We were somewhere in the second half of 2016 when the breaches began to take hold. I remember saying something like, “I feel we’re losing the security battle; maybe I should choose a different profession, one which isn’t cloaked in failure…” Suddenly, there were bats, music swelled loudly and I heard a familiar English accent: “Why do we fall? So we can learn to pick ourselves up”.
I’d fallen asleep watching "Batman Begins" again, and apparently the medication I’d taken for my cold had me on edge.
Beyond the movie, though, the security concerns I had were real. The steady march of companies getting breached continued throughout the year. There were plenty of shiny boxes, cool widgets, and even ‘pew pew’ maps, all designed to help companies be more secure – and yet the breaches kept happening.
Ransomware, DDoS, password dumps, privacy breaches, third-party failures, critical infrastructure, and many more security terms crept further into the mainstream lexicon with every new incident.
Many widespread security issues stem from poor architecture and include a lack of segregation, critical dependencies on legacy systems, and non-existent network diagrams or asset inventories. At the other end of the spectrum, a lack of user awareness and education often becomes a root cause of system compromise.
However, re-architecting systems, or re-training users, can be a bit like advising a zoo-keeper not to shoot a gorilla dragging a 5-year-old child – these are tasks that are easier said than done. In addition, replacing or upgrading legacy systems can be as challenging as getting the Titanic to perform a three-point turn.
This whole situation paints a grim picture, one which brings to mind the words of famed English poet William Wordsworth: “We poets in our youth begin in gladness; but thereof come in the end despondency and madness.”
However, IT security is not poetry, and despondency and madness need not overtake the reality that many breaches could have been prevented, or their impact minimised. This can, in fact, be accomplished by sticking to some of the fundamentals of security operations (SecOps) that have been practiced for many years.
Segregation of Duties
Segregation of duties goes beyond simply splitting a workload in half. You’re probably familiar with Uncle Ben’s phrase, “With great power comes great responsibility.”
The problem with this quote is that, in real life, people often can’t handle this responsibility. Power seems to have a strange effect on people. I’m perhaps one of the laziest people when it comes to fixing or decorating anything around the house. However, hand me a power-tool and I become a solution looking for a problem. My wife often reminds me that I “only pretend to be responsible when I'm around the kids", but this illustrates the need to have boundaries in place to control individual behaviour.
This is a well-understood phenomenon, and is one of the reasons why no-one likes dictators, because nothing can stop them from abusing their power. The potential for misuse is also why missile launches are controlled with many layers of checks and balances, culminating in two soldiers having to simultaneously turn their respective keys to activate a launch.
However, having properly segregated accounts and roles would not only prevent, say, a junior bank teller from making large financial transfers, but it would also limit the amount of damage that a criminal could do if they were to take over an account.
Rotation of Duties
Similar to segregation, but a more useful strategy for spotting insider threats, is rotation of duties. This can be a tough control to implement, however, especially in smaller organisations that have fewer staff to rotate.
The principle at work here is that if you force a break in an employee’s regular job, either by temporarily moving them into another role, or forcing them to take a mandatory minimum number of consecutive days off, it can bring to light any wrongdoing that that employee may be involved in.
Change Management
In larger organisations, change management can often be viewed as an overly bureaucratic overhead. However, it can also be an essential tool in safeguarding the integrity of the environment.
What you quickly come to realize is that even the most mundane of changes have an impact on security; if you’re lucky enough to be on the change approval board, then you need to be able to look at a change from all angles to make sure it doesn’t negatively affect the current security setup.
Once a colleague of mine received a change request which seemed simple enough on the surface - moving an application from one server to another. It seemed to be a capacity issue so it was approved and implemented. Only after we started seeing one application after another become unavailable did we realize that something wasn’t quite right. Turns out, the old server had deeper links to the running application than anyone had anticipated. This was the old days of NT4.0 and there were a lot of scripts with hardcoded information, so this "simple" change had much more serious consequences.
It’s not always the big changes that one has to worry about, though those are typically the ones that get all the attention. When making a change to your payment platform, for example, everyone is aware that security is of paramount importance and therefore will focus on it. It’s the smaller changes that often trip people up, though, so it's important to have tools to log, monitor and manage all changes.
Change management is also very useful for spotting when a change should not be occurring. If a change to the environment occurs with no corresponding change record, then it could very well be a sign that an attacker has gained a foothold into the network and is working their way through.
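The reconciliation described above, as an added example that is not part of the original post: observed changes are matched against approved change records by host and time window, and anything without a matching record is surfaced for investigation. The record fields, host names, ticket ids and the 30-minute grace period are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: approved change records (ticket, host, window).
CHANGE_RECORDS = [
    {"id": "CHG-1001", "host": "app01", "start": "2017-01-10T22:00", "end": "2017-01-11T02:00"},
    {"id": "CHG-1002", "host": "db02", "start": "2017-01-12T20:00", "end": "2017-01-12T23:00"},
]

# Constructed sample data: changes actually observed on hosts
# (for instance from file-integrity or configuration monitoring).
OBSERVED_CHANGES = [
    {"host": "app01", "time": "2017-01-10T23:15", "what": "service config modified"},
    {"host": "db02", "time": "2017-01-13T03:40", "what": "new local admin account"},
    {"host": "web03", "time": "2017-01-11T14:05", "what": "scheduled task created"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def reconcile(observed, records, grace=timedelta(minutes=30)):
    """Classify each observed change as approved, out_of_window or unapproved."""
    findings = []
    for ev in observed:
        when = _ts(ev["time"])
        host_records = [r for r in records if r["host"] == ev["host"]]
        match = next((r for r in host_records
                      if _ts(r["start"]) - grace <= when <= _ts(r["end"]) + grace), None)
        if match:
            status, ticket = "approved", match["id"]
        elif host_records:
            # A record exists for this host, but the change fell outside its window.
            status = "out_of_window"
            ticket = min(host_records, key=lambda r: abs(_ts(r["end"]) - when))["id"]
        else:
            status, ticket = "unapproved", None
        findings.append({**ev, "status": status, "ticket": ticket})
    return findings

def needs_investigation(findings):
    """Everything that did not line up with an approved change window."""
    return [f for f in findings if f["status"] != "approved"]

if __name__ == "__main__":
    for f in needs_investigation(reconcile(OBSERVED_CHANGES, CHANGE_RECORDS)):
        print(f["status"], f["host"], f["time"], f["what"], f["ticket"])
```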
Least Privilege
The principle of least privilege is to give people only the minimum level of access and rights needed for them to carry out their job. Like segregation of duties, this limits the amount of damage that can be inflicted if a user account is taken over.
Least privilege usually works in a manner similar to being on a bad diet. You cut out all the crap from your daily food intake and survive on lettuce, a thin slice of grilled chicken and bottled water because according to some Dr. at some university, that’s the least amount of food that you need to survive. But after a few days, the cravings begin. The chocolate, crisps and fried chicken seem ever so appetising and despite your best intentions, you fall into the trap and abandon your diet. The same thing often ends up happening with least privilege. An administrator might accept it at first, but then think that if only they had access to that extra terminal or function, it would make their life so much easier and let them get things done so much faster. Changes are made and the dividing lines are soon blurred, undermining the controls in place.
This is why it is important to regularly review access rights and privileges to ensure that the controls in place are the most appropriate. This may seem like an additional burden, but having such a system in place can hamper or fully deter an attacker that manages to get in.
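One way to run such a review, as an added example that is not part of the original post: each account's grants are compared with the minimum its role needs, and every extra entitlement is either revoked (if unused) or sent back for re-approval (if in active use). The role baselines, entitlement names, accounts and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: the minimum entitlements each role needs (assumed baseline).
ROLE_BASELINE = {
    "teller": {"view_account", "post_deposit"},
    "sysadmin": {"server_login", "restart_service"},
}

# Constructed sample data: what each account currently holds, and when each
# entitlement was last exercised (None = never seen in the logs).
ACCOUNTS = [
    {"user": "alice", "role": "teller",
     "grants": {"view_account": date(2017, 1, 9), "post_deposit": date(2017, 1, 9),
                "wire_transfer": None}},
    {"user": "bob", "role": "sysadmin",
     "grants": {"server_login": date(2017, 1, 8), "restart_service": date(2016, 12, 20),
                "db_admin": date(2017, 1, 5), "firewall_edit": date(2016, 6, 1)}},
]

def review(accounts, baseline, today, stale_days=90):
    """Return (user, entitlement, action) for every grant beyond the role baseline."""
    actions = []
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        for ent, last_used in sorted(acct["grants"].items()):
            if ent in allowed:
                continue  # within the minimum the role needs
            unused = last_used is None or (today - last_used).days > stale_days
            # Unused extras are revoked outright; extras in active use go back
            # to the access owner for re-approval or a baseline update.
            actions.append((acct["user"], ent, "revoke" if unused else "re-approve"))
    return actions

if __name__ == "__main__":
    for user, ent, action in review(ACCOUNTS, ROLE_BASELINE, date(2017, 1, 10)):
        print(f"{user:6} {ent:14} {action}")
```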
Monitoring and Auditing
In today’s day and age, it is relatively simple to pick up a technology that will unify logs and give an overview of all activity in the environment. The basic principles of monitoring remain the same though.
First, you need to be clear about what you’re looking for, and once you’ve found it, you need to know what to do with your alerts. I was once at a company that was suffering an attack. Someone was asked to look at the IDS logs; people started looking at each other, blank looks were exchanged and heads were scratched. Their portal had been online for over 2 years and had IDS sensors deployed, but no one had ever looked at them. In fact, no one even knew how to access the logs!
In addition to this, you have auditing. This is almost identical to monitoring, except it’s done at a later date. Auditing is about going through the systems and logs to make sure everything is working as intended. It’s more of a Columbo-style activity, where an auditor will look at samples of logs, check procedures and interview administrators.
Having suitable monitoring and auditing processes in place would perhaps have allowed many companies to detect and respond to breaches long before they became public.
What Does 2017 Hold?
As Sarah Connor tells us, “The future is not set, there's no fate but what we make for ourselves.”
2016 was pitted with many security failures, but history doesn’t have to be an indicator of what the future will hold. If we're always preoccupied with chasing after the next big thing like a kitten trying to catch the red dot of a laser pointer, it can become easy to forget, or overlook entirely, the basic security operations fundamentals that are essential for building and maintaining a strong foundation.