14 June 2017
On Friday 12 May 2017, a massive ransomware attack started to hit hundreds of organisations around the world.
At the time of writing this article just days later, the infosec community was still sifting through the evidence following the onslaught, and it was still not known whether the Wannacry virus (also known as WCry, WanaCryptor, WannaCrypt or Wana Decryptor) was state-sponsored, orchestrated by a hacker group, or the work of a lone teenager sitting in a suburban bedroom somewhere.
So should network and data security breaches now be accepted as an everyday part of digital life where enterprises can do little to protect themselves?
“If you rewind a couple of years in IT, there was a mindset of working frantically to put procedures and solutions in place to prevent cyber security breaches,” says Ajay Uggirala, director at Imperva. “Now, there is a trend building toward a tendency for people to accept that they’re going to be breached with the focus shifting to how they minimise the impact of a breach. This is not the answer.”
Steve Armstrong, CyberCPR Architect and principal consultant at Logically Secure, agrees: “The media are regularly reporting how large companies such as TalkTalk and Yahoo, for example, were breached by hackers. The message that many people take from this is that attackers can easily beat big companies who have invested in security.
“Conversely, look at how Hollywood portrays hackers and security experts as being able to defeat firewalls and anti-virus software in seconds. The takeaway here is that these protections are easy to defeat and that attackers can always better your security.
“So then we wonder why users are apathetic towards security. We tell users to have long complex passwords and to change them regularly. But deep down they think ‘why bother? Who will this stop? What have I got to lose that hasn’t been lost already?’ (As a side note, both NIST and NCSC now actually recommend users DON’T time expire passwords).”
In Armstrong’s view, users generally accept breaches do and will happen, either because they think an attacker is better than the company’s security or because they have heard of some new exploit that no one knew about until today. “In fact, in explaining how they got breached, many a CEO will use the phrase ‘advanced attacker’ or ‘APT’ – it’s their way of saying we couldn’t stop it and customers accept this, even though it’s usually a lie.”
While few would argue that we will ever be completely secure from breaches (at least for the foreseeable future), it would be wrong to assume that there’s nothing worthwhile organisations can do to maximise their defences.
For instance, Brian Chappell, senior director, enterprise and solutions architecture at BeyondTrust, believes accepting the inevitability of a breach is actually the first step toward limiting its scope. He says breaches should always be a fundamental consideration when building and expanding security solutions but adds that protection is only part of the solution.
“We need to ensure that the impact of a breach (via a previously unknown vector) is also limited within the solution and that we have the ability to detect when this has happened. This is a natural outcome from good security practice but it still needs to be a focus to ensure we can be confident it’s covered.”
Encode Group MD Graham Mann supports this view. He says organisations and individuals have to recognise breaches as a part of normal life and become more informed. “Organisations can’t simply continue to harvest data without understanding what’s really needed, how long they need to keep it, how secure should it be, who should have access. Data has to be treated like any other physical asset and boards need to recognise this and take the lead. You wouldn’t leave your office, plant or factory open to intruders so why leave your data exposed?”
Why indeed. But with the cyber criminals seeming to grow ever more sophisticated, are enterprise IT security platforms only ever going to be ‘best effort’ solutions?
Ian Parker, professional services consultant for Axians UK, is very decisive here. “It is a very simple answer: no. If the IT department or third party is implementing the device/platforms/service/solution, and they understand what the vulnerabilities could be, then there is no excuse if the systems are compromised.
“This is an arms race and has been ever since the internet was born. It is nothing new. And when cyber criminals have worked out a way to exploit a vulnerability, a manufacturer fixes that vulnerability. So begins the cycle and it will continue until we are long gone.”
Once again, this seems to imply a certain degree of futility. In some way, it seems rather like the little Dutch boy in the children’s story who uses his finger to plug a hole in the dyke only for another leak to spring elsewhere. After all, and as McAfee’s director of government relations Gordon Morrison points out, organisations have added layer after layer of defence to stay ahead of the latest attacks and should therefore be better protected now than ever before.
Or at least that’s the theory. Instead, security teams are drowning in tools and interfaces. Citing Forrester’s Mastering the Endpoint report published earlier this year, Morrison says organisations now monitor, on average, 10 different security agents and switch between at least five different interfaces to investigate and remediate incidents.
Stephen Coty, chief cyber security evangelist at Alert Logic, adds to this by saying that most technologies that are used as part of a corporate security strategy are capable of catching even the most sophisticated hacker.
But the problem is not with the technology – it’s with the implementation. As a result, he says making sure that you’re using the right tool for the right job and that the technologies are deployed in the most efficient way in the organisation’s architecture are all crucial.
