Cyber Security Basics: Protect your organization by applying the fundamentals (2016)
Section Four: Conclusion
“When good people in any country cease their vigilance and struggle, then evil men prevail.”
Pearl S. Buck
Though it might seem complicated at times, a solid InfoSec foundation can actually be built by implementing well-known security best practices. These can be broken down into individual controls and processes which are implemented in a phased approach. As they are used, the three tenets of information security will be served: protect, detect and respond. If best practices are focused on and implemented effectively, an organization’s exposure to attack can be significantly reduced.
At an Enterprise Security webcast in November 2015, Microsoft CEO Satya Nadella summed up the challenge well: “The core hygiene, which we sometimes take for granted, is so important. Because once you start with the operational security posture, you recognize that more often than not, most of the issues have to deal with the lack of patching and the lack of strong credentials. And it’s so important for us to not only improve the technology but the security posture you have around the basics.”
Good information security is about the basics. Establish a sound foundation for each of the following pillars of information security, then continue to improve on them.
Defenses should be applied at both the endpoints and the network to protect against attacks. Adversaries look for the path of least resistance, and for most targets there are plenty of gaping holes and unpatched systems to exploit. If well-known best practices are applied and a defense in depth approach is followed, an entity will be protected against the majority of attacks. Part of a successful protection strategy is to make attacking the organization more work than what the adversary can gain. If you and someone else are being chased by a bear, you don’t need to outrun the bear; you only have to outrun the other person. In this analogy, the “other person” is every other organization, and we should have an idea of what the bear symbolizes.
The scary truth is that there is probably malicious activity going on right now on your network; you just haven’t found it yet. This is what happened in the infamous attack on Target Stores that cost over $35 million in damages and a few people’s jobs. In this case, Target had deployed cutting-edge security solutions, but the alerts those devices generated were never looked at.
Implementing detective controls involves more than installing sensors that generate alerts. Sensors need to be integrated with existing processes and solutions, such as a centralized SIEM and a ticketing solution, to receive and process these alerts. An established process for responding to issues, and for ensuring that the sensors themselves are working, is part of a well-rounded implementation of information security monitoring. As a result, if malicious activity is found, alerts will be generated, and those alerts will be received and promptly responded to by members of the security team.
When an alert is generated, the receiving party (e.g. the IT security team or the Security Operations Center (SOC)) needs to know how to handle the alert. Sensors can generate an almost infinite number of alerts. Most will be ignored because they are triggered by the background noise of the Internet (e.g. routine low-level scans). Only a handful of these alerts will be actionable security events that require a response.
The appropriate response to events should be determined ahead of time and documented in a way that is accessible to all responders. The playbook used should be reviewed periodically to ensure that it continues to provide accurate and relevant information. Reviewing notes taken during the response process is a great way to confirm that a playbook is still effective.
On rare occasions, a security event will be escalated to a security incident. For this to happen, certain criteria need to be met, and possibly a second opinion or formal approval should first be obtained. Declaring an incident is not a trivial move, as a formal incident response plan is then followed. Incident response can involve the entire team, as there are several different roles to be served during the response. It should always be considered, however, that a security incident (such as a DDoS attack) may actually be a distraction from a more significant attack that is also taking place against your organization.
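The alert-to-event-to-incident flow of the last three paragraphs, as an added example rather than code from the original document: background-noise alerts are dropped at triage, a heartbeat check confirms the sensors themselves are still reporting, and an incident is declared only when a documented criterion (here, a host flagged at high severity by two independent sensors, the “second opinion”) is met. The alert fields, sensor names, severity scale, thresholds and sample data are all assumptions constructed for the illustration.

```python
"""Added illustration of alert triage and incident escalation.
Alert schema, sensor names, severity scale and thresholds are assumptions."""
from collections import defaultdict

NOISE_TYPES = {"port_scan"}   # routine Internet background noise, not actionable
HIGH_SEVERITY = 4             # assumed 1..5 scale
HEARTBEAT_MAX_AGE = 300       # seconds a sensor may stay silent before it is suspect

# Constructed sample data: last heartbeat per sensor and the raw alerts (times in seconds).
HEARTBEATS = {"ids-edge": 990, "edr-ws12": 995, "proxy": 600}
ALERTS = [
    {"sensor": "ids-edge", "type": "port_scan", "host": "203.0.113.9", "severity": 1},
    {"sensor": "ids-edge", "type": "port_scan", "host": "198.51.100.4", "severity": 1},
    {"sensor": "edr-ws12", "type": "malware_callback", "host": "10.0.5.12", "severity": 4},
    {"sensor": "proxy", "type": "c2_beacon", "host": "10.0.5.12", "severity": 4},
    {"sensor": "ids-edge", "type": "port_scan", "host": "203.0.113.9", "severity": 1},
    {"sensor": "edr-ws12", "type": "suspicious_script", "host": "10.0.7.3", "severity": 3},
]


def stale_sensors(heartbeats, now, max_age=HEARTBEAT_MAX_AGE):
    """Sensors that have gone silent: a quiet sensor is not proof of a clean network."""
    return sorted(s for s, last in heartbeats.items() if now - last > max_age)


def triage(alerts):
    """Drop known noise so only actionable security events reach a responder."""
    return [a for a in alerts if a["type"] not in NOISE_TYPES]


def escalate(events):
    """Documented incident criterion: a host must be flagged at HIGH_SEVERITY
    by at least two independent sensors before an incident is declared."""
    sensors_by_host = defaultdict(set)
    for e in events:
        if e["severity"] >= HIGH_SEVERITY:
            sensors_by_host[e["host"]].add(e["sensor"])
    return sorted(h for h, sensors in sensors_by_host.items() if len(sensors) >= 2)


def run(alerts=ALERTS, heartbeats=HEARTBEATS, now=1000):
    """One pass of the pipeline; returns a summary a SOC dashboard could show."""
    events = triage(alerts)
    return {"events": len(events), "incidents": escalate(events),
            "stale_sensors": stale_sensors(heartbeats, now)}


if __name__ == "__main__":
    print(run())
```

Note that the stale "proxy" sensor is reported alongside the incident: the third port scan from the same source is still discarded as noise, while the silent sensor is itself treated as something to investigate.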
1. “Fidenae.” Wikipedia. 15 April 2015. <https://en.wikipedia.org/wiki/Fidenae#Stadium_disaster>
2. Gegick, Michael and Barnum, Sean. “Economy of Mechanism.” US Department of Homeland Security. 13 September 2005. <https://buildsecurityin.us-cert.gov/articles/knowledge/principles/economy-of-mechanism>
3. Arsenault, Bret. “Enterprise security for our mobile-first, cloud-first world.” Microsoft. 17 November 2015. <http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/>
4. Clapper, James. “Statement for the Record - Worldwide Cyber Threats - House Permanent Select Committee on Intelligence.” 10 September 2015. <https://fas.org/irp/congress/2015_hr/091015clapper.pdf>
5. Fox-Brewster, Thomas. “Netflix Is Dumping Anti-Virus, Presages Death Of An Industry.” Forbes.com. 26 August 2015. <http://www.forbes.com/sites/thomasbrewster/2015/08/26/netflix-and-death-of-anti-virus/>
6. “Morris worm.” Wikipedia. 10 October 2015. <https://en.wikipedia.org/wiki/Morris_worm>
7. Goodin, Dan. “Police body cams found pre-installed with notorious Conficker worm.” ArsTechnica.com. 16 November 2015. <http://arstechnica.com/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/>
8. Harrison, Virginia. “Nearly 1 million new malware threats released every day.” CNNMoney.com. 14 April 2015. <http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/>
9. Keizer, Gregg. “Microsoft urges customers to uninstall 'Blue Screen of Death' update.” ComputerWorld. 17 August 2014. <http://www.computerworld.com/article/2491256/malware-vulnerabilities/microsoft-urges-customers-to-uninstall-blue-screen-of-death-update.html>
10. Cox, Joseph. “Encryption and Other Tricks Are Making Malvertising Harder to Hunt.” Motherboard. 09 December 2015. <http://motherboard.vice.com/read/encryption-and-other-tricks-are-making-malvertising-harder-to-hunt>
11. Mimoso, Michael. “Microsoft Revokes Trust for Certificates Leaked by D-Link.” ThreatPost.com. 24 September 2015. <https://threatpost.com/microsoft-revokes-trust-for-certificates-leaked-by-d-link/114804/>
12. Stephenson, Peter. “An unusual and innovative approach to Java security.” SC Magazine. 02 March 2015. <http://www.scmagazine.com/an-unusual-and-innovative-approach-to-java-security/article/398234/>
13. “Securing the Human (STH).” SANS. 29 December 2015. <https://securingthehuman.sans.org/>
14. “What’s an Advanced Persistent Threat (APT)? A Brief Definition.” Damballa. 27 November 2015. <https://www.damballa.com/paper/advanced-persistent-threats-a-brief-description/>
15. Schwartz, Matthew J. “Target Ignored Data Breach Alarms.” Dark Reading. 14 March 2014. <http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712>
16. Paul, Kari. “I Bought Adorable Cookies on the Deep Web.” Motherboard. December 2015. <http://motherboard.vice.com/read/i-bought-adorable-cookies-on-the-deep-web>
17. Shamah, David. “How honeypot tech tricks hackers into chasing their own tails.” ZDNet. 19 November 2015. <http://www.zdnet.com/article/how-super-honeypot-tech-suckers-hackers-into-chasing-their-own-tails/>
18. Iglauer, Philip. “South Korea suffers 110,000 cyberattacks in five years.” ZDNet. 15 September 2015. <http://www.zdnet.com/article/south-korea-suffers-110000-cyberattacks-in-five-years/>
19. Nadella, Satya. “Enterprise Security Webcast.” Microsoft.com. November 2015. <http://news.microsoft.com/security2015/>