Looking back at the major security stories of the last few months, there’s something of a pattern emerging.
While many may seem to be down to a simple flaw in a single layer of security, on deeper examination most actually involve problems with multiple layers, and highlight the importance of an in-depth approach to security.
Sounds pretty simple – their anti-malware let them down. It should have spotted and blocked the malware in the first place.
OK, so there’s some truth in that, but anyone who claims (or expects) 100% detection of all malware from any solution is at best enormously optimistic, at worst horribly naive.
There are several other problems here. We know the malware was there, but how did it get put in place?
The details are still a little nebulous and speculative, but it seems like the initial breach may be connected with third-party contractors – possibly maintenance people – who had remote access to Target’s networks.
If this is accurate, the penetration vector itself breaks down into a number of smaller issues.
The contractors weren’t properly audited for their own security policy, so they were likely more open to breaches than Target itself was (or thought it was).
The methods they used for remote access weren’t adequately secured, with no two-factor authentication so they could prove it was them trying to log in.
And the networks weren’t properly segregated, so the hackers were able to cross over from the systems the contractor needed to access, controlling heating and AC, to much more sensitive systems handling payment card data.
There are still more layers to the breach, ending with the final exfiltration. Huge amounts of card data being sent outside the corporate network is just the kind of thing Data Leak Prevention (DLP) is supposed to watch out for and block, but in this case didn’t.
It even seems like Target was warned of potential vulnerabilities, indicating a problem with the chain of command and the passing on of security warnings to the right people.
So, a lot of different problems all converged, creating what has been described as a “perfect storm”. Or to put it another way, a nice, easy way for hackers to notch up another record haul of records.
If any of these layers were properly covered, it may not have totally prevented the breach, but it should at least have made things a little harder for the bad guys, minimised the extent of the leak or made it easier for law enforcement to track them down afterwards.
Moving on, Cryptolocker is another major headline of late, and again seems simple – again, anti-malware let people down and failed to prevent their systems from being infected.
But that in itself wouldn’t have been catastrophic had proper security procedures been maintained by victims.
Backing up vital data is one of the cornerstones of safe computing, protecting against hardware failure and accidental deletion as well as malicious actions.
Had we all stuck to strict backup regimes, there would have been no need for anyone to hand over their bitcoins to any nasty people.
In business and institutional settings, backups should be one of the first things we put in place, so we would certainly not expect a company or police force to succumb to extortion.
This is mostly being achieved through spear-phishing and social engineering, so it seems like a simple case of inadequate education of staff with sensitive access rights. If they were properly taught how to spot phishes and how to keep credentials safe, these penetrations would never happen.
But there is another side. We can’t rely on humans alone for our security, so there should be both technical and policy-level checks in place.
Two-factor authentication systems are available for most social media sites and many website management services, and would do much to mitigate the risk of social engineering attacks.
Mail filters could also be doing a better job of spotting spoofed “From” addresses and so on, making it harder for phishers to assume unwarranted authenticity.
Snowden NSA leaks
Of course the biggest security story of the last year or so is the saga of Edward Snowden and the NSA. Much of the scandal here has been from a privacy angle, but from the beginning it had a security aspect too, sparking concerns about how good our secret services are at keeping their own secrets.
This one also seems simple – Snowden shouldn’t have been able to gather up so much information and sneak it out to the world (although many are, of course, glad he did).
Crawling a local network to gather all its files and writing them to a USB stick sounds like exactly the kind of thing DLP should be spotting, but it was either not in place or was easily bypassed. QED.
Once again though, we’re seeing other layers of problems. Snowden, it seems, did much of his harvesting using other people’s logins, shared with him knowingly.
This is another security basic – you get your login with its associated rights, and that’s what you use. If someone else asks you to log in for them, and to let them do things under your name, that should be a huge red flag.
Rights are assigned based on need, and if someone needs access to something they don’t have the rights for, it’s not for you to decide that they should have access and let them use your account – pass them on to the person who assigns the rights, and let them argue over whether they have been properly assigned.
The affair, like Target, also highlights the dangers of allowing third-party contractors access to sensitive networks without proper vetting, control, and oversight.
How not to join this list
All these major incidents show the importance of defence in depth, and the dangers of overlooking vital security layers. In each of these cases, problems are revealed with what should have been multiple layers of protection.
Security isn’t about just installing anti-malware and checking people’s ID badges. It should be a vital consideration for any system you deploy and any process you adopt.
So any time you’re installing a new system or piece of software, setting up or redesigning a network, hiring a new staffer or contractor, defining a new process or protocol, getting involved with a trendy, new communication method, or anything that affects you or your users/customers/clients/friends/family/colleagues, think about the security risks and what can be done to mitigate them.
Go back over all your old stuff and think the same thought. Think about it every time you use these systems and processes too.
Any gap in our security thinking can be leveraged by the bad guys, and multiple gaps can lead to massive incidents like these.
To be effective, security needs to be everywhere.