Perimeter defences are no longer enough to keep data safe, and most security experts believe security strategies should be based on the assumption that attackers will get inside the firewall.
Getting through is remarkably easy, as information security leaders heard at the inaugural meeting of the CW500 Security Club.
Martin Jordan, who heads up the cyber response team for KPMG, demonstrated an attack using a weaponised PDF document. The attack was created in just two days by an intern, who was a geography graduate with little computer knowledge, using free, easily-available software.
Jordan showed that by encouraging a user to click on the PDF document delivered by email, an attacker is able to get control of the victim’s machine without their knowledge to install software such as a keylogger.
Keyloggers are common tools used by attackers. They record anything entered using the computer’s keyboard – providing useful information such as usernames and passwords for corporate IT systems.
“The attacker is able to open up communications with the targeted machine through port 443 or port 80, but to the firewall it just looks like the PC connecting to the internet,” said Jordan.
“Attackers aim to collect as much information as they can about the people they target, including details of their friends, family and online accounts,” said Jordan.
Businesses are facing attacks that are much more sophisticated, by well-resourced cyber criminals who are making a lot of money from the information they steal, he said.
Most business networks have firewalls, anti-virus, intrusion detection systems and other traditional defences, but in security assessments, Jordan’s team regularly discover an array of hidden malware.
Most of this malware is designed to steal information; information-stealing malware accounts for roughly 80% of all the malware KPMG investigators find, and some of it is difficult to detect and remove.
Recognising the problem
The problem is not all businesses recognise that malware is getting past their defences and is active on their network, said Jordan.
“The first part of recovery is recognising the problem,” he said, but many organisations do not have the ability to recognise they are under attack.
Anti-virus is essential, but it is not enough, said Jordan. Businesses need to look beyond anti-virus and other traditional defences to augment them with different techniques to find what is on the network.
Also, by adding systems to detect newly-registered domain names, for example, organisations can block attacks using dynamic domain name generation techniques to evade defences that rely on blacklisting known bad domain names.
“Dynamic domain names are the delivery weapon of choice for botnets and other malicious activity on networks,” said Jordan. “Having an ability to detect and block these instantly will offer much faster and better protection than relying on anti-virus systems to pick it up eventually.”
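The detection Jordan describes can be approximated offline with a scoring heuristic over DNS query logs. The following is an added illustration, not KPMG's tooling or anything shown at the event: it scores the registrable part of each looked-up name by character entropy, digit count and consonant runs, skips an allowlist of names the organisation already trusts, and reports the clients that resolved suspect domains. The log lines, the allowlist, the weights and the threshold are all constructed for the example; a real deployment would also check domain registration age (the "newly registered" signal in the text), which needs an external lookup and is not implemented here.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the article): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2012-10-01T09:00:01 10.1.1.23 www.bbc.co.uk
2012-10-01T09:00:03 10.1.1.23 static.computerweekly.com
2012-10-01T09:00:05 10.1.1.23 xk3q9vz7lmtp2r.info
2012-10-01T09:00:06 10.1.1.23 q8rt2ywl0pzdk4ah.biz
2012-10-01T09:00:09 10.1.1.42 mail.google.com
2012-10-01T09:00:11 10.1.1.42 update.microsoft.com
2012-10-01T09:00:12 10.1.1.42 1a2b3c4d5e6f7g8h.ru
"""

# Registrable domains the organisation already trusts (assumption: maintained by the defender).
ALLOWLIST = {"bbc.co.uk", "computerweekly.com", "google.com", "microsoft.com"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; algorithmically generated labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Return the registrable part: the last two labels, or three for suffixes such as
    .co.uk. Simplified on purpose; a real deployment would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def dga_score(domain: str) -> float:
    """Heuristic score for the second-level label: its entropy, plus 0.5 per digit and 1.0
    for a run of four or more consonants, both rare in human-chosen names. Weights are
    illustrative assumptions, not tuned values."""
    label = domain.split(".")[0]
    score = shannon_entropy(label)
    score += 0.5 * sum(ch.isdigit() for ch in label)
    if re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", label):
        score += 1.0
    return score


def find_suspect_domains(log_text: str, threshold: float = 4.0):
    """Return [(client, registered_domain, score)] for lookups that are not allowlisted and
    score at or above the threshold. The allowlist check runs first, so trusted names with
    unusual spellings are never scored and cannot raise false positives."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, qname = parts
        dom = registered_domain(qname)
        if dom in ALLOWLIST:
            continue
        score = dga_score(dom)
        if score >= threshold:
            hits.append((client, dom, round(score, 2)))
    return hits


if __name__ == "__main__":
    for client, dom, score in find_suspect_domains(SAMPLE_DNS_LOG):
        print(f"{client} resolved {dom} (score {score})")
```

Entropy alone misclassifies short legitimate names and long content-delivery hostnames, which is why the allowlist is consulted before scoring and why the score is a starting point for a block-or-investigate decision rather than a verdict.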
However, Jordan said investigations by his team have revealed that businesses generally make it easy for attackers to infiltrate their networks.
“We are still seeing common failings, and worst of all, we still see these in every single incident, even in organisations that are ISO 27001 certified,” he said.
Shared accounts and weak administration passwords are among the most basic failings.
“Once attackers have the passwords, there is little or no indication they are on your network, unless you do auditing and logging,” said Jordan.
But few organisations are analysing their logs, even if they have them. They spend vast sums of money on auditing tools, but do not use them, tune them or tweak them, and have user IDs like “admin 1” that cannot be tied to any specific person.
Common security failings, according to KPMG
- Shared accounts
- Weak passwords
- Lack of effective network monitoring
- Lack of effective web monitoring
- Absence of logging
- Absence of log analysis
- Little control of data assets
- No forensic incident response plan
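The two logging failings above, unattributable user IDs and shared credentials, are visible in the very logs Jordan says organisations collect but do not analyse. The following added example (not KPMG's code, and not from the event) runs two checks over constructed logon records: it lists accounts that have no named owner in a directory, and it flags accounts used from several different hosts within a short window, which is what a shared or stolen password looks like. The log format, the account-to-owner mapping, the ten-minute window and the three-host threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not from the article): "time account source_host".
SAMPLE_AUTH_LOG = """\
2012-10-01T08:55:10 admin1 WS-FINANCE-07
2012-10-01T08:57:42 admin1 WS-HR-02
2012-10-01T09:01:05 admin1 SRV-FILE-01
2012-10-01T09:03:30 jsmith WS-FINANCE-07
2012-10-01T09:40:00 jsmith WS-FINANCE-07
2012-10-01T10:15:00 admin1 WS-DEV-11
2012-10-01T10:16:20 backup_svc SRV-FILE-01
"""

# Accounts that can be tied to a person or a documented purpose (assumption: exported from the
# directory). Anything absent here is the "admin 1" problem: nobody can say who used it.
ACCOUNT_OWNERS = {
    "jsmith": "J. Smith",
    "backup_svc": "service account: nightly backup job",
}


def parse_auth_log(text):
    """Parse 'time account host' lines into (datetime, account, host) tuples."""
    records = []
    for line in text.splitlines():
        ts, account, host = line.split()
        records.append((datetime.fromisoformat(ts), account, host))
    return records


def unattributable_accounts(records):
    """Accounts seen in the log that have no named owner."""
    return sorted({acct for _, acct, _ in records if acct not in ACCOUNT_OWNERS})


def concurrent_use(records, window=timedelta(minutes=10), min_hosts=3):
    """Map account -> sorted hosts for any account that logged on from at least min_hosts
    distinct hosts inside one sliding window. One person rarely sits at three keyboards in
    ten minutes; a credential that several people (or an intruder) hold does exactly that."""
    by_account = defaultdict(list)
    for ts, acct, host in records:
        by_account[acct].append((ts, host))
    flagged = {}
    for acct, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("no owner on record:", unattributable_accounts(recs))
    for acct, hosts in concurrent_use(recs).items():
        print(f"{acct} used from {len(hosts)} hosts within 10 min: {hosts}")
```

The second check is only as good as the host field in the log, so it depends on logging being switched on at the authentication source in the first place; with no logs there is nothing to correlate, which is the point Jordan makes.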
Network monitoring is also often overlooked by organisations, but IT security professionals can tell a lot by how traffic flows in a network, said Jordan. By profiling a standard desktop on a network, it is relatively easy to identify anomalous behaviour that is often indicative of malicious activity.
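Profiling a standard desktop and looking for departures from it is the approach Jordan describes here, and it is also the answer to the earlier point that a command-and-control channel on port 443 or 80 looks like ordinary browsing to a firewall. The following added example (not KPMG's tooling, not shown at the event) runs two checks over constructed flow records: flows to ports outside the desktop profile, and source/destination pairs that talk at a near-constant interval with near-constant size, which a person browsing does not produce but a beacon does. The flow format, the baseline port set, the five-flow minimum and the 5% jitter tolerance are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow records (not from the article): "time src dst dport bytes_out".
SAMPLE_FLOWS = """\
2012-10-01T09:00:00 10.1.1.23 93.184.216.34 443 1200
2012-10-01T09:00:12 10.1.1.23 93.184.216.34 443 980
2012-10-01T09:05:00 10.1.1.23 198.51.100.9 443 612
2012-10-01T09:10:00 10.1.1.23 198.51.100.9 443 615
2012-10-01T09:15:00 10.1.1.23 198.51.100.9 443 610
2012-10-01T09:20:00 10.1.1.23 198.51.100.9 443 614
2012-10-01T09:25:01 10.1.1.23 198.51.100.9 443 611
2012-10-01T09:03:00 10.1.1.42 93.184.216.34 443 4000
2012-10-01T09:07:00 10.1.1.42 93.184.216.34 80 2300
2012-10-01T09:30:00 10.1.1.42 192.0.2.77 8443 150
"""

# Destination ports a standard desktop is expected to use (assumption: learned from a clean
# reference machine during a quiet period).
BASELINE_PORTS = {80, 443}


def parse_flows(text):
    """Parse flow lines into (datetime, src, dst, dport, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def off_profile(flows):
    """Flows to a destination port the desktop profile does not include."""
    return [(src, dst, port) for _, src, dst, port, _ in flows if port not in BASELINE_PORTS]


def beacons(flows, min_flows=5, max_jitter=0.05):
    """Return [((src, dst, port), mean_gap_seconds, flow_count)] for pairs whose inter-flow
    gaps and payload sizes both vary by less than max_jitter (coefficient of variation).
    Such regularity is the timing signature of an automated check-in, whatever the port."""
    pairs = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        pairs[(src, dst, port)].append((ts, nbytes))
    found = []
    for key, events in pairs.items():
        if len(events) < min_flows:
            continue  # too few samples to call anything periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_jitter and size_cv <= max_jitter:
            found.append((key, round(mean(gaps)), len(events)))
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("off-profile ports:", off_profile(flows))
    for (src, dst, port), gap, n in beacons(flows):
        print(f"{src} -> {dst}:{port} every ~{gap}s, {n} flows: possible beacon")
```

Real implants add random jitter to the interval, so the tolerance would be widened and the size check kept as the stronger signal; the value of the approach is that it needs no signature for the malware, only a profile of what the desktop normally does.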
It is all about being prepared for incidents, which just about every organisation is likely to experience. But the effect of the attacks can be mitigated and recovery times reduced by being prepared, said Jordan.
“Know what data assets you have and where they are located, ensure you have a forensic incident response plan, make sure it is easy for incident investigators to find and access logs, prepare a holding statement for senior managers and press if necessary, and have someone who knows about incident response,” he said.
A private sector viewpoint
Matthew Lord, chief information security officer at business services firm Steria UK, offered a view on tackling the problem from the perspective of an information security leader working inside a private sector company.
In today’s user environment, he said, there are three main actors: technology, people and process. These are all evolving, bringing new security challenges, but according to Lord, the complexity of these has not really changed since they first emerged in the 1980s.
“If you look at the heart of cyber incidents in the past two years, it hasn’t really changed, so dealing with them is all about the basics. If we need to recognise anything, it is that basics matter,” he said.
What is changing, said Lord, is the cost of incidents and the speed at which things happen. The organisations that are getting hit are suffering more simply because they have lost focus on getting the basics right.
First is confidential data. “Protecting confidential data is key. In our organisation, one of my drivers is putting in the basic security controls, but when it comes to confidential data, we drive that hard,” said Lord.
Many organisations outside the security or military world, however, struggle with data classification. For this reason, Steria has established a four-step process to help identify confidential data.
“Security awareness is vital; a process will help you only so much, and my observation is that when you get to a security incident, it has always been a breakdown of process and someone forgot the basics,” said Lord.
In terms of awareness, Steria has taken the approach of using company people in poster campaigns and talking about issues that are most relevant to staff.
The company has also established what Lord terms “security baselines” and worked towards making security a part of business-as-usual (BAU). Otherwise, it is seen as something out of the ordinary and too difficult to do, he said.
“We have moved our security baselines significantly in the past year, and it was testament to it becoming BAU when the head of internal systems came to me and said, ‘People are acting on these reports’. So it wasn’t the security guy saying: ‘I am not happy with compliance,’ it was effectively our internal CIO saying it,” said Lord. One of the roles of security professionals, he said, should be creating the data for their peers to act on.
- Protecting confidential data is key – not all data
- Security awareness is critical – process will only help you so much
- Establishing strong security baselines is vital – try to make it business as usual
- Risk management systems help – knowing what to protect is key
- Matrix management is vital – you cannot manage security alone
- The basics count – failure to do them is what most often lets you down
Risk management systems are helpful, said Lord, to know what it is necessary to protect and where to spend additional time and effort.
“As a security person, when I call out something as high risk, I need to balance that against the business, and if the business wants to go somewhere else, we need to formally acknowledge that, so one of the principles we have is a running risk register that is focused on the true business risks. It is written in a business tone and a business language,” he said.
According to Lord, maintaining the register and presenting it to the executives on a quarterly basis helps awaken their conscience and they do not delegate responsibility to IT. “I am very much delegating it back to them to empower them to make the decisions,” he said.
Matrix management is vital because IT security managers cannot do it all alone, said Lord. At Steria, there are delegated security representatives throughout the organisation. “The security team, which is small, provides the expertise and the knowledge to empower those individuals to go out and make things happen in a way that works for them,” he said.
And finally, making sure the basics are covered is vital. “Often, in my experience, failure to do the basics is what lets organisations down,” said Lord. But at the same time organisations have to recognise that in an interconnected world, everyone needs to work securely.
“Think about protecting key data and systems and controlling access to those, but don’t forget you have a partner network out there too; you need to acknowledge them and give them different methods of access,” he said.
In summary, Lord said, technology will only solve one piece of the puzzle. “It has always got to be an equal mix of technology, people and process,” he said.
However, IT professionals need to evolve their approach to security to meet the demands of new cyber risks. “We can’t just set highly-prescriptive policies; for me a more flexible, objectives-based approach works better,” Lord said, to make it easier to apply to ever-changing projects.
Improving public sector information security
The importance of improving information security in both public and private sector organisations was underlined by Mike St John-Green, former cyber security and information assurance advisor to the UK government.
He referred to remarks by UK foreign secretary William Hague at the launch of new cyber security guidance for companies early in September.
Hague said that over the past few decades the pace of technological change has been blistering and this change has been a huge boon to the UK, with 6% of GDP generated online and with online retail sales set to top £50bn this year. However, he warned that as online access becomes easier and more people spend time online, it is creating a fertile environment for cyber crime, cyber espionage and the activity of hackers.
Hague said the flip-side of the speed and breadth of this technological advance is that while we have embraced the good, we have not always done everything we might to prevent the bad, and at least one in five FTSE-listed companies has been compromised.
St John-Green, previously deputy director of CESG, the information assurance arm of GCHQ, said this strident message is being heard outside the UK – secretary of the US Department of Homeland Security, Janet Napolitano, said threats to US cyber infrastructure were “one of the most serious and rapidly evolving threats” the nation faces.
He said Napolitano concluded with a challenge: “Together we can – we must – maintain a cyber space that is safe and resilient, and that remains a source of tremendous opportunity in the years to come. To that end, we need the private sector to establish baseline cyber security practices for the nation’s core critical infrastructure. We need the private sector to support capacity building for cyber security at a level that gives us confidence that the measures being implemented will achieve the desired effect."
It is widely held that taking existing straightforward advice can help a company to guard against 80% of the known cyber threats, said St John-Green.
“This is good news. There is a choice of what constitutes that good advice and foreign secretary Hague, along with the trade secretary and minister for the Cabinet Office, launched a booklet with top 10 tips on 5 September,” he said.
By dealing with the 80% completely, he said, we are also making the other 20% harder. “We tip the scales, even for the most advanced attacker, within the 20%. Clearly, their task is made harder by removing the easy routes,” said St John-Green.
By improving the hygiene of the environment, he said, we reduce the ambient noise and make it harder for any attacker to hide. “We force those who want to attack our systems to move much more slowly and quietly, taking days and weeks to traverse our defences. And if our systems are criss-crossed with trip wires, we improve our chances of detecting them.”
St John-Green said that organisations also had to recognise that attackers are not necessarily outsiders. “They may be insiders, willing, deceived or coerced, or outsiders operating as proxy insiders, with privileges that allow them to pass through any boundary controls on the edges of the networks we control,” he said.
This realisation drives a different mentality of finer-grain security. “The fortress concept went a while ago, as we recognised that our dependence on close interaction with our supply chains extended our interests well beyond the edge of our own systems,” said St John-Green.
But, he said, more change is on the way. “For the future, we can no longer get the right security, by design, at the outset, and then leave it, like an unmanned burglar alarm, waiting to be woken in the night in the event of a potential intruder,” he said.
Therefore, organisations need to look for anomalous activity inside their systems. This may require better tools for systems and network managers and the time and encouragement to use them, he said, but it is certain that bad things will happen inside networks.
This means that networks can no longer be built to avoid this outcome, he said, particularly as there are other forces that make it impossible to have a fixed design with fixed defensive measures.
The fact that supply chains will continuously change and adapt, particularly with cloud-based services, and the fact that businesses want to harness social media and accommodate bring your own device (BYOD) programmes, will add further volatility and further reduce control over systems, said St John-Green.
“I argue that in order to deal with some of these forces, we must relax our controls and increase our detection and verification measures. We need a less rigid and brittle architecture with greater flexibility and greater monitoring. This is active risk management as distinct from risk avoidance. We need more active measures to deal with the balance of 20%,” he said.
St John-Green concluded by asking: Whose problem is this anyway? What role is government and what role the private sector?
In answer, he returned to quoting Hague, who said “It is not an issue that governments alone can address. In fact, nothing would be more self-defeating than the heavy hand of state control on the internet, which only thrives because of the talent of individuals and of industry within an open market for ideas and innovation.”
St John-Green said he believes that government does have a role to play, but in creating the environment for the market to operate and providing the framework of rules where the market is unable to operate safely without them.
“We all lack the instincts to manage and balance our risks in the same instinctive way we do when we cross the road or conduct other prosaic daily tasks. In most circumstances, we do not know what 'good enough' looks like in cyber security. We need to consolidate and simplify the confusing array of standards. As Janet Napolitano said, this is not government’s job alone,” he said.
But market maturity will come, St John-Green said: “I believe that those companies who can develop a brand associated with being safe, trusted and competent in this environment will benefit. We have seen over the past year or two, the public are increasingly intolerant of disruption and loss of service or data. I see an opportunity here for those companies that can get cyber security right and be seen by the market to do so."
This was first published in October 2012