Why we need to rethink how we view security

Filed Under: Data loss, Denial of Service, Featured, Phishing, Privacy, Ransomware, Security threats

Looking back at the major security stories of the last few months, there's something of a pattern emerging.

While many may seem to be down to a simple flaw in a single layer of security, on deeper examination most actually involve problems with multiple layers, and highlight the importance of an in-depth approach to security.

Target breach

Let's start with the recent, epic Target breach. Their POS systems got infected with malware, which harvested card data and sent it off to the bad guys, to do with as they please.

Sounds pretty simple - their anti-malware let them down. It should have spotted and blocked the malware in the first place.

OK, so there's some truth in that, but anyone who claims (or expects) 100% detection of all malware from any solution is at best enormously optimistic, at worst horribly naive.

There are several other problems here. We know the malware was there, but how did it get put in place?

The details are still a little nebulous and speculative, but it seems like the initial breach may be connected with third-party contractors - possibly maintenance people - who had remote access to Target's networks.

If this is accurate, the penetration vector itself breaks down into a number of smaller issues.

The contractors weren't properly audited for their own security policy, so they were likely more open to breaches than Target itself was (or thought it was).

The methods they used for remote access weren't adequately secured, with no two-factor authentication to prove that it really was them trying to log in.

And the networks weren't properly segregated, so the hackers were able to cross over from the systems the contractor needed to access, controlling heating and AC, to much more sensitive systems handling payment card data.

There are still more layers to the breach, ending with the final exfiltration. Huge amounts of card data being sent outside the corporate network is just the kind of thing Data Leak Prevention (DLP) is supposed to watch out for and block, but in this case didn't.

It even seems like Target was warned of potential vulnerabilities, indicating a problem with the chain of command and the passing on of security warnings to the right people.

So, a lot of different problems all converged, creating what has been described as a "perfect storm". Or to put it another way, a nice, easy way for hackers to notch up another record haul of records.

If any of these layers were properly covered, it may not have totally prevented the breach, but it should at least have made things a little harder for the bad guys, minimised the extent of the leak or made it easier for law enforcement to track them down afterwards.

Cryptolocker

Moving on, Cryptolocker is another major headline of late, and again seems simple - again, anti-malware let people down and failed to prevent their systems from being infected.

But that in itself wouldn't have been catastrophic had proper security procedures been maintained by victims.

Backing up vital data is one of the cornerstones of safe computing, protecting against hardware failure and accidental deletion as well as malicious actions.

Had we all stuck to strict backup regimes, there would have been no need for anyone to hand over their bitcoins to any nasty people.

In business and institutional settings, backups should be one of the first things we put in place, so we would certainly not expect a company or police force to succumb to extortion.

SEA hijacks

Another recurring headline-maker is the Syrian Electronic Army and its serial hijacking of websites and social media accounts.

This is mostly being achieved through spear-phishing and social engineering, so it seems like a simple case of inadequate education of staff with sensitive access rights. If they were properly taught how to spot phishes and how to keep credentials safe, these penetrations would never happen.

But there is another side. We can't rely on humans alone for our security, so there should be both technical and policy-level checks in place.

Two-factor authentication systems are available for most social media sites and many website management services, and would do much to mitigate the risk of social engineering attacks.

Mail filters could also be doing a better job of spotting spoofed "From" addresses and so on, making it harder for phishers to assume unwarranted authenticity.
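As an added illustration of the kind of check such a mail filter can run (this is not code from the article or from Naked Security), the snippet below scores a raw message on the header mismatches that make spoofed senders stand out: envelope sender and Reply-To on a different domain from the From address, an internal-looking From that the organisation's own MX did not authenticate, and a colleague's display name on an outside address. The domain list, staff names and sample messages are assumed and constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data (not from the article): its own mail domains and
# the display names of staff that phishers commonly impersonate.
INTERNAL_DOMAINS = {"news.example"}
KNOWN_STAFF_NAMES = {"jane editor"}


def _parts(header):
    """Split an address header into (display name, domain), both lower-cased."""
    name, addr = parseaddr(str(header or ""))
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return spoofing signals found in one raw RFC 5322 message (hints, not a verdict)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, from_dom = _parts(msg.get("From"))
    findings = []
    # Envelope sender (Return-Path is written by the receiving MTA) on another domain.
    if msg.get("Return-Path") and _parts(msg["Return-Path"])[1] != from_dom:
        findings.append("return-path-mismatch")
    # Replies quietly redirected to a mailbox on a third domain.
    if msg.get("Reply-To") and _parts(msg["Reply-To"])[1] != from_dom:
        findings.append("reply-to-mismatch")
    # From claims one of our own domains but our MX recorded no SPF or DKIM pass.
    # Assumes the MX strips any Authentication-Results header supplied by outsiders.
    auth = str(msg.get("Authentication-Results", ""))
    if from_dom in INTERNAL_DOMAINS and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal-domain-unauthenticated")
    # A colleague's display name on an outside address: the classic spear-phish lure.
    if from_dom not in INTERNAL_DOMAINS and name in KNOWN_STAFF_NAMES:
        findings.append("display-name-impersonation")
    return findings


# Constructed sample messages (headers only): a genuine one, a forged internal
# From address, and a webmail address borrowing a colleague's name.
LEGIT = ("From: Jane Editor <jane@news.example>\nReturn-Path: <jane@news.example>\n"
         "Authentication-Results: mx.news.example; spf=pass; dkim=pass\n")
FORGED = ("From: Jane Editor <jane@news.example>\nReturn-Path: <bounce@attacker.example>\n"
          "Reply-To: jane.editor@webmail.example\n"
          "Authentication-Results: mx.news.example; spf=fail; dkim=none\n")
LOOKALIKE = ("From: Jane Editor <jane.editor@webmail.example>\n"
             "Return-Path: <jane.editor@webmail.example>\n"
             "Authentication-Results: mx.news.example; spf=pass; dkim=pass\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("forged", FORGED), ("lookalike", LOOKALIKE)):
        print(label, spoof_indicators(raw) or ["clean"])
```

Each signal is meant to feed a score alongside SPF/DKIM/DMARC results rather than to block on its own, since legitimate bulk mail routinely has a Return-Path on another domain.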

Snowden NSA leaks

Of course the biggest security story of the last year or so is the saga of Edward Snowden and the NSA. Much of the scandal here has been from a privacy angle, but from the beginning it had a security aspect too, sparking concerns about how good our secret services are at keeping their own secrets.

This one also seems simple - Snowden shouldn't have been able to gather up so much information and sneak it out to the world (although many are, of course, glad he did).

Crawling a local network to gather all its files and writing them to a USB stick sounds like exactly the kind of thing DLP should be spotting, but it was either not in place or was easily bypassed. QED.

Once again though, we're seeing other layers of problems. Snowden, it seems, did much of his harvesting using other people's logins, shared with him knowingly.

This is another security basic - you get your login with its associated rights, and that's what you use. If someone else asks you to log in for them, and to let them do things under your name, that should be a huge red flag.

Rights are assigned based on need, and if someone needs access to something they don't have the rights for, it's not for you to decide that they should have access and let them use your account - pass them on to the person who assigns the rights, and let them argue over whether they have been properly assigned.

The affair, like Target, also highlights the dangers of allowing third-party contractors access to sensitive networks without proper vetting, control, and oversight.

How not to join this list

All these major incidents show the importance of defence in depth, and the dangers of overlooking vital security layers. In each of these cases, problems are revealed with what should have been multiple layers of protection.

Security isn't about just installing anti-malware and checking people's ID badges. It should be a vital consideration for any system you deploy and any process you adopt.

So any time you're installing a new system or piece of software, setting up or redesigning a network, hiring a new staffer or contractor, defining a new process or protocol, getting involved with a trendy, new communication method, or anything that affects you or your users/customers/clients/friends/family/colleagues, think about the security risks and what can be done to mitigate them.

Go back over all your old stuff and think the same thought. Think about it every time you use these systems and processes too.

Any gap in our security thinking can be leveraged by the bad guys, and multiple gaps can lead to massive incidents like these.

To be effective, security needs to be everywhere.


Image of layered sweaters courtesy of Shutterstock.


7 Responses to Why we need to rethink how we view security

  1. Stephen H · 164 days ago

    This article fails to note that while the NSA has tried everything possible to paint Edward Snowden in the worst light possible, many of its claims about him have been totally disproven.

    He has denied using anyone else's access, and given the NSA's record so far on this whole affair, I find it much more likely that the NSA had abysmal security systems in place than that Snowden needed to trick his fellow workers.

    In fact, didn't one of those fellow workers deny the idea that Snowden used other people's accounts?

    The NSA is getting too much of a hand up from some media outlets keen to run the "spying" line and not so keen to look at the details. I would be surprised and disappointed if Naked Security joined that cadre.

    • I'm not trying to give comfort to the NSA here, quite the opposite - whatever techniques Snowden may or may not have used, the fact that he got this information out at all is a clear sign that, as you say, the NSA's data security was pretty poor, with more than one severe problem.

      • Stephen H · 163 days ago

        John, apologies if my first comment was rather too blunt. My concern is that blame needs to go in more than one direction.

        In Target's case, the blame can be shared by Target, the outsourced provider, whoever maintains the POS terminals, and the OS manufacturer (Microsoft).

        In the case of Cryptolocker, the blame can be at least in some part attributed to OS producers. It should be reasonably easy to sandbox whatever a web browser downloads (Sandboxie does it). Even easier at the OS level, but in the meantime there are a lot of companies that make money by claiming to protect you from bad guys. They need to put my money (since I am one of hundreds of millions of people paying for security software) where their mouths are. Again, sandboxes - or perhaps implementing rules about not allowing executables to run from your download folder. But that would be more sensible as an OS measure.

        What is really annoying about Cryptolocker(s) is that the successors require AV database updates, which take time. We need solutions to the underlying problem, not to the immediate exploit.

        The Snowden affair will (hopefully) be creating noise for years to come - but it is only a symptom of a broader problem, and is really not an IT security issue at all. The problem is that governments are supposed to operate with the consent of the governed, and that is not happening at the moment.

        In summary (quite a long "summary"), all of these problems are symptoms, and our responses to them have been reactive. Unless and until the underlying problems are addressed, similar cases will occur.

        POS hacks (or hacks of the Internet of things).

        Cryptolocker (or software that uses permission it shouldn't have in order to do something nasty).

        Governments being exposed doing things they shouldn't and are not elected to do, and trying to shoot the messenger (strangely, this is more a problem of how our media works than of how technology works - because too many media agencies value their relationship with the US government over their relationship with their readers and with the truth).

  2. The Target stuff is a nightmare. I'm still using a NetSpend card; while it has dumb fees, it's the only thing I could find that offers me text messages for EVERY transaction my card makes, and lets me remotely disable the card or report it stolen via SMS. At this point I think 2FA for all card transactions might be a good idea as a band-aid fix until we have a reasonable method of preventing this type of thing.

  3. I couldn't agree more! The sad part is, even as Target et al are clearing up their issues, hundreds if not thousands of other government and private sector organisations are doing nothing to shore up their multiple layers of defence, or even to apply controls against the stated and known vectors of attack. Instead, they are applying an "it happens to some other company - not us" attitude, or worse, "we will deal with it when something gets reported or hits the media". This shows me that those companies have a total disregard for their customers.

    • EugeneOS · 163 days ago

      This is a sad truth related to the generic short-termism of business goals.
      All organisations, public or private, are under pressure to reduce running costs.
      Knowing that the average tenure is about 3 years, most managers drive costs down, accepting the associated risks and hoping that they will be out of the door when an incident occurs.
      The next person comes along and is forced to accept the existing risks, under the same pressure to drive costs down. It all repeats until a breach occurs. The security budget grows, and controls and measures are implemented.
      Then, in the next budget cycle, it all repeats again.

      We should start to consider security in the broader context of business cycles to effectively protect the data. Investors who bought TJX shares after its customer credit card data was stolen in 2007 - one of the biggest heists of its kind then - are up more than 300% now.

      As such, security professionals should work with the business to achieve compliance only and to minimise the losses during an incident.

  4. It is time to change our whole thinking about the Internet.

    It was built as a place to come back to.
    Now it's a place where your identity and your privacy get stolen or abused.


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.