It will come as no surprise that preliminary analysis of results so far in our latest reader survey (still open here) suggests that corporate networks are going to come under increasing pressure as traffic volumes and patterns evolve. As part of this, it’s clear that most people are anticipating a world in which not just …
Friendly Fire - Senior Management
Unfortunately in many organisations, senior management seem to expect to not have to conform to IT standards. If the CEO demands full access to business applications and internet porn from his laptop then the first line of defence already has a hole in it. Where possible, applications should be designed on the assumption that there are threats already inside the corporate firewall.
(In military terms, the corporate firewall is like the AA defenses around a base - it protects from hostile enemy aircraft but cannot protect from someone rolling a grenade into your tent - to protect against that you need additional security.)
Corporate firewall grenade?
@Duncan Macdonald: "In military terms, the corporate firewall is like the AA defenses around a base - it protects from hostile enemy aircraft but cannot protect from someone rolling a grenade into your tent - to protect against that you need additional security."
Given today's design philosophy, a corporate firewall is as much use as asking people 'are you carrying any grenades' before letting them enter the base.
To continue the analogy, given the accuracy of current missiles, a fixed base is a liability, better to keep the whole army mobile, never in the same place two days in a row and never-ever lets the locals onto base.
Re: Friendly Fire - Senior Management
Yup and bat you away and tell you no when you try to implement simple stuff like disable access to external storage drives
Perimeter defense almost worthless
Saw an enlightening talk by the CTO of Trend Micro a few months back, hoping the org that hosted the event posts the video online, been waiting months and nothing yet.. here is another video with him from another event that is similar (though the talk I saw was ~45min this is ~10)
I didn't learn anything but it was awesome to see the honesty come from someone in his position where he just comes out and says it - if someone wants to get in, they get in. Just accept it. Doesn't matter how much you invest it won't be enough. His summary of the RSA break in was entertaining as well. He admits his own industry is at fault in putting a false sense of security in their customers "just buy this product it will make you safe". At the end he was pitching a new product of theirs but he said on several occasions that it won't protect you against everything.
Here's a PDF from the presentation I was at
Security is not my focus so I don't try to stay on top of everything in that field but his coverage of the bank attack in Korea was quite good too (page 36 of the PDF), nearly 50,000 computers disabled. In all 76 tailor-made malware were used, targeting both Windows and Linux/Unix systems.
I normally skip keynotes and stuff at events(the events that I do attend, which in itself is rare). This guy was just great though.
Perhaps the most ..informative stat(?) he cited is in 2012 the average time an attacker has access to a network before detection is 210 days (35 days longer than 2011).
Seeing that makes me glad security is not my focus, because really those guys are fighting a war they simply cannot win. "Ooh look this new shiny firewall or IDS/IPS!! But we still got hacked......."
I dealt with a hacked system on Sunday, first time in probably 5 years I've been involved in one. System wasn't being managed by anyone, ran a wordpress blog that was out of date. It seems like some worm got in by one of the recent code execution exploits, for some reason it wiped out the data on the wordpress blog itself (seems careless because that's how it was detected almost immediately) and downloaded some files and basically turned the host into a bitcoin mining operation(complete with fake program signatures to make it look like normal processes were running, and a crontab to re-download itself every so often). I don't believe they ever got root as they never wiped any of the logs, the apache error logs clearly showed the exploit in action. The IT folks restored the system from an earlier backup and updated wordpress. Now they want to transition responsibility of this system to me but I want nothing of it. It was an interesting exercise though, took only maybe 5 minutes to determine what was going on, obviously not a sophisticated attack.
In the event on Sunday there was absolutely no fancy security system in place, the incident was picked up on basic monitors within minutes of it happening because the worm/attacker wiped out the data causing the website to return errors.
best security defense
IMO the best security defense you can have is not to be an attractive target to begin with. Obviously not possible for many big organizations.. But for smaller ones, that will get you more than any technology or training or policy.
It usually comes down to the value of your data to other folks, if your data is not that valuable (reality here not what value you put on it personally) then it's less likely to be attacked, there's other more tempting targets.
