Let me begin with a story. This is a true story. However, I will be changing the names of the people and the organization(s) affected, because what I am about to say is wildly embarrassing to any company that claims a ‘passable’ Information Security practice.
John works at an e-payment company. He handles customer information, payment queries and settlement information. He uses a company-issued laptop to access an internal portal, where he goes about his work on a daily basis. One day, John receives an email titled something like “Proposed Pay Hike”, with an attachment. He opens the attachment, finds nothing of interest in it, shrugs, and goes about his work. A few months later, his company is the victim of a data breach in which massive sums of money have been transferred to unknown accounts. It turns out that John and several colleagues were the victims of an attack.
The attackers used phishing to deliver emails laced with malware. This malware exploited weaknesses in John’s browser and regularly shipped out pictures and video feeds of John’s activity to systems outside the company. John’s company, along with several others, was a victim of a massive malware-driven cyberattack that has cost companies all over the world billions of dollars.
What you read above is not a new story in the world of Information Security. If you read about the Carbanak attacks and the recent Dyre Wolf attack, you will find that these attacks (human-oriented persistent threats, or HOPTs as I call them) are on the rise. They are everywhere, and they seem to manifest in some of the most secure companies in the world.
Let’s examine the story again, from a slightly different perspective. John is a critical member of the e-payments division. His company has invested millions of dollars in Network Security, Application Security and Data Leakage Prevention. In fact, once when John tried to send some information to a service provider by mistake, the Data Leakage Prevention engine red-flagged it and dropped the message. Pretty secure, eh?
However, John is a finance guy. He is typically not exposed to high-tech, high-security stuff. He gets trained once a year on password security, physical security (mostly about USB sticks and the like) and phishing (the Nigerian scams, tax scams and so on). The training is the same every year. He needs to pass a security quiz, which is pretty much the same every year too. He passes, of course, with flying colours. His HR manager gives him (and most others) a green tick for Security Awareness Training.
John also uses a Windows 7 laptop and is forced to use IE8, because his application does not work on any other browser. John uses Firefox or Chrome on his home PC and hates using IE8, but has no choice. It’s slow and clunky, but it has to suffice if he is to work on his applications.
Now, hopefully you have started to see some red flags in this story. In my opinion, this “secure” e-payments company was asking to get hacked. In all likelihood they “looked” really secure, but had clearly forgotten some weird “small things” that led to their eventual downfall. The unfortunate thing is that even after the breach, this company would probably forget about the small things that actually caused it and focus on central, non-human preventive controls that straitjacket the wrong entities and cause more damage than good. Anyway, here are the 3 weird things that John’s company should be doing to prevent breaches like this from happening more often.
Browsers
When I ask CIOs, CISOs, etc. to explain their browser security strategy, they usually draw a blank. Their expression is one of “Why the fudge should I bother about the browser? That’s what people use to surf websites. I am more worried about the OS. That’s where all the attacks happen.” At that point my eyes cannot help but roll relentlessly, and my incredulity is writ large on my face. Most of the “security conscious companies” that I have spoken with, or sometimes consulted for, use IE7 or IE8, and some even (gasp) IE6. Their only ostensible reason for doing so is that IE can be controlled via Active Directory. Not to pick on IE or anything, but my point here is simple. Your browser is the new OS.
Your employees use web-based (internet, intranet) applications far more than anything else in a modern environment. So it’s only natural that you must take browser security seriously, very seriously. Things like malicious extensions, backdoored JavaScript and browser hooking techniques (a man-in-the-browser that reads and rewrites pages inside the browser, after TLS has been stripped off, so the network layer sees nothing amiss) are now the raison d’être of cybercriminals. All major human-centric attacks target the browser at some level.
In addition, modern browsers come with a host of security features, including phishing protection, cross-site scripting prevention, etc. If I may say so myself, Chrome’s phishing protection is pretty top notch (not a product plug). To add to all this, several browsers can be administered centrally through Active Directory; I certainly know that Chrome and Firefox can. Pinning John to IE8 for the sake of one internal portal forgoes all of that.
Browser security is one of those weird, but highly probable, ways you can get pwned!
Human Security
I rail against the current state of Security Awareness Training every.chance.I.get. It sucks. If it were less important, I wouldn’t have bothered, but it’s exactly the opposite: it’s exceedingly important. Most training I see in companies today follows a standard pattern: 1) set strong passwords, 2) maintain a clear desk and clear screen, 3) report dodgy people or incidents to your management, 4) stay away from phishing emails like those of the Nigerian scamsters or other pretty unsubtle things like internet banner ads (which are so 90s) and, for financial folks, the all-important 5) Anti-Money Laundering.
Companies have equated security awareness training to the school librarian: you only have to see her once a year, during exams. They go out of their way to make it a “checkmark” training that is NOT interesting and NOT important. It’s only important because of their “policy”, and that can be easily remedied by going through some PowerPoints and answering some questions on a quiz. This is depressing, simply because Information Security incidents are happening all over the world at a furious pace. Including them in the training programs and regularly keeping things interesting is the only way you can hope to protect your company against HOPTs and the like. The email that got John was not a Nigerian scam; it was a plausible-looking HR message with an attachment, and nothing in his annual quiz prepared him for that.
So stop treating Security Awareness like the step-sisters treated Cinderella and give it a rejig. You need it. Big time.
Detection
The market is rife with talk of prevention. Everyone from CISOs to product companies is offering a silver bullet that would prevent this or prevent that. One thing is for certain: some of the largest companies have been getting hacked constantly over the last few years, and surely these companies have had some pretty sizeable security budgets. From personal experience, I have seen several companies with massive security budgets focus all their energies on acquiring the latest and greatest in preventive controls. Two-factor this and Data Leakage that…. Guess what? This has failed. An over-emphasis on prevention has reduced the focus on detection and correction. Imagine doing everything to prevent cancer but completely neglecting that weird mole on your arm and never getting it checked out.
While companies have invested in fancy log management systems and correlation engines, their impetus is to constantly reduce the load (events per second) on them, because the preventive technologies should be “doing their job” anyway. If John’s company had invested more time, resources and effort in endpoint and network *detection*, they would have noticed odd image and video streams leaving on egress to systems outside their network: a finance workstation that suddenly pushes megabytes outbound, on a regular schedule, to a handful of external addresses stands out against a baseline of ordinary web browsing. If they had identified normal and abnormal behaviours, they could have profiled, detected and cut off the possibilities for further incursions. An over-emphasis on prevention makes a company fragile to newer and more unconventional attacks. Signature-based prevention systems will turn a blind eye to shellcode that “looks different” from the typical stuff they see. Attacks like Carbanak and Dyre Wolf are anything but conventional, but to mistake them for “sophisticated” might be a stretch.
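As an added illustration (not code from the original post), here is a small baseline-and-outlier check of the kind that would have surfaced John’s workstation. It runs over constructed, NetFlow-style flow records (invented here, not real logs) and flags internal hosts whose egress volume dwarfs the fleet median, plus (source, destination) pairs whose connections arrive on a suspiciously regular schedule. The record layout, the internal address ranges, the IP addresses, the volumes and the thresholds are all assumptions made for the example.

```python
"""Egress baseline check over constructed flow records.

Added example, not code from the original post. Record layout is assumed to be
NetFlow/Zeek-style: (epoch seconds, src IP, dst IP, dst port, bytes src->dst).
All addresses, volumes and thresholds below are invented for illustration.
"""
from collections import defaultdict
from statistics import mean, median, pstdev
import ipaddress

# Assumption: the company's internal address space (a real deployment would
# load this from the IPAM/asset inventory rather than hard-code it).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample data (not real traffic).
# Hosts 10.0.0.1-6: small, irregularly timed HTTPS sessions to one web site.
# Host 10.0.0.7: a 2.4 MB upload every 300 s to one external address, the
# kind of screenshot/video trickle described in the story.
_NORMAL_OFFSETS = [0, 430, 900, 1700, 2000, 2900, 3500]
FLOWS = []
for h in range(1, 7):
    for off in _NORMAL_OFFSETS:
        FLOWS.append((off + h * 7, f"10.0.0.{h}", "198.51.100.20", 443, 12_000 + h * 500))
for t in range(0, 3600, 300):
    FLOWS.append((t, "10.0.0.7", "203.0.113.9", 443, 2_400_000))
FLOWS.append((120, "10.0.0.7", "198.51.100.20", 443, 9_000))


def is_internal(ip):
    """True if the address falls inside one of the declared internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_flows(flows):
    """Keep flows that leave the network: internal source, external destination."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def egress_bytes_per_host(flows):
    """Total bytes each internal host sent outside the network."""
    totals = defaultdict(int)
    for _ts, src, _dst, _port, nbytes in external_flows(flows):
        totals[src] += nbytes
    return dict(totals)


def volume_outliers(flows, factor=10):
    """Hosts sending more than `factor` times the fleet median outbound.

    A median-based baseline is used instead of a z-score: with a handful of
    hosts, one extreme value drags the mean and standard deviation along with
    it, so a mean+3*sigma rule can fail to flag the very host causing the skew.
    """
    totals = egress_bytes_per_host(flows)
    if not totals:
        return []
    baseline = median(list(totals.values()))
    return sorted(h for h, v in totals.items() if v > factor * baseline)


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """(src, dst) pairs contacted on a near-fixed interval.

    Returns [((src, dst), mean_gap_seconds), ...]. The coefficient of variation
    of the inter-arrival gaps is low for scheduled check-ins and high for a
    human clicking around; `max_cv` is a tuning knob, not a universal constant.
    """
    seen = defaultdict(list)
    for ts, src, dst, _port, _nbytes in external_flows(flows):
        seen[(src, dst)].append(ts)
    hits = []
    for pair, stamps in seen.items():
        stamps.sort()
        if len(stamps) < min_flows:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((pair, avg))
    return sorted(hits)


if __name__ == "__main__":
    totals = egress_bytes_per_host(FLOWS)
    for host in volume_outliers(FLOWS):
        print(f"volume outlier: {host} sent {totals[host]} bytes out")
    for (src, dst), gap in beacon_candidates(FLOWS):
        print(f"beacon-like: {src} -> {dst} every ~{gap:.0f} s")
```

On the constructed data, `volume_outliers` names 10.0.0.7 and `beacon_candidates` points at its 300-second cadence to 203.0.113.9, while the ordinary hosts, whose timings are irregular and whose volumes are small, stay quiet. The point is that this needs only the summarized flow data a correlation engine already holds, not more events per second; the real cost is in deciding what “normal” looks like for each population of hosts, which is exactly the profiling work an over-emphasis on prevention tends to skip.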
Prevention is great, but detecting attacks is equally important.