Taking the Approach of Assuming You Have Been Hacked Can Go a Long Way Toward Being Proactive About Possible Attacks
Information security practitioners have always considered “keeping the bad guys out” a core element of their profession, but the flood of highly-publicized security breaches (together with an unknown but likely higher number of unpublicized breaches) clearly demonstrates that we are not excelling at this task, to put things lightly.
Simply put, the bad guys currently have the upper hand in the never-ending game of cat and mouse. Those of us with enough years in the business have witnessed the ups and downs – at times, security technology catches up with the latest threats and provides a good level of protection, and at other times, the bad guys’ tools and techniques seem to have the advantage. We are currently living in these “other times”.
The reason for the current situation is twofold:
• Increased hacker sophistication and motivation – whether it’s financial motivation, or “hacktivism”, the rewards for successfully breaching into organizations are higher, which results in more professional and coordinated hackers.
• Increased network and IT complexity – security managers have more on their hands these days than ever before: not only are there more security devices to manage (it seems like “defense-in-depth” gets deeper and deeper), there are also more business requirements (such as BYOD) to address.
The traditional knee-jerk reaction of the information security community has been to “throw more technology” at the problem. This is understandable as we have indeed seen some good innovation from security vendors to address new threats such as APT, and organizations should continue to invest in cutting-edge technology to improve their defenses. But I would like to propose an additional way we can improve security, which doesn’t require a dime of investment, but does require a change in how we think.
Assume you’ve been hacked – and now map out your security policy.
This thinking is often easier said than done. After all, assuming your organization has been hacked is like admitting you have failed in your role to protect it. But like it or not, no matter how good you think your perimeter and endpoint security is, there is an extremely high likelihood that malware is already inside your network. (For some great statistics check out this report from Kaspersky Lab). Would you do anything differently if you knew you were already hacked? If the answer is yes, why not be proactive and take those measures today?
In working with organizations around managing their network security policy, I often observe practices that are not in line with this thinking. Here are just two examples:
• Outbound firewall rules – recent research conducted by Prof. Avishai Wool analyzed Cisco and Check Point firewall configurations. The most common firewall misconfigurations included mishandling of outbound traffic (e.g. allowing outbound SMTP from more than 256 IP addresses). This is based on the false notion that, unlike traffic flowing in from outside the network, traffic originating from inside the network is secure. But traffic from inside the network can include, for example, bots that are transmitting sensitive information.
• VPN connections – many organizations allow remote users who are VPN-ing into the internal network to bypass the traditional security controls (such as network anti-virus). The assumption is that since the user has successfully authenticated, the connection is secure. However, mobile devices (both corporate-issued and non-corporate-issued) are even more likely to be infected by malware, so this assumption basically opens up a vector for all sorts of possible attacks.
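The two practices above can be caught by a simple policy audit. The following is an added example, not code from the article or from any vendor's tooling; it assumes a constructed, simplified rule format (a list of dicts) and flags outbound SMTP rules whose source covers more than 256 addresses, as well as any allow rule marked as bypassing inspection:

```python
import ipaddress

# Constructed sample policy (not from the article), in firewall evaluation order.
# "inspect": False marks a rule whose traffic skips network AV / IPS controls.
SAMPLE_RULES = [
    {"name": "mail-relay-out", "direction": "outbound",
     "src": ["10.1.50.10/32", "10.1.50.11/32"], "port": 25, "action": "allow"},
    {"name": "smtp-any-out", "direction": "outbound",
     "src": ["10.0.0.0/16"], "port": 25, "action": "allow"},
    {"name": "vpn-users-in", "direction": "inbound",
     "src": ["172.16.0.0/24"], "port": "any", "action": "allow", "inspect": False},
    {"name": "web-out", "direction": "outbound",
     "src": ["10.0.0.0/16"], "port": 443, "action": "allow"},
]

MAX_SMTP_SOURCES = 256  # threshold from the research cited in the article


def source_count(src):
    """Number of distinct addresses covered by a rule's source list,
    collapsing overlapping or adjacent networks so hosts are not counted twice."""
    nets = [ipaddress.ip_network(s, strict=False) for s in src]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def audit(rules):
    """Return (rule name, reason) pairs for rules that violate the two checks."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        # Check 1: outbound SMTP should come only from a handful of mail relays.
        if rule["direction"] == "outbound" and rule["port"] == 25:
            n = source_count(rule["src"])
            if n > MAX_SMTP_SOURCES:
                findings.append((rule["name"],
                                 f"outbound SMTP allowed from {n} addresses; "
                                 "restrict to the mail relays"))
        # Check 2: authenticated VPN users still get the same inspection as anyone else.
        if rule.get("inspect", True) is False:
            findings.append((rule["name"],
                             "traffic bypasses inspection; route it through "
                             "the same controls as other internal hosts"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```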
Don’t simply assume that outbound traffic and VPN connections are trusted. While it may take some rewiring of how we think about security, if you take the approach of assuming you have been hacked, I believe it can go a long way toward being proactive about possible attacks and keeping your company’s name out of the headlines.
