete commitment from the top down. Once efforts commence securing an organization, the choice between doing things securely versus insecurely will repeatedly arise. Without buy-in from the top management and a complete commitment to a secure approach, a shortcut will nearly always be taken, usually with the justification that “it was an emergency”. Everything subsequently becomes labeled an emergency, effectively rendering security efforts null and void. This is tantamount to plugging holes in the port side of a boat while water is pouring in through holes in the starboard side. Employing security measures in one area but not others will still sink the whole organization.
A winning philosophy is a foundation upon which a more secure progression can be executed successfully.
Your secret weapon: people
Recent industry surveys typically cite insiders as the number one security threat. I don’t particularly prefer the term “insider threat”, as it carries with it a generally negative connotation of maliciousness. While a malicious employee most certainly would be considered an insider threat, the far greater and more frequent concern under that term’s umbrella isn’t malicious at all: inadvertent behavior, often caused by nothing more than a lack of knowledge. Phishing, malware, and weak password management are the high-percentage causes of security breaches. The truly malicious insider is the plane crash of security breaches – it happens relatively rarely, but gets major media attention because of its severe impact. But regardless, insiders aren’t wildcards. They are your employees, on your team. Rather than liabilities that attackers exploit, turn them into guards on the wall:
- Train your employees regularly. Discerning employees able to identify phishing attacks and avoid malware are like having intelligent, adaptable agents deployed on every system at the organization. Train them! You aren’t going for check-box compliance here, i.e. do not teach theory. Words alone will likely have no lasting value. Conduct live demos of phishing attacks and malware-in-action, showing both attacker and victim sides of the dialog. Employees will better connect their behavior to consequences.
Secure password management is low-hanging fruit. Everyone has heard the speech about using strong passwords, but few have seen first-hand how easy passwords can be to crack. A live password-cracking demonstration might be very illuminating and motivating for employees. In my observation, knowledge isn’t the primary driver of strong password use: convenience is. The ability to quickly recall a password typically dictates a user’s desire to make it complex.
If a password has to be frequently remembered or repeatedly typed, it will tend to be simple. But with a password manager, exceptionally strong passwords that don’t even have to be known by their users can be created and used quickly and easily. Recommend (better yet, provide) password management apps and train on their use, and strong password use will likely increase.
- Focus on hiring trustworthy people. The unfortunate “insider threat” catch-all term leads some to erroneously view all employees as likely malicious threats. Some security departments respond with draconian resource lockdown as if the insider threat could be mitigated by a few more locks on the door. In addition to impeding employee work, this approach can also alienate the same employees you are trying to unite under a common security cause. If your employees are truly perceived as threats, then you don’t have a security problem, you have an HR problem. Stop hiring people you can’t trust. You might not have a 100% success rate, but you can probably get pretty close. Rarely do interviewers probe beyond work experience and technical skills into issues of character. Attackers have good technical skills too. If you aren’t weighing the character of the individual you are hiring, then it is possible that you are walking an attacker right through the front door and handing them the keys to the kingdom. In athletics, if a scout cannot find good recruits, the team loses. Security is no different.
- Hire security experts with software development knowledge (preferably experience). Years ago when I began focusing on security, a well-known industry expert told me: “Most of this industry comes from a system administration background, and they are desperately trying to learn how to program. You have a leg up on all of them — you’re there already. It is a lot easier to teach a software developer network security than it is to teach a sysadmin application security.” I have found this to be an ever-increasing understatement. Expert software developers likely already have a base of network knowledge. Also, a network can be perfectly secured and still be wide open for the attack via tunneling through software communication protocols.
Without understanding software development, how the software uses computer memory, and how protocols are constructed, it is weak footing to protect, detect, and respond to attack. So when hiring, be aware that there’s a big gap between knowing how to configure firewall rules and how to read packet captures, detect malicious web traffic, and identify code vulnerabilities. Even with expensive tools which automate some of these tasks, your security expert absolutely needs the skill-set to get their hands dirty and diagnose problems by hand.
