BreachExchange mailing list archives

Secrets are the enemy of a good security defense


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:07:13 -0600

http://www.infoworld.com/article/2909219/security/secrets-are-the-enemy-of-a-good-security-defense.html

Companies frequently call me to assist them after they've suffered a big
hack. Often, the company turns out to be a major corporation, with the hack
resulting in a big leak of customer information -- which may even surface
in news cycles for a week or two. Usually, several security teams are
involved, but everyone's goal is to make the company more secure and reduce
risk of another, similar compromise.

I always ask, "How did the hack occur?" I'm astounded by how few of the
project team members know and how many hacked companies don't want to share
the answer. I'm here to tell you that secrets don't help defenses. How can
anyone really help you reduce risk if your biggest risks are unknown?

In an earlier life, I was an EMT paramedic. Every good emergency care
provider learns to ask the patient what's wrong or what hurts -- even when
the illness or injury appears obvious. For example, I once arrived on a
scene where a 17-year-old teenager had driven her car into a stationary
vehicle. She was sitting in the front seat with her legs dangling out of
the open driver's door. As I walked up, I could see a fractured femur bone
sticking up through her jeans.

Still, I asked her the question, "Where does it hurt?"

A few of the firemen behind me laughed, and one said, "I can tell where it
hurts!" Actually, I too fully expected her to say that her leg hurt, but
she didn't. Instead, she said, "My stomach hurts." With that, I got her
into the ambulance as quickly as possible without spending a lot of time
splinting the leg and started an IV. I told the ambulance driver to hurry.

She began to cough up copious amounts of blood. Her blood pressure dropped
and she became unconscious, due to internal tears and bleeding. They were
able to save her life, thanks to the early IV, a fast trip to the hospital,
and emergency surgery.

Even though you think you know the answer, asking the obvious question is
key to saving the patient. The same applies to cyber forensics and defense:
I can't do my job to the best of my abilities if I don't know what hurts
the patient the most.

Most companies are compromised because of unpatched software or social
engineering. Yet you'd be surprised how many of these same companies focus
on other factors. Instead, they spend most of their energy and money
installing better event monitoring tools, hardening computers, deploying
better firewalls, and adding stronger authentication.

When I ask if any of these actions would have prevented the hackers from
breaking in, the question is often met with stony silence -- for good
reason. Those measures would not have helped.

Unfortunately, more than likely I won't have a clue about which
countermeasures will or won't work because the company wants to keep the
details of the hack a secret. Usually, they tell only a small, select group
of people. Everyone else is on a need-to-know basis, with the presumption
that they don't need to know.

I'm not sure why this attitude is so prevalent in companies that have been
hacked, but I suspect it's an attempt to limit public outcry and to keep
the details from reaching other potential hackers. I get that; it's a
laudable goal. But when the people trying to help you don't know the
biggest problems, they can't assist you beyond a certain point.

If I don't know the reasons why a company was hacked, the best I can do is
look at all the risks, take my best guess as to what the biggest risks are,
and ask the company to fix them. But I have no way of knowing if my
recommendations will help repair the vulnerabilities that were exploited.

Sometimes such secrecy is so pervasive that even the people supposedly in
the know don't really know. I was at one company that recently discovered
it had been hacked, but no one had the authority to tell me how the hackers
did it. I asked to the point of annoyance. I was eventually referred to the
CIO, and although he was resistant to sharing, he eventually relented and
said I could talk to two of his project heads and learn the details.

I talked to them individually and got two wildly different stories.

The first guy I interviewed said the hackers were run of the mill. They did
nothing to differentiate themselves from every other hacker group he had
ever read about. The second guy, the head of computer security, said these
were incredibly sophisticated hackers, using techniques he'd never heard of
before. He said they moved about and did things without making a mistake.
He said they typed in long, complicated directory names like they did it
every day. He said it was obvious that they had been in the system for
years.

Two of the people with a supposed common set of facts were living in
totally different realities. How can you most efficiently address the
threat if you can't agree what the threat is? This company was keeping a
secret from itself.

I'm sharing these personal stories for a nonpersonal reason. If you're
trying your best to recover from a big hack, refusing to share information
isn't helping you. More likely, it's hurting your recovery and future
defense. Conversely, if you're asked to participate in a project to reduce
the risk of malicious hacking after the fact, make sure your first question
is, "How did the company get hacked?" The answer quite often makes all the
difference.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss