By Taking The Approach of Assuming You Have Been Hacked, It Can Go a Long Way In Being Proactive About Possible Attacks...
Information security practitioners have always considered "keeping the bad guys out" a core element of their profession, but the flood of highly-publicized security breaches (together with an unknown but likely higher number of unpublicized breaches) clearly demonstrates that we are not excelling at this task, to put things lightly.
Simply put, the bad guys currently have the upper hand in the never-ending game of cat and mouse. Those of us with enough years in the business have witnessed the ups and downs – at times, security technology catches up with the latest threats and provides a good level of protection, and at other times, the bad guys' tools and techniques seem to have the advantage. We are currently living at these "other times".
The reason for the current situation is twofold:
• Increased hacker sophistication and motivation – whether it's financial motivation, or "hacktivism", the rewards for successfully breaching into organizations are higher, which results in more professional and coordinated hackers.
• Increased network and IT complexity – security managers have more on their hands these days than ever before, not only are there more security devices to manage (it seems like "defense-in-depth" gets deeper and deeper), there are more business requirements (such as BYOD) to address.
The traditional knee-jerk reaction of the information security community has been to "throw more technology" at the problem. This is understandable as we have indeed seen some good innovation from security vendors to address new threats such as APT, and organizations should continue to invest in cutting-edge technology to improve their defenses. But I would like to propose an additional way we can improve security, which doesn’t require a dime of investment, but does require a change in how we think.
Assume you've been hacked – and now map out your security policy.
This thinking is often easier said than done. After all, assuming your organization has been hacked is like admitting you have failed in your role to protect it. But like it or not, no matter how good you think your perimeter and endpoint security is, there is an extremely high likelihood that malware is already inside your network. (For some great statistics check out this report from Kaspersky Lab). Would you do anything differently if you knew you were already hacked? If the answer is yes, why not be proactive and take those measures today?
In working with organizations around managing their network security policy, I often observe practices that are not in line with this thinking. Here are just two examples:
• Outbound firewall rules – recent research conducted by Prof. Avishai Wool analyzed Cisco and Check Point firewall configurations. The most common firewall misconfigurations included mishandling of outbound traffic (E.g. allowing Outbound SMTP from over 256 IP addresses). This is based on the false notion that unlike traffic from outside the network flowing in, traffic originating from the inside the network is secure. But traffic from inside the network can include for example, bots that are transmitting sensitive information.
• VPN Connections – Many organizations allow remote users who are VPN-ing into the internal network to bypass the traditional security controls (such as Network anti-virus). The assumption is that since the user has successfully authenticated, the connection is secure. However, mobile devices (both corporate issued and non-corporate issued) are even more likely to be infected by malware, so this assumption basically opens up a vector for all sort of possible attacks.
Don’t simply assume that outbound traffic and VPN connections are trusted. While it may take some rewiring of how we think about security, if you take the approach of assuming you have been hacked I believe it can go a long way to being proactive about possible attacks, and keeping your company's name of the headlines.