Mike Winslow, Senior Consultant, SecureITsource, Inc.
Years ago, I heard someone say that the only way to perfectly secure a server was to dig a hole, put the server in, and then fill it with cement. Extreme? Yes. Practical? No. The opposite extreme would be to open every port, install every protocol, and grant access to anyone that requests it. Your job as a security specialist is to find the perfect balance between these two extremes. Simple, right? Is it even possible?
Perfect security may not be possible, but that shouldn’t prevent you from setting it as your ultimate goal. Every day new threats and attack vectors are introduced. Just as you plug one hole, another one appears. It is a rare day when you can sit back, relax, and say all is well. So how do you keep up with the endless security needs of your environment?
First you need to know what your attack vectors are and which ones have the highest probability of attack. If you don’t know what your attack vectors are, it will be impossible to mount any kind of defense. An attack vector is any point through which an attacker could try to enter your environment to deliver a payload or malicious outcome. The attack surface is the total number of such points.
According to Roger A. Grimes, these are the five types of attack vectors you’re most likely to face:
1. Socially engineered malware
2. Password phishing attacks
3. Unpatched software
4. Social media threats
5. Advanced persistent threats
A close examination of these 5 vectors reveals what is probably the weakest link in every company: Employees!
Social engineering requires an employee to be successful. Employees are the wild cards in any security defense. The best-trained, most security-conscious employees will leave the company and be replaced by someone who may not fully understand a phishing or social engineering campaign. Some employees are either oblivious to what is happening or don’t care. Many companies have started sending out their own phishing emails to raise awareness and test their employees, but find that the same employees fail the test every time. Once identified, however, high-risk employees can be given additional training or have their access to potential attack vectors restricted.
The second step required to achieve perfect security is knowledge. Before you can defend against an attack, you need to understand the mechanics of the attack. If you have no clue how socially engineered malware is introduced into your environment, how are you going to defend against it? Knowledge is your best weapon.
According to Brook S. E. Schoenfield, principal engineer at Intel Security and the author of Securing Systems: Applied Security Architecture and Threat Models, “All software has attackable places depending on what access the attacker has and is able to gain. But if you design it well and design it defensively, at least they’re limited to the channels you give them that you know about.” This is true of any attack vector. If you understand how it works, you can build your defense in such a way as to stop or limit an attack via that channel.
Along with knowing the mechanics of an attack, you need to know what, and how many, potential entryways into your environment exist. By knowing how an attack campaign is run and identifying what its entryways into your system are, you can preemptively shut it down before it has a chance to progress. Or at least watch for it and slow it down or stop its progress. Every time you deploy a potential entryway, it should already have mitigations in place to thwart an attack.
Finally, whenever possible, limit the number of potential entryways you introduce into your environment, especially new Wi-Fi and cloud-connected devices. Every day the Internet of Things (IoT) introduces new cloud-enabled devices. Lights, heating, cooling, doors, cars, mobile devices, and even bathrooms are getting connected to the IoT. While the IoT may provide convenience, it doesn’t help your defensive position. Every one of these devices has little or weak security, which increases the potential for easy access into your security perimeter.
In a blog on Threatpost, Michael Chamberland, practice lead for Trustwave SpiderLabs, was quoted as saying, “Most organizations are 10 to 20 years behind in their security practices when it comes to IoT, and they’re repeating the same security mistakes as they have in the past, including storing their credentials in plain text.”
Before you allow new IoT devices or even personal mobile devices such as phones, tablets, and laptops onto your network, make sure you are fully aware of the risks versus the benefits and plan your security defenses accordingly.
There are many security tools on the market that focus on defending against the various attack vectors you face. CyberArk, ForgeRock, SailPoint, Okta, FireEye, and TripWire are some of the market leaders in security solutions and each has a product that can be tailored to address the security challenges you face. But again, before you can deploy a solution you have to understand the problem.
Of course, if you aren’t sure what your attack vectors are, you can always require that your systems are only deployed inside of a concrete bunker!