That doesn't protect you against worms/viruses which don't discriminate on who they attack of course but those things can often be effectively blocked by traditional security measures IDS/IPS/firewall/AV/etc etc..
If you can build it...
You can knock it down.
If you create something.
You can destroy something.
If you can code it.
You can hack it.
It's fact and bleeding obvious, I fail to comprehend how we have got here, people don't get all suprised when their car gets stolen or house gets broken into, "Um, I had windows and an Alarm! WTF?!" so why are people so blind to this fact when talking IT, I can understand a technophobe to some extent maybe but the problem is much wider. :(
Does raise the question though, how much SHOULD you spend on security?
How long is a piece of string I guess.
Perimeter security is insufficient
The problem with perimeter security is that once people are in, they can move freely. A much better way of thinking is to assume that you are already compromised and actively monitor for bad behaviour. Regard the perimeter security as something that keeps the volume of intrusions down rather than something that stops them completely.
A big problem with detecting bad behaviour is that you need to know what good behaviour is first. This can be a daunting thing to define in a corporate network. There's a company called DarkTrace that have developed a Bayesian machine learning thing which can differentiate good from bad for you (http://www.darktrace.com/) and I'm willing to bet that this is where the future of security lies.
Virtual perimeter network ..
"most people are anticipating a world in which .. external parties will be accessing applications from both inside and outside the physical organisation boundary."
Design your system so as there *is* no inside, everyone accesses the system through VPN running off of a hardware token, and a full and irrevocable audit trail at the server end.
We lock down our perimeter systems as well as the next man but we have had two breaches to TS servers. (with clients who had no 2 factor)
In each case we discovered the breach within 24 hours but, although we had full logs, in once case a full TSrecord of the activities as well as a snapshot of the VM - we could not get the case looked at by a policing force.
On tape (as it were): Somebody hacked into a system (using an RDP exploit) changed the language to japanese and then logged onto their live.com account, facebook account and google account. They then downloaded ddos software from a premium file share account and proceeded to ddos a handbag manufacturer whilst google adwording their own and false clicking in facebook using something <odd>
We had all this + his facebook, google and MSN account details and NOBODY in the UK was interested. Not the police, not facebook, not microsoft. not google.
In the other instance they had a look around couldn't get anywhere on the network, couldn't install anything and so left a sa remote app running.
It also astounds me that companies tout UTM or full solution capability, when, whilst they might well be sourcing alternative detection and removal methods from 3rd parties they are not a single solution at all. In 30 odd sites we run 2 different AV's on the firewalls + lookups, 1 different AV on the desktop and STILL many things fall down to malwarebytes on the desktop. And in some cases MS essentials / defender. It astounds me a) how users can do this. b) how 4 layers of protection costing upwards of £200 per user can let this shit in for it to be smitten by a £20 malware scanner, (Who are gracious enough to say they are not an AV replacement) and I know malware is a different category, but sophos, trend and Symantec all claim to defend against it, I guess that's why they spam OEM machines.
That doesn't even take into account the real human problems of receptionists handing out internally routable wifi keys rather than guest passes or letting people sit at their seats for 5 minutes to check gmail... with their pen drive...
Like the government, we have resorted to spot checks, random changes and ensuring many many backups exist/
And from foot+gun
We have had no break-ins, no internal cyber-attacks.
But I did get confused about whether I was on the main or backup SAN when I did a factory reset (oops)
ps. it wasn't my fault, the login to the backup failed (which is why I needed to reset it) so the management console closed the window on the backup and dropped me to the already logged in console window on the main!
pps. This is why you always set the desktop background on the production server admin account to red and the backup to green
- ASTEROID'S SHOCK DINO-KILLING SPREE just bad luck - boffins
- BEST BATTERY EVER: All lithium, all the time, plus a dash of carbon nano-stuff
- Stick a 4K in them: Super high-res TVs are DONE
- Review You didn't get the MeMO? Asus Pad 7 Android tab is ... not bad
- FTC to mobile carriers: If you could stop text scammers being jerks that'd be just great