Cybersecurity is by no means the only profession that struggles with the question of how to best manage risk with limited resources. Consider medicine. I once asked my family doctor how he decides what to look for during a physical exam. “I’ve got 20 minutes,” he replied, “so I’m looking for what’s most likely to kill you in the next year.” Security professionals should incorporate a similar approach into their risk management activities.
Considering the major security breaches that have occurred over the last few years, there appear to be four deadly threats to corporate information systems: vulnerable web applications, inadequate authentication for remote access, administrator endpoint compromise, and malicious insiders.
Web application vulnerabilities continue to plague the IT landscape because developers poorly architect web applications. All input must be validated and constrained to expected parameters (including character set and length). System design should take into account that the web application may be compromised.
Instead of providing web applications with a single set of database credentials and requiring the application to perform privilege management functions, user authentication and privilege management should be delegated to the database or a second application tier. The common two-tier architecture (web application and database) fails to adequately protect sensitive information. Compromising a web server should not result in unrestricted access to the database.
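As an added illustration (not from the column), the following PostgreSQL snippet contrasts the shared-credential two-tier pattern with privilege management delegated to the database itself. The customers table, its columns, the role names and the passwords are hypothetical placeholders.

```sql
-- Constructed sample schema: each row belongs to one application user.
CREATE TABLE customers (
  id         serial PRIMARY KEY,
  owner_role text   NOT NULL,   -- database role that owns this row
  card_last4 text
);

-- WEAK (two-tier): the web application holds one all-powerful credential
-- and is trusted to add "WHERE owner = ?" itself. A compromised web server
-- can read every row.
CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me';
GRANT ALL ON customers TO webapp;

-- HARDENED: the database enforces who may see what.
REVOKE ALL ON customers FROM PUBLIC, webapp;

-- The login role the web tier connects with owns nothing and, because of
-- NOINHERIT, gains no table privileges until it explicitly switches role.
CREATE ROLE webapp_login LOGIN PASSWORD 'placeholder-change-me' NOINHERIT;

-- One non-login role per application user (or per user group).
CREATE ROLE app_user_alice NOLOGIN;
CREATE ROLE app_user_bob   NOLOGIN;
GRANT app_user_alice, app_user_bob TO webapp_login;   -- permits SET ROLE only

-- Table privileges go to the user roles, never to webapp_login directly.
GRANT SELECT, UPDATE ON customers TO app_user_alice, app_user_bob;

-- Row-level security: a role sees only the rows it owns, even if the
-- application forgets its WHERE clause or is fully compromised.
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
ALTER TABLE customers FORCE  ROW LEVEL SECURITY;   -- applies to the owner too
CREATE POLICY own_rows ON customers
  USING (owner_role = current_user);

-- Per request, once the end user has been authenticated:
BEGIN;
SET LOCAL ROLE app_user_alice;   -- rejected unless webapp_login holds this role
SELECT id, card_last4 FROM customers;   -- only Alice's rows are visible
COMMIT;                          -- SET LOCAL reverts at transaction end
```

A compromised web server can still SET ROLE to any role granted to webapp_login, so that grant list must be kept minimal; having a separate tier authenticate end users and connect on their own credentials removes even that exposure.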
Some of the largest data breaches began with inadequate remote access authentication. The initial penetration of Target’s network occurred using credentials stolen from an HVAC subcontractor that had worked at a number of Target locations. Employees, subcontractors, business partners, and service providers often require remote access. Strong two-factor authentication should be considered a hard requirement for all remote access. Apple, Amazon, Google, and Microsoft all offer customers the option to use multi-factor authentication. There is a good reason; they all recognize that passwords are too easily guessed and stolen.
Confidential corporate data published on the Internet strongly suggests that some intrusions were accomplished by compromising an administrator’s PC. In the recent case of the Hacking Team breach, the intruder published approximately 400 GB of client files, contracts, financial documents, internal emails, and source code, tweeting the URL from Hacking Team’s own Twitter account. It is highly unlikely that multiple data sources were compromised using separate vulnerabilities. It is far more likely that the intruder compromised an administrator’s PC and leveraged the privileged access.
Directly targeting system administrators is a reliable attack vector. Once an attacker succeeds in placing malware on an administrator’s PC, keystroke recording and remote control capabilities deliver the keys to the kingdom. These attacks will continue to succeed until system administrators stop performing tasks requiring elevated privileges from the same PC on which they surf the web and read email.
Perhaps the most difficult threat to address is the malicious insider. Notwithstanding how one may feel about his motivations, the Snowden case clearly demonstrates the volume of sensitive data an insider can exfiltrate. Combating the insider threat requires a multidisciplinary approach. From a technical perspective, the ability to monitor and audit user activity is essential. It is simply unacceptable that many organizations are unable to log events such as files retrieved from internal servers. New approaches to monitoring, auditing, and detecting questionable user behaviour are required.
Improved personnel security measures are also required. Employers sometimes contribute to their own personnel security problems by treating employees unfairly. Programs to improve employee morale, ensure that employees with grievances feel heard, and assist employees with personal problems are a worthwhile investment. Ultimately, however, employees who are disgruntled, hostile, or otherwise present security risks should be terminated, especially if they are in a sensitive role.
While these four areas obviously don’t include every possible compromise scenario, significant progress can be made by working to mitigate these four deadly threats.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org