The State of Information Security by Billy Stanley

Cyberwar&Cybercrime

While information security is much better today than it has ever been, it is far from being in a position to adequately deal with modern-day threats. In order to close the gap, we must dive deeper into the problem and develop a strategy for success that organizations can actually embrace. Only when we understand who our adversaries are, what motivates them and what tactics they use will we be in a position to address the problem. Let’s have a closer look.

The Adversary

Enemies in this type of fight are some of the toughest to identify and virtually impossible to stop. Some are too young to drive a vehicle, while others are your quiet next-door neighbor, a college student half-way around the world, an eco-terrorist upset with your company’s policies or a religious extremist determined to be heard. While the motivation varies, the common themes tend to revolve around the following:

Personal / Pride – Though an older motivation for launching an attack, this still happens to a lesser degree within the hacking communities.

Geo-Political – A considerable force that is gaining more and more momentum. One of the more recent attacks to be publicized was the state-sponsored Stuxnet worm which targeted centrifuge equipment at Iran’s nuclear facilities.

Terrorism – Over the years, hacking has been observed both to advance terrorist agendas and to launch full-fledged attacks.

Financial – This is the largest motivating factor behind hacking activities today. The black market for unethical and/or illegal services is very lucrative for those who have a marketable skill.

Attack Vectors

Common attack vectors have certainly changed with time, indicating that we are dealing with a versatile enemy. As we have learned their techniques and deployed our defenses, they have been able to adapt their offensive strategy in relatively short order. A few examples are as follows:

Network-based and noisy – Think back to the slew of Microsoft RPC and SMB-related vulnerabilities, which ultimately resulted in self-propagating malware.

Web-based/Drive-by – This vector is one of the most popular in use today and one of the toughest to defend against. Attackers have learned how to bypass vendor validation processes when embedding their malicious code in banner ads for unsuspecting visitors to render.

Email/Phishing – Social attacks are also very popular and tough to defend against. Some phishing attacks are generic and less personalized, while others are relevant to events going on in the victim’s life, and appear to be from a personal friend or co-worker. The latter are typically extremely effective.

Email/Attachment – Refers to miscellaneous infected attachments that happen to make it through the email infrastructure.

Portable Media – One of the most common forms of infection is removable media. People are quick to share flash drives, not realizing that they could be laden with infections.

Device X – The ability to bring your own device to work is causing additional challenges in terms of unmanaged devices and information protection. While it’s fairly easy to ban the BYOD philosophy, does this send the right message?

The Problem

Virtually all protection capability available to the industry today is signature-based, meaning that it is reactive by definition. This works fine when the threat is largely predictable and less fluid. The rate of malware production and change today is exponentially larger than it was 10 years ago, yet we have not seen a similar advancement in detection and prevention capability.

Malware authors have figured out how to evade AV by continually tweaking their binaries. They can circumvent content filtering systems by hacking legitimate sites (banner ads, etc.) that users are allowed to access. They flow right by IDPS and Malware Detection Systems through the same type of techniques. Firewalls offer good protection for inbound connection attempts, though the threat vector now consists of an attacker riding back in on legitimate outbound connections.

The tools we have had available to fight this fight are inadequate. We know that signature-based technologies such as anti-virus are, at best, 80% effective after 30 days of malware exposure. We also know that behavioral-based systems have historically had their own issues with regard to false positives. SIEMs took a stab at attacking the problem with event correlation, though they have never achieved their desired results. Their implementations are burdened by a back-end relational database that makes advanced correlations and historical queries a nightmare.

In addition to inadequate tools, we have also faced the challenge of a coordinated adversary. We’ve seen countless examples of malicious code being shared and/or re-purposed for a different function or group. We also know that they have joined efforts for common goals and that these groups openly communicate via virtual hacking communities, providing a well-established intelligence and support network.

The Solution

As you would expect, there is no single strategy or product that resolves this problem completely. There is, however, a combination of measures that can.

Political Adjustment – This is likely to be the toughest item on the list, though it’s the most important. Set the expectation that this is the new norm. There are companies that have been compromised and know it, and there are those that have been compromised and do not. Challenge audits that come back ‘all clear’ and force your teams to dig deeper until they find the results you expect.

Adopt aggressive policies in your environment. From a client perspective, the four most impactful changes you could make are:

  • Do not allow clients to have admin or power user access to their machines
  • Automatically update the operating system and any third-party products such as Adobe products, Java, etc.
  • Enforce policies that prevent users from using external media
  • With regard to the BYOD philosophy in the workplace, strike a palatable balance that allows you to maintain a sound security posture. For example, allow the top ‘n’ number of device types to be brought in and connected to the infrastructure, provided the employee agrees to corporate terms and conditions and allows administrators to deploy administrative policies to the device in order to ensure a minimum level of information and infrastructure protection.

From an infrastructure perspective:

  • Segment and firewall your internal infrastructure, just as though it were directly connected to the Internet without a perimeter firewall
  • Deploy a NAC/NAP product to effectively control who is connecting to your infrastructure
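As an added illustration of how the client and host-level items above can be verified rather than merely mandated, the following PowerShell audit script is not code from the original article or from any vendor it mentions. It assumes a domain-joined Windows 10/11 client with Windows PowerShell 5.1 or later, run from an elevated prompt. The Windows Update and removable-storage checks use the standard Group Policy registry locations; the allowed-administrator list and the EXAMPLE domain are placeholders to replace with your own. The third-party update and BYOD items are not covered, since how you check them depends on the vendor update mechanism and the device-management product in use.

```powershell
# Added example (not part of the original article): read-only compliance audit
# of a Windows client against the client and host-level policy items above.
# Assumptions: Windows 10/11, Windows PowerShell 5.1+, elevated prompt.

# Accounts and groups permitted to hold local admin rights. Placeholder values;
# replace the EXAMPLE domain groups with the ones your organization uses.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin, assumed acceptable
    'EXAMPLE\Domain Admins',             # placeholder
    'EXAMPLE\Workstation Admins'         # placeholder
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Status = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    })
}

# Reads a Group Policy-backed registry value; $null means the policy is not set.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. No unexpected local Administrators, and nobody at all in Power Users
#    (policy: no admin or power user access on client machines).
foreach ($group in 'Administrators', 'Power Users') {
    $allowed = if ($group -eq 'Administrators') { $AllowedAdmins } else { @() }
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    $unexpected = @($members | Where-Object { $allowed -notcontains $_ })
    $detail = if ($unexpected.Count) { $unexpected -join ', ' } else { 'none' }
    Add-Finding "Local group '$group'" ($unexpected.Count -eq 0) "Unexpected members: $detail"
}

# 2. Automatic updates enforced by policy (policy: update the OS automatically).
#    An absent policy fails the check, since the user could then turn updates off.
$au      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto  = Get-PolicyValue $au 'NoAutoUpdate'
$options = Get-PolicyValue $au 'AUOptions'    # 4 = auto download and schedule the install
$pass    = ($noAuto -eq 0) -and ($options -eq 4)
Add-Finding 'Windows Update policy' $pass "NoAutoUpdate=$noAuto AUOptions=$options (want 0 / 4)"

# 3. Removable storage denied by policy (policy: prevent use of external media).
$deny = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
Add-Finding 'Removable storage policy' ($deny -eq 1) "Deny_All=$deny (want 1)"

# 4. Host firewall enabled on every profile with inbound blocked by default, the
#    host-level counterpart of treating the internal network as Internet-facing.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $pass = ($fwProfile.Enabled -eq 'True') -and ($fwProfile.DefaultInboundAction -eq 'Block')
    Add-Finding "Firewall profile '$($fwProfile.Name)'" $pass `
        "Enabled=$($fwProfile.Enabled) DefaultInbound=$($fwProfile.DefaultInboundAction)"
}

$findings | Format-Table -AutoSize
$failures = @($findings | Where-Object Status -eq 'FAIL').Count
exit $failures   # non-zero exit code lets a deployment or monitoring tool flag the host
```

Running this across the fleet from a management tool and collecting the exit code gives a simple, repeatable measure of how far the stated policies have actually been applied, which is the kind of evidence to demand when an audit comes back ‘all clear’.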

Existing Tools – Continue to use them, and make sure they are being utilized to their fullest potential.

Investigate Click Security’s ASAP Product – Offering real-time security analytics and defense, this product is designed to bridge the reactive gap previously described. The platform also incorporates crowd-sourced information sharing, providing an unparalleled platform of security intelligence.

This article comes from the new issue of PenTest Regular on Cyberwar&Cybercrime.

June 6, 2012

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013