Connect with us

Hi, what are you looking for?

Web

Year of the Hack

2014 will be remembered as the Year of the hack. Sony, Target, Home Depot, UPS, even Victoria couldn’t keep herself Secret.  The list of breaches is depressing.

year of the hack

How do you avoid being the next? This article will answer that question.  But, if you’re looking for a quick fix, move along.

What’s Been Tried Before

Firewalls / Intrusion Detection

Firewalls won’t stop someone who has credentials, won’t stop attacks within the interior of a network.

“Myth: Firewalls make your data secure.  In fact, 40% of Internet break-ins occur in spite of a firewall being in place.

Data Security Challenges – Oracle9i Security Review

Stong Authentication / Multi-factor Authentication / Single Sign-on

Often bad things are committed by those who already have the proper credentials.  Ask Home Depot who was victimized by hackers using a third-party vendor’s userId and password.  Do not base the entire defense on the front door.

“Neither top secret clearance, sophisticated authentication nor the most advanced encrypted information systems can necessarily stop an intended breach action. These security procedures are not designed to detect real-time actions and anomalous business processes from authorized personnel. These practices are just the “moat around the castle” approach upon which most current cybersecurity technologies are based. Current national security breaches clearly show we need to do more.”

Is Cyber Security an Inside Job? – Larry Karisny – Digital Communities

Antivirus Software

Doesn’t stop attacks in-flight.  By the time a new virus signature is identified, two more have been created and taken root elsewhere.

In the bigger picture, furthermore, the anti-virus software was irrelevant, contends Chester Wisniewski, a senior security advisor at anti-virus vendor Sophos. “A smart attacker in a targeted environment will always bypass your anti-virus,” he says, and especially if they’re trying to take down a retailer the size of Home Depot.

Analysis: Home Depot Breach Details – Mathew J Schwartz – Bank Info Security

I’m not saying these practices are invalid, but they are insufficient.

What’s Missing

A determined attack will gain access to its intended target.  It’s impossible to harden every entry point sufficiently to prevent all attack vectors.  You must have a way to minimize damage once the inevitable unauthorized entry occurs.

“Organizations should stop thinking about breach prevention, accept their going to be breached, change their mindset, and think about how they will protect and store their data.”

Stop Worrying About Data Breach Protection – Info Security Magazine

Strong Authorization

The authorization controls commonly used today do not counter the threat of a determined attacker.  Let’s take a prime example.  How did a low-level, government contractor download terabytes of highly sensitive data from the NSA?  The answer: inadequate authorization controls.

Organizations that lack these controls are vulnerable to attacks waged by individuals who have legitimate accounts on the network but seek to misuse their access for malicious purposes. This risk, known as the “insider threat” is one of the most insidious causes of data breaches.

How to avoid the five most common causes of data breaches – Mike Chappel – Certification Magazine

Audit trail

If an operation is important enough to be guarded with a policy enforcement point, it should be tracked.  This lends integrity over operations.  You can answer who, what, when, and where.

“The most important step that you can take to protect your organization against improperly configured access controls is to perform regular auditing.”

How to avoid the five most common causes of data breaches – Mike Chappel – Certification Magazine

Periodic Review

Circulate daily reports of access requests to sensitive resources.  Think about the results.  Devise heuristic algorithms to detect anomalies automatically.  If Home Depot conducted regular reviews perhaps it wouldn’t have taken five months to detect illegal activity in their networks.

Confidentiality

Encryption enabled should be the default setting for network connections – even (especially) test environments.  Buy new servers to handle the increased load.   Manage the keys wisely.  Consider the added cost cheap insurance.

“In the aftermath of security breaches at Target, Home Depot, and JP Morgan Chase, executives are reexamining their data breach risks. Hacksurfer reports on a recent survey of IT professionals that found 53 percent of organizations were investing more in data security after these high-profile cyber attacks.”

In Data Security, Compliance Isn’t Enough – Max Schleicher – TechInsurance

Secure Coding

This drum is beaten elsewhere so I won’t here.

There is no Silver Bullet

Ask Staples – the easy button doesn’t work.  Be wary of those who tell you otherwise.  The good news: it’s not complicated.  It requires a focused effort across the following:

  • Strong Authorization – Add mandatory policy enforcements to all access points accessible over the network – even those downstream of ‘secured’ interfaces.
    • Use declarative policy enforcement mechanisms like SELinux, PAM, sudo, ModAuth, Java EE security to safeguard the infrastructure.
    • Use programmatic, fine-grained access control to safeguard data access within the applications.
    • Use centralized Policy Decision Points (PDP) capable of efficient data access (it will be busy).
  • Cryptography – encrypt data in-flight, sensitive data at rest.  Hash all passwords.
  • Audit – track access requests to objects, operations along with subject, location, time, date and result details.
  • Review – conduct regular reviews of policies and audit logs to verify compliance.
  • Secure coding techniques – employ these practices while still in development.  Conduct code scans of applications already in production.
    • Use automated testing to verify security functionality.

Will these measures guarantee that your company’s systems won’t be breached?  No, but you won’t look like a big, juicy, red Target either. 🙂

Written By

Systems architect, security guy, open-source advocate and avid cyclist.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Also Like

Tech

Mac users used to be the underdogs. They were often teased by PC users for their computer preference, while proudly expressing their loyalty to...

Tech

It’s an indisputable fact that the amount of electronic equipment we use is increasing by the year, so it’s not surprising that the amount...

Web

With so many high-profile computer cracks in the news, small business owners are increasingly concerned they may be next. The problem for many of...

Featured

Once upon a time, all you had to worry about in terms of protecting your personal data was to make sure not to give...