“To make the technology you have as effective as possible, you have to ensure that the security content and correlation logic are constantly being updated to match the ever evolving threat landscape. Also, you need to make sure that the security content is on the technologies that you actually utilise, and that it does not have unnecessary signatures or rules using up resources that can be allocated to more efficiently protect your environment.”
Imperva’s Uggirala also points out that while cyber attacks are becoming more sophisticated, so too are the solutions to protect against them. For example, he says more machine learning technology is being incorporated into cyber security, and this will help IT teams with manual tasks such as sifting through alerts, deploying patches and permissions management.
But ultimately, there’s no such thing as 100 per cent security, and for Mann it’s always been about ‘best efforts’. Having said that, he believes that all too often organisations aren’t deploying best efforts. Far from it.
“There are loads of new solutions flooding onto the market from innovative startups. The issue is few people know about them and even fewer are willing to purchase them. If we are to have any chance of defending ourselves against cyber attacks, we have to implement innovative solutions from wherever we can. Using a single supplier for security is no longer the answer. The cyber security tendering system is broken and needs to be replaced urgently.”
Chappell agrees that we are not doing the basics well. He says almost every successful hack starts with a vulnerability and then moves on to exploiting excessive privileges. More worryingly, he says the Verizon Data Breach Investigations Report regularly shows that “ancient” (in IT terms) vulnerabilities still exist and are still being used.
“BeyondTrust investigations have shown that only a small percentage of discovered vulnerabilities are ever used in attacks (less than five per cent on average). That’s almost certainly due to the widespread use of attack toolkits which have a defined collection of exploits, and it’s unlikely to change significantly in the increasingly commoditised world of cyber crime.”
The human factor
Despite what seems to be a never-ending tale of doom and gloom, businesses are not helpless in the face of such threats.
Axians’ recommendation is to look at the existing network, ensure that the design is future focused, and consider the type of services customers will be demanding over the next 3-5 years.
“It’s essential to factor security in from the very beginning and not just throw money at firewalls,” says Parker. “Security can be seen as an onion; it requires many layers to be secure, not just a perimeter firewall. More visibility is needed from a security perspective as the world is now run by applications rather than online services. So application visibility with UTM functionality is almost a basic requirement.”
David Emm, principal security researcher at Kaspersky Lab, advises enterprises to establish a baseline of “normal behaviour” in regards to network traffic, access and operations: “Knowing what’s normal will give visibility to irregular behaviour or anomalies. A business must look for patterns or trends in unusual behaviour, and security teams must be constantly prepared for the unknown. No one thing is going to protect your organisation – the key to success in identifying breaches is not so much the tools used but the processes and policies which are in place.”
In addition, Emm speaks for many when he says that to avoid attacks and mitigate any that breach the outer defences, companies should follow strict security policies.
These include internet protection, applying security updates as soon as they become available, restrictions to prevent users running unknown applications and, perhaps most importantly, employee education. “After all, if staff are aware of the dangers, they can work individually and together to protect data and may have a better chance of detecting any abnormal activity on the corporate network as it happens,” he says.
When it comes to network and data security, the human factor comes up time and again.
For instance, Chappell says that once the IT team has first tackled the vulnerabilities with known exploits and established control of privileged accounts, all other employees should be made standard users with a single account giving them appropriate access.
“The tools are there to do this and it’s not difficult,” he says. “As our studies have shown, over 80 per cent of the known vulnerabilities in Windows 7 are effectively mitigated by removing admin privileges from users. It’s basic activities like these that will help make cyber crime less lucrative as access to rich data will be ever harder to gain.”
What becomes clear at this stage is that building an environment that safeguards an organisation’s digital assets in an appropriate manner isn’t just about network security. As Encode’s Mann says, that’s only part of the solution. “Boards have to become savvier and to a certain extent ditch the risk appetite. Organisations have to think smart and develop a strategy that extends into every aspect of their operation. Yes, that includes IT, but it also includes physical security, business unit managers, HR, legal, marketing, operations, sales, etc. All have a part to play.”
All that becomes even more significant when you consider Parker’s view that the most successful cyber attacks are directed at staff in non-technical departments (i.e. finance, HR, sales, etc.) by relying on their lack of IT knowledge and understanding of the potential dangers around clicking on an attachment in an email, for example.
“Very few intelligent attackers take on the IT professionals in an organisation by trying to compromise the network at the front door of their network,” he says. “The IT professionals do this day in day out, and are often more knowledgeable than the attackers, so they would have protected the internal network from traffic sourced from the outside world. But then the cyber criminals can very easily piggyback on traffic that can simply pass through their security barriers and attack from the inside where it is a trusted environment.”
