A core dilemma for IT today is how to properly protect the organizations' information systems and assets given security tools often seem like a black hole sucking down both time and money. But a strong defense doesn't have to be expensive, and a good place to start is assessing what information is publicly available and figuring out how to safeguard it from attack.
It's easy to get caught up in the hype around who might be attacking organizations and why, which leads to misconceptions about the requirements and costs associated with effective security. Companies need to approach security more fundamentally and strategically. They should also be looking at it from the attacker's viewpoint, trying to identify what there is to steal and how to go about it. Those answers should be the guide for an organization's defense system planning.
During a panel discussion at the ISSA Los Angeles (ISSALA) Security Summit in May, BeyondTrust CTO Marc Maiffret gave a good example of how media and vendor messaging both fuel and respond to trends and public interest in security, and in turn, can influence how organizations view risk and evaluate their security needs.
As Maiffret noted, distributed denial-of-service (DDoS) attacks get the media's immediate and focused attention because the events are visible to the public. The world takes notice when a prominent hosting provider, financial institution, or social network service goes offline due to a DDoS attack. The event is easy to spot, the result of the downtime is often newsworthy, and the human nature aspects of the event appeal to the masses.
As public and media attention get soaked up by the who and the why of the equation, vendors capitalize on the hype by tapping into the consumer fear factor and by shaping their product messaging around what's hot in the news. Such marketing tactics draw in even more media and public attention, and so the hype cycle continues, building and building like a snowball. All this noise scares organizations into investing to fight off the bad guys.
But what good to an organization is any security program -- expensive or not -- if the organization doesn't even know what it needs to protect or how vulnerable to attack they are to begin with?
Every organization's security needs are unique -- as are the capabilities of every security product -- and so the same product that works well for one organization may be completely useless to another. And, while each organization does have its own unique circumstances, all organizations still share in common the simple fact that any publicly accessible information they have is also readily available to attackers. No security product in the world can change that reality, no matter what a vendor's messaging may suggest its product can do.
Certainly, organizations have to ask a lot of tough questions if they are to properly protect their systems, business data and intellectual property. But while the answers to the questions of who would attack their systems and why are extremely important for building out successful security programs, these two questions should only be addressed after determining what attackers would target and how.
This theme crept into many of the sessions at ISSALA. Among the speakers who covered the topic was McAfee's Security Research and Communications Director David Marcus, who discussed at length how hackers can leverage open source intelligence (OSINT) as a means to gain insight into an organizations' infrastructure, technologies and operations.
During his session, Marcus provided a healthy list of tools used by these innovative and collaborative adversaries, including Twitter, Pastebin, SHODAN and Metasploit. Presenting results from the use of these tools, Marcus showed the audience how easy it is to identify, capture, share and use public-facing information to extract knowledge which could be used to attack an organization.
To further illustrate the point, Marcus described how these same methods could be used to attack the critical infrastructure -- more pointedly, the seemingly forever-vulnerable SCADA systems.
For example, the public Pastebin clipboard could be used to search for the tag words #SCADA and #IDIOTS to find public information about SCADA devices around the world, including publicly visible IP addresses of already identified vulnerable SCADA systems. The resulting search information, which was likely uploaded by attackers and hactivists, could then be dumped into a Google search to find up to 15 times more SCADA sites that are vulnerable to the same or similar exploits, according to Marcus.
Marcus also described how one could authenticate as an administrator to these sites, completely unfettered. Once connected, one could read the contents of the system databases, change the configurations of the devices, install malicious code, and even reboot the systems with the click of a button.
So, how do we break out of this rut of focusing on the who and the why driven by media and vendor messaging? This is where the old saying "the best defense is a good offense" comes in. That's what SANS Institute's Director of Research Alan Paller told the audience at the ISSALA conference. Marcus shared these five tips:
1. Embrace and operationalize OSINT -- use tools such as Twitter, Pastebin and SHODAN to identify and capture public-facing information about your own organization and systems. This open source, publicly available information has a lot to teach us. It can provide an organization with its own insight as to how the enemy views its infrastructure and operations.
2. Don't make decisions based on industry or marketing buzzwords -- don't worry about advanced persistent threats (APTs) so much as understanding what the prize is and how an attacker could gain access to this prize.
Marcus says to "go for the basics." All of the SCADA systems identified and accessed by Marcus failed the basic security measures during Marcus' demonstration, even though the operators of the systems likely had intrusion prevention systems (IPS), intrusion detection systems (IDS), and other APT-fighting technologies in place to guard against attack, as most organizations do today. "These protections likely weren't configured properly or simply weren't capable of guarding against the well-known vulnerabilities," said Marcus.
3. Move beyond the penetration test -- leverage red teams. There is a big difference between red team actions and penetration test results. A red team will take a system down when and where it really matters to the business, whereas a pentest will pretty much only point out that "there is a vulnerability that needs to be fixed."
Concerted efforts to move from traditional pentests to security programs that incorporate red teams should be made by organizations that truly care about securing their environments. Organizations really need to figure out what the real vulnerabilities are within their environments. "Shake it and make it bleed. ... break it and own it," says Marcus.
4. Have an extensive internal CERT team. It is important to bring in trusted security partners and solution providers that an organization already relies on for protection technology. Marcus says "don't just view your vendor as the AV DAT guys -- they know a lot about malware and other attack methods. Leverage their knowledge, expertise, and manpower."
5. Establish partnerships for information sharing. The next big boom in cybersecurity will surround intelligence and attribution. It will be critical for organizations to not only detect they are under attack, but to also know who wrote the attack such that the authorities can then locate the source behind the attack.
Information is golden, though many organizations fail to utilize the information they (and their adversaries) have available. It's clear, a strong cyber-defense can be gained from leveraging open source intelligence. This begs the question, when was the last time your organization checked to see what the public knows about your environment?
Sean Martin is a CISSP and the founder of imsmartin consulting. Write him at firstname.lastname@example.org.