By David Pearson
Security is an extraordinarily broad and deep field with FUD—fear, uncertainty, and doubt—around every corner. Having been in the field for years, it never ceases to amaze me that it is always the simple stuff that causes big problems. While the proverbial APT and zero day are certainly important, attackers always look for the simplest and most effective way in. Why spend hundreds of thousands of dollars on a zero day when you can get a legitimate user to “give you” their access. With that in mind, there are four principles I’d like to address that are mainstays in the defense of a network (no matter how big or small).
People are fallible
If I were asked to infiltrate a network and get to some meaningful asset, I’d immediately put all of my focus on finding the key users. People are the most difficult part of the equation, as even regular security awareness training often has its blind spots. Think about it—how easy is it to make somebody’s emotions take over in today’s world? In the age of the Internet and social media, finding professional, personal, or political information that can lead to an emotional response is painfully easy. Evoking such feelings leads to behaviors that are often times irrational, and can easily be turned into something that can be exploited digitally. Moreover, as the age of blended personal/professional communications platforms become prevalent, how well does (for example) your phishing security awareness training translate to new mediums?
Worse, we’re still too often relying on antiquated techniques to keep ourselves safe. Passwords (that are often reused and simple to crack or guess) as a one-factor solution still persist virtually everywhere. All too often we still find everyone operating with elevated privileges and access to data they don’t really need to access – just because “we don’t fix what ain’t broken.” Moving to more secure techniques (be it two-factor authentication, password vaults, or other paradigms) is slowly happening, but many of these solutions are extremely intimidating to use for all but the most tech-savvy users. And taking administrative privileges often becomes a political knife fight.
If something is misconfigured, somebody will find it
In the age of automation, of course the adversaries are also taking advantage. When the target isn’t as important on the outset, why not scan everything and discover what’s available? There are numerous public and paid services that allow users to explore the greater Internet pretty much anonymously, looking for misconfigurations that exist on anything from IoT toasters to government cloud instances. It’s no longer a question of if somebody will discover your mistake, but rather when (and more importantly, how long after it’s been exposed). We’ve seen this story play over and over again in the breaches of 2017, and it seems as though a lot of it has to do with users not understanding the importance of authentication, authorization, restricting visibility, nor how network segmentation works.
It’s worth mentioning that misconfigurations are not just missing patches and default settings but network paths that don’t need to exist. For instance, do you really need a network route from your office network to your production databases?
Flaws go unfixed
I can’t tell you how many times I’ve seen a frustrated researcher publicly disclose some true vulnerability after hearing back from the vendor that it’s not a security issue (not to mention the numerous additional times where no vendor response occurs). When these things affect mission-critical pieces of software and/or millions of users, it’s clear to me that the incentives are in no way aligned to support any semblance of a secure platform.
Additionally, when the corporation in charge of updates is not the owner of the piece of code exhibiting a vulnerability, all bets are off. This is perhaps most visible in the mobile device space—how long does it take your cellphone provider to push an update to users after Google fixes an Android security flaw in their OS? Moreover, users aren’t accustomed to installing updates weekly (or even monthly) on their phones—how can we incentivize them to do so?
And while zero-days are still (probably) relegated to a somewhat smaller set of more advanced threat actors, how many times in the past several years have we seen critical vulnerabilities (and many times the exploits) appear somewhere on the Internet? It’s relatively easy for an unsophisticated—but competent—adversary to make the appropriate modifications and be on their merry way. Moreover, when these types of disclosures occur, how long does it take the vendor to create a patch, and how long will it take the companies using the vendor technologies to patch?
The security workforce and skill shortage is a real problem
Perhaps your organization is more invested than many and you actually have a SOC. In that SOC, how do your employees keep up with the barrage of alerts that come in from a multiplicity of sources? It’s quite often that the flow is simply too great, and incidents are missed. Even in scenarios where an event is investigated, how many internal and external tools, scripts, and conversations are needed to get the relevant context? Is the time that would be spent simply unrealistic without knowing whether or not a real incident has occurred? Are the incentives stacked against analysts making decisions that would affect an end user?
Beyond the barrage of alerts and a possible misalignment of incentives, performing this kind of work (especially moving farther up the experience scale) requires someone who is ready to constantly learn about ever-evolving threats, simply updating their view of reality almost daily. Finding and retaining these individuals is key.
In the end, ensuring that the basics are handled is likely the most important aspect of keeping your network secure. However, it’s important to also understand that the basics are not static—mediums change and paradigms shift over time. Focus on the people; employees need to understand their role in securing the environment and how the decisions they make can have large ramifications. You need to know what you are protecting and ensure you have the right controls in place to protect that – said differently if you are trying to protect everything all the time, you end up protecting nothing. Doing this ensures even if mistakes happen, there are mitigating controls in place to minimize impact. And finally, ensure the security teams have the visibility and the tools to execute investigations and response quickly and efficiently.