Shore up your defenses
Security endeavors can easily die on the vine due to budget constraints. But you’ve already acknowledged that there is a threat too serious to ignore, and a complete commitment was made to a secure direction. It’s time to clean house, without any expenditures on commercial security tools.
- Self-audit and document your firewall configuration. These are your primary outer sentries. They aren’t going to stop all attacks, but they will stop some; and they reduce the number of pathways through which attacks can travel, which aids in intrusion detection. Deny all, allow few. No commercial tools needed.
- Self-audit and document your DNS configuration. These are the information booths which direct visitors to your endpoints. Misconfigured DNS can be a primary source of information leakage, or it can aid attackers in spoofing attempts which promote password theft and unravel defenses. Eliminate invalid entries and unnecessary zone transfers. No commercial tools needed.
- Self-audit server passwords. Employ strong passwords, eliminating redundant credential use across systems, which makes it far easier for an attacker to pivot through your networks should they compromise one system. No commercial tools needed.
- Harden servers and employee desktops. Each flavor of the operating system has its own nuances of security hardening. Establish a hardening strategy for each, and implement. Virus protection can be considered an aid to hardening systems, but keep in mind that virus protection is primarily a countermeasure to user behavior. Deploy virus protection (of which there are a number of free varieties available), but address the primary issue first: user behavior. No commercial tools needed.
- Scan for and remediate vulnerabilities. Public vulnerability databases catalog reported software design and configuration flaws. These are the common openings which attackers search for and seek to exploit, and they need to be closed. Systems and web-apps need to be scanned for vulnerabilities. There are a number of scanners out there, but OpenVAS (http://openvas.org), Nmap (https://nmap.org), and Metasploit Framework (https://github.com/rapid7/metasploit-framework) are excellent free tools that will get you started. Remediate vulnerabilities reported. Update vulnerability definitions in your tools and scan regularly (at least weekly).
Once scans report no vulnerabilities, your systems will no longer expose the most common weaknesses that attackers are seeking to exploit. No commercial tools needed.
With tightened defenses, your organization is already more secure, a milestone from which defenses can be improved upon over time.
Go on offense
Defenses are now in place, so go on offense. Viewing your security perimeter through the lenses of an attacker will give you a more critical eye to spotting potential weaknesses. Offensive measures include:
- Learn how attackers are currently exploiting systems. Attacker methods and targeted assets seem to follow trends, probably because as certain vulnerabilities are exploited to significant impact, other attackers jump on the bandwagon and attempt the same. Monitor daily security news, and follow the trends of attack methods and private assets being targeted. Reassess those areas of your organization’s defenses.
- Study how attackers think. Attackers don’t view your systems the way your organization does, down departmental lines and areas of responsibility. They view your systems as a means to an end: pathways to the assets they are seeking, regardless of your org-chart. Study security researchers’ articles and blog posts, bug bounty reports, and HOW-TOs for hacking, and you can learn a lot about how attackers think. This is like getting a copy of their playbook and gives you a defensive advantage.
- Be better offensively than your attackers. An organization with more offensive skill than the real attacking threat should be able to outwit their opponents. Such an organization can run continual realistic attack simulations to improve defenses and hone intruder detection capability.
Invest in offensive capability. Being smarter than your opponent yields a major advantage in the struggle to secure an organization. If you can secure against your own offensive capability, your organization will fare well against external attackers.
Regardless of available resources, no organization on the planet is immune from the changing security landscape; all must adapt. Every day, new software ships, new vulnerabilities are found, and new attack vectors are discovered.
An organization should aim to become more secure every day, which is an attainable target regardless of budget or manpower. Even if just getting started, your organization can be more secure by the day’s end, and the cycle repeated tomorrow.
About the Author
Brad O’Hearne is a 25-year career software architect/developer, application security expert, and independent security researcher. He resides in Gilbert, AZ and enjoys cycling, soccer, reading, and spending time with his family. He is available for consultation and can be contacted at email@example.com.