BreachExchange mailing list archives

Security hackers got you scared? Focus on fundamentals, not hype


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Dec 2013 17:23:01 -0700

http://thenextweb.com/dd/2013/12/27/security-hackers-got-scared-focus-fundamentals-hype/#!qK4Kb

You see them all over the news – reports of high-profile data breaches and
computer attacks. This is a result of increased dependence on computers and
increasing sophistication of the threats. Organizations and individuals who
rely on computers, whether they sit in the boardroom or the family room,
are wondering how they can protect against attacks, both old and new.

As technology evolves, so do the threats. While there have been significant
improvements in software development, the complexity of modern systems, the
demand for rapid software delivery and the improved organization of cyber
criminals (along with the development of an underground hacker economy)
have led to more and more attacks.

Criminals have figured out how to monetize the exploitation of software
vulnerabilities, resulting in large amounts of theft of both financial
assets and intellectual property. Now, hacking is big business, with losses
measured in the billions of dollars. Some of these threats have been
categorized with a relatively new label: Advanced Persistent Threats (APTs).

Sneaking in with zero days

The term “APT” is used so frequently it’s become a buzzword. It’s a threat
that uses advanced technology, typically zero day exploits that take
advantage of a previously unknown software vulnerability. This makes them
extremely dangerous because there is no fix and anti-virus and intrusion
detection systems, which rely on signatures of known exploits to work,
aren’t able to detect zero days.

APTs are persistent because once attackers are inside a target network,
they install remote control software, typically “Remote Access Tools,” to
maintain control of the system and access other computers in the
organization where account log-in credentials and intellectual property are
stored.

Firewalls and intrusion prevention systems, which consume so much of the IT
department’s time and budget, don’t effectively detect these kinds of
attacks. Once an attacker is in the network all bets are off.

The fact that perimeter-based security can’t prevent criminals from
compromising internal systems should be reason enough for organizations to
aim for a balance between preventative and detective security controls. If
you can’t stop all attacks, you need to be able to detect attacks so they
can be contained and to minimize loss of data.

However, as detailed in the 2013 Verizon Data Breach Investigations Report,
most organizations are not successful in detecting intrusions. Nearly 70
percent of the breaches were discovered by law enforcement, third-party
security monitoring providers or others and not the victim.

It’s also interesting to note that a majority (78 percent) of the data
breaches included in the Verizon report were a result of intrusions that
were considered easy. This seems at odds with the widespread focus on APTs.
If the majority of data breaches are resulting from easy intrusions, how
can organizations possibly expect to manage the much more sophisticated
targeted and advanced attacks?

Phishing for APT victims

One of the most common compromise methods is phishing, where victims are
lured into clicking on malicious email attachments or URLs.

Chances are greater than 50 percent that a link or attachment in an email
sent to three employees will be clicked by at least one of them, according
to research conducted by ThreatSim, as detailed in the Verizon report. With
success rates as high as this, attackers don’t need to use advanced methods.

Statistics like these have led to a bunch of new anti-APT products.
Security conferences are full of vendors making exaggerated claims that
they can prevent APTs. While many solutions may in fact be valuable tools
in an organization’s arsenal, they aren’t adequate on their own.

Without a strong risk-based approach, an organization won’t have much of a
fighting chance of managing the potential loss of data and other
consequences from an attack, even with the latest APT tools.

So, how do you build a strong, risk-based information security program?

Frameworks focused on risk have been around for a while, such as
ISO-27000 and NIST SP-800-53. They are fairly straightforward, but their
implementation can be challenging, especially for information security
teams that are already very low on resources and overwhelmed by the
challenges of maintaining their existing controls and compliance program
requirements.

20 Critical Controls

One way to solve this problem is to adopt a methodology that includes
controls that have been proven to be effective at reducing the risk of real
threats. The 20 Critical Security Controls do, plus they are appropriate for
organizations with mature risk programs and those with less mature programs.

They were first published by the Center for Strategic and International
Studies and later maintained by SANS. They have recently transitioned
to the newly formed international organization, The Council on
CyberSecurity.

Currently in their fourth major release (version 4.1), the controls are
updated as necessary, based on international collaborative research on
current threats and effective measures at preventing attacks. The 20
Critical Controls include 15 technical security controls that lend
themselves to automation and five foundational controls that may require
manual validation.

The fact that most can be automated is significant. Information security
vendors have thrown support behind the controls and are working to provide
automated tools to implement them. Because it’s a community-driven effort
it’s likely to thrive.

This project is seeking input from all parties. I recently attended a
summit in Washington D.C. on the 20 Critical Security Controls that was
extremely productive. A similar summit was held in London this past spring.
This collaborative effort seems to be gaining traction among organizations
as a common sense approach to the challenges and evolving threats they face.

Many information security professionals are excited about the potential for
improving their information security programs by using a prioritized,
flexible methodology. It’s important to know that it does not replace
ISO-27000 and NIST SP-800-53, as the controls include mappings to both.
Instead, the controls provide an approach that allows organizations to
prioritize control implementation in a way that can be tailored to fit
their needs.

While APTs present a very real threat, the terms we use to describe current
threats will change over time. Today, we are talking about APTs and
phishing. In the past we’ve faced worms, viruses and trojans. Who knows
what the threats of tomorrow will be?

The key to improving your organization’s information security posture is to
adopt a risk-based approach that balances preventative and detective
capabilities, with extensive automation and flexible, proven controls.