As technology becomes an increasing presence in our daily lives. The risks have increased dramatically to on both an personal and organizational level. If we step back 6 or 7 years a managed and up to date Windows XP machine with Anti-Virus protection was considered secure. Today this is no longer the case. As threats and malware becomes more sophisticated it is easily side stepping traditional Anti-Virus/Anti-Malware. Even top of the line Next gen Firewalls and Intrusion Detection Systems are not capable of stopping some threats. The risk is moving beyond malware spreading across the network or creating a giant botnet. The new target is the information that is contained within the organization.
Let’s for a moment consider the castle analogy. Not too long ago, the typical approach to Information Security (infosec) was to build the walls high and strong. This meant having a good application aware firewall, multiple intrusion detection systems and depending on the local laws a data loss prevention solution. The prevailing thought of the day was that if the walls were strong enough and if the guards at the top were armed that the castle would be protected. Unfortunately, for the kingdom to be successful and to operate fully the soldiers needed to go in and out of the gate. The soldiers needed armour while outside the castle walls so we gave them some body armor in the form of “endpoint protection” and this worked for a little while until the enemy discovered new weapons.
The first step in moving forward is realizing that you are the target. You are the new attack surface and the easiest way to get the information that the attacker wants is if you give them the proverbial keys to the kingdom. Think about your current situation. If you were an attacker what would you go after in your organization? Would you go after the executives? How about the trusted users? Users with access to protected information. If you are an education institution. How about your teachers? Whatever information is valuable to you is certainly valuable to someone else . Information Security is no longer just the job of the IT security folks but each citizen in the kingdom must understand what is at stake.
Small system.. large consequences
In recent news the giant US retailer Target was breached. While the full forensics of the breach have not been disclosed what we do know about the breach is that it began with a 3rd party contractor who was phished and internal systems were compromised with malware. A seemingly small risk within the Target organization ended up with 110 million people having their personal information compromised.
Retailers with access to credit card info are not the only target. Numerous other types of organizations have been targets. If you have private information you are a target. The University of Chicago was recently breached and both employee and student information was stolen.
The new weapons in the enemy’s arsenal cannot be thwarted by building a stronger castle wall or giving the soldiers better armor. The king and his armies must regroup and come up with a new defense strategy. Defense in depth must be the central theme of this strategy.
Creating a solution
1. Understand your risk
Your new defense strategy must begin with a solid understanding of your risk and what information or services that you need to protect. What information is your organization storing? What information might an attacker find valuable? Is it your employee database? Is it your CRM? How about your unencrypted customer credit card database?
2. Create a plan
What high level changes must your organization make? Do your key leaders have a understanding of the risk and the depth of changes that must occur to mitigate that risk? Once your key leaders understand what is at stake, together you can formulate a new defense plan.
3. Arm your soldiers
Educate your team
Giving your soldiers a set of body armor is fine but an even better strategy would be if you teach them how to fight. Educating your team should be a key part of your defense plan. Consider engaging an outside team that specializing in Information Security training. Make the training fun and engaging so that your employees retain the information long term and refresh the training often. If your team can see the attack coming they will be a lot more likely to resist the attacker and protect themselves and your organization
Arm your endpoints
The shield of ‘Endpoint Security’ is only so strong. Strongly consider implementing a Privilege Management and Application White listing solution. Some good examples of solutions that do this well are Bit9 and Avecto.
- Avecto starts with the concept of least privilege and trusted applications are given permissions to run. Avecto also adds the feature of sandboxing so if you have vulnerable legacy applications you can run them in a contained, separate user space which is transparent to the end user.
- Bit9 offers a different approach to malware protection – you can’t always know what is bad and therefore you don’t look for “known bad” software, (a losing battle); you only allow what you know and trust to execute. Bit9 is a security solution that uses their proprietary dynamic whitelisting service to identify risk and only allow what you have specifically allowed to execute.
Removing admin privilege from the end user is a giant leap forward in securing your organization. It will dramatically reduce the risk of external attacks and threats that detonate from within.
The first step is admitting that you have a problem and that you are new target. Most organizational attacks are targeted and compromised systems occur because we let the attacker through the front gate. The increased presence of connected technology in our daily lives means that the attack surface has greatly increased. A proper defense strategy for yourself and your organization begins when you have an understanding of what needs to be protected and what is at risk. Make sure that your leadership is on board and supports the new strategy. Help your leaders to see the risks and what is at stake. Lastly, make sure that your people have a fighting chance when attacked. Make infosec training fun and exciting and not a boring lecture provided by poor communicators. Give your team devices that are secured and reduce the risk in case they forget.