With most attacks entering the network via the back door opened by an unsuspecting and naïve employee, Parker says the end users are the ones who need to be trained and made aware of what is a legitimate email and what should be reported to IT. He believes this would reduce exploitations considerably.
Thus, the human is still the most vulnerable part of a security strategy and, according to ANSecurity, the weakest link in any IT network is its users. “User error is often where the mistake has been made,” says the company’s technical director David Peters. “That’s why solutions such as endpoint and email security are good systems to have in place to try and minimise the opportunity for users to open that malicious attachment or click on that malicious link from phishing emails that are becoming more sophisticated.”
While all that sounds simple enough, educating staff will remain difficult until cyber security is seen as an important part of the business fabric. Until then, Chappell says organisations will just regard security as “noise” and largely ignore it unless it’s impacting their ability to do their jobs.
Gareth Niblett, chairman of the BCS Information Security Specialist Group, agrees. He says employers and organisations in general are not doing enough to educate their staff as cyber is still thought of as an IT or security issue. “It’s not easy, but a lot of things can be addressed through culture and support from the top of the business. Get the basics right and you will stop most attacks. Going beyond the basics should then be prioritised based on risk rather than latest cool security technology.
“A security lifecycle that covers in-depth defence, detection, response and recovery, combined with a strong focus on policy, people, and technology are the best ways to defend an organisation. Tools should follow, not lead.”
Know your onions
So assuming the different parts of an organisation that have been traditionally siloed are all working more closely together, and cyber security is placed front and centre as a core business function, what next?
For Niblett, it’s about understanding what assets you have that need to be protected – and this includes people, processes and services, not just boxes and wires. “Without knowing what you’re protecting it will be impossible to determine the best way how. This should include (as far as possible) known unknowns, such as shadow IT, cloud/SaaS, BYOD, which may introduce additional exposures.”
Many infosec specialists believe effective cyber security is about creating simple layers which result in a whole that is greater than the sum of its parts. Each layer should be easy to design, easy to manage and easy to monitor. And just like physical security, this layered approach also gives more opportunity for detection of abnormal activity.
Chappell says the first key solutions using such an approach would be effective vulnerability management systems (VMS) and privileged password management (PPM).
“The VMS should help target the vulnerabilities with known exploits first and foremost, those are the low hanging fruit and the most likely points of entry into your systems. Regular scanning and remediation are essential along with effective reporting that demonstrates progress, otherwise you find yourself in the ‘nothing happened’ scenario where it’s hard to show where the cyber security budget is delivering benefit.”
He continues by saying PPM enables control of shared privileged accounts and actively manages their passwords, eliminating the need for users to know the password. This also means the passwords can be of maximum length and maximum complexity, preventing brute-force and rainbow-table attacks. Furthermore, PPM ensures that any cached password hashes are out of date almost as soon as they are created.
“Starting with these two layers will lay a solid cyber security foundation on which to build the next layers, like ‘Super User Privilege Management’ (also known as ‘Least Privilege’) so we can eliminate direct privileged account use completely. Effective reporting capabilities at each layer are essential, as is an overarching SIEM to bring the picture together with inter-related events producing clearer signals for actionable alerts.”
Kaspersky’s Emm is likely to agree here. He points out that it would be unwise for any organisation to assume that perimeter defence alone is sufficient to block attacks.
“What’s required is a defence in-depth approach that includes protection at all layers. It should also include effective network management (not routinely giving employees admin rights to their computers, segmenting the network to limit the impact of a breach, etc.) as well as anti-malware and other technologies. Security is no longer about protecting corporate endpoints, networks and traffic with a robust solution – it’s about a deep, multi-layered, tailored and continuous approach.”
The end game
As businesses change their IT infrastructure, the security requirements to secure that infrastructure also change. And as Imperva’s Uggirala highlights, enterprises with a good security strategy will make cyber criminals’ lives harder and make them look somewhere else to achieve their agenda.
But industry experts such as Axians warn that the biggest vulnerability to cybercrime is not applications, software or the devices we use to access the information super highway, it is the people using them.
Furthermore, as Thomas Seidling at Cybersmart points out, while progress and open sourcing of advanced tools mean attacks will become increasingly advanced, most of today’s breaches are actually not that sophisticated because they don’t need to be.
“In the majority of cases, attacks are successful because of systems not being patched (such as the recent NHS Wannacry attacks, for example), or people not having received relevant training. If all companies today implement basic cyber security, such as the government’s Cyber Essentials scheme, over 80 per cent of cyber attacks would be stopped overnight.”