Perimeter
6/29/2017
10:00 AM
Kirsten Bay
Commentary

Why Enterprise Security Needs a New Focus

The WannaCry ransomware attack shows patching and perimeter defenses aren't enough. Enterprises should combine preventative measures with threat detection tactics.

WannaCry appeared to be the catastrophic global cybersecurity breach we've long been expecting, but despite the damage it caused, the full possible magnitude of the threat was never realized.

True, the ransomware worm infected 200,000 computers in over 150 countries — causing issues for organizations as diverse as FedEx, the UK's National Health Service, and Russia's interior ministry — but it could have been so much worse without the almost accidental triggering of the kill switch.

The most disturbing aspect of WannaCry was the speed with which it spread, and the failure that allowed this to happen was human and organizational in addition to technological. Despite Europol director Rob Wainwright's advice for enterprises to "patch before Monday," the rapid proliferation of the ransomware illustrates why patching — and any solution that focuses on defending network perimeters — isn't enough to combat the threat from cybercriminals.

Why are patching and perimeter defenses no longer enough, and how should enterprises refocus their approach to prevent future attacks from spreading so quickly?

Patching: Mission Impossible
In the wake of WannaCry, many wondered why so many organizations had failed to apply the MS17-010 patch, which Microsoft released two months before the attack to resolve the vulnerabilities the attackers exploited. While maintaining patch cycles is a well-acknowledged element of basic network hygiene, any CISO responsible for a vast and highly complex environment knows that keeping up with a seemingly endless stream of patches is easier said than done.

Attempts have long been made to streamline patching: CISOs have made auto-patching standard operating practice on workstations, and Microsoft introduced "Patch Tuesday" to provide regularity. In reality, however, updates are frequently released outside the standard cycle. With enterprise environments encompassing an ever-growing ecosystem of vendors, installing updates in a timely manner is problematic, especially when patches are delayed, as Microsoft's February updates were.

Patches can also cause glitches. MS16-072, released last year, created problems with user group policies and had the unfortunate side effect of hiding application shortcuts and network printers. The "Recall Thursday" phenomenon, in which Microsoft fell into a pattern of withdrawing patches soon after releasing them, encourages CISOs to wait until issues are ironed out before updating, or to install only the patches they view as essential. With the rise of all-or-nothing updates, CISOs often choose not to patch at all in order to minimize business disruption.


No matter how rigorous enterprises are about software updates, machines can always slip through the net, perhaps because they sit low in the stack or aren't seen as business critical. In many organizations, outdated but functional systems operate behind the scenes. A recent study indicates 6% of companies have more than half of their computers running on out-of-date operating systems, while 24% have over half running out-of-date browsers. It was precisely these types of systems the WannaCry ransomware was designed to target.

Edgeless Networks: Mission Creep
In addition to software updates, CISOs have another, even more challenging ticket to deal with. As IT departments spread their remit from desks and traditional office equipment to bring-your-own-device, mobile, and Internet of Things technologies, CISOs have been subject to an element of mission creep.

We now operate in a world of edgeless networks, where as many employees work outside the firewall — on laptops, tablets, and smartphones — as within it. Even though over 60% of employees use two or more mobile devices for work, fewer than 30% of those devices have security functionality installed, providing countless points where cybercriminals can ride traffic into the network.

Focus Shift from Prevention to Detection
The rise in edgeless networks has made fully protecting network perimeters virtually impossible, and segmenting networks can only limit the spread of attacks rather than stopping them altogether. Enterprises must take a multilayered, defense-in-depth approach to cybersecurity. This includes shifting the focus away from prevention-based models, such as the Kill Chain, that were designed to keep attackers out of a network but are limited in the post-compromise phase of a breach.

With 90% of US businesses hacked in the last year, and 97% of UK businesses suffering data breaches in the last five years, the question is no longer whether enterprises are vulnerable, but where they may have fallen victim already. Rather than focusing all of their attention on keeping attackers out of ever-more-vulnerable networks, enterprises should combine preventative measures with threat detection tactics. By understanding the adversary and identifying indicators of compromise, defenders can recognize the individual components that make up a cyber attack.
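The detection-first approach described above can be made concrete. The following added example (not code from the article or its author) flags worm-style lateral spread: a host that reaches many distinct internal neighbours on SMB port 445 within a short window, the kind of breadth that distinguishes propagation from ordinary file-share use. The flow record format and the sample records are constructed assumptions.

```python
"""Flag worm-style SMB fan-out in constructed flow records (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one 'timestamp src dst dport' record (assumed log format)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


# Constructed sample: one host sweeps twelve neighbours on 445 in under a
# minute; a file server is hit repeatedly by the same client; a workstation
# touches three shares.  None of this is real traffic.
SAMPLE_FLOWS = (
    [f"2017-05-12T10:00:{i:02d} 10.0.4.17 10.0.4.{20 + i} 445" for i in range(12)]
    + [f"2017-05-12T10:01:{i:02d} 10.0.4.31 10.0.4.5 445" for i in range(20)]
    + [f"2017-05-12T10:02:00 10.0.4.40 10.0.4.{50 + i} 445" for i in range(3)]
    + ["2017-05-12T10:02:05 10.0.4.17 93.184.216.34 443"]
)


def find_smb_fanout(lines, window=timedelta(seconds=60), threshold=10, port=445):
    """Return {src: distinct internal targets} for sources that reach at least
    `threshold` distinct private hosts on `port` inside any `window`.
    Repeated connections to one server do not count: it is breadth across
    many hosts that signals lateral spread, not volume to one share."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == port and ipaddress.ip_address(dst).is_private:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for host, n in find_smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: {n} distinct SMB targets inside 60s")
```

Tune `threshold` and `window` to the baseline of the segment being watched; a backup server legitimately touches many hosts, so whitelist such sources rather than raising the threshold for everyone.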

WannaCry shows it's not just machines that need updating, but, rather, the entire approach to enterprise security requires a rethink. In a world where increasing complexity and edgeless networks invalidate perimeter-based protection and make updating individual devices unrealistic, enterprises must shift their focus toward a detection-first approach, combining threat detection with prevention in a multilayered strategy.

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience of risk intelligence, information management, and policy expertise. Her career has seen her sit on a US congressional committee; assist in developing policies for the ...
Comments
macker490, User Rank: Ninja
7/2/2017 | 11:32:14 AM
Re: Kick Microsoft off your network
"Kick MSFT Out"

that's not a workable response: much software that is essential to its users depends on the MSFT API

still, it's important to think about this problem:

What has happened: a non-secure o/s has been placed into massive use in a network environment in which messages are generally not authenticated and message formats that carry macros and scripts have been incorporated into general use in this non-secure environment

if you wanted to design a system to facilitate hacking you could not do a better job.

the response cannot be immediate termination of the offending components; rather the offending components need to be re-configured into a protected environment such that attack messages cannot get at them

this means moving all vulnerable o/s and apps into protected intranets that do not have open-net access. this will create some additional difficulty as it will block essential communication. to correct this it will be necessary to build and deploy some heavy-duty filters that can require PGP signatures on all inbound messages.

this would be a start

it will need refinement; most likely quarantine of messages of a questionable nature.
Christian Bryant, User Rank: Ninja
6/30/2017 | 4:59:57 PM
Re: Kick Microsoft off your network
True, Anthem got hit big in $$. I suspect their compromise points more to not conforming to "Security 101" best practices, however, than it does their end-user architecture. Again, no lover of Windows here, but I know how these big Corps love to hold on to the familiar. Looking deeper, however, Anthem uses *NIX on the backend (Red Hat Enterprise Linux, AIX and Solaris, I believe) and are also utilizing IBM cloud. They have a lot of Java-based code so they could well arm developers with Ubuntu systems using Eclipse for development. One could argue Anthem could well move off Windows for their end-users since I find it hard to believe their Windows-based web servers couldn't be migrated to *NIX unless they are stuck on some IIS/.NET dependent apps (which I've seen ported to .NET Core).

Anyway, yeah, with hits that huge you could definitely start putting together presentations to future clients that highlight how detrimental using Windows in your environment could really be :-) But let's also not forget the "Security 101" best practices, too. I mean, if I keep throwing you a gun with no safety, I have to expect you to shoot yourself in the foot at least once...
SchemaCzar, User Rank: Strategist
6/30/2017 | 4:45:04 PM
Re: Kick Microsoft off your network
Well, Anthem spent nearly a half billion dollars because someone clicked a phishing email.
Christian Bryant, User Rank: Ninja
6/30/2017 | 4:42:19 PM
Re: Kick Microsoft off your network
As a *NIX nerd, you're not going to hear an argument here.  But if you're planning out IT at a new company, you'll have to be prepared to show data that demonstrates savings using FOSS in place of a Windows-based desktop ecosystem.  That is, weigh the cost of assumed eventual exploits on company Windows computers (cost being security staff, RCA effort and change implementation) against the cost of FOSS internal support, training end users, etc.  I could flesh out a FOSS-based IT solution for most companies, but then I'd need to assure the stakeholders that we have interoperability with vendors, etc. as well as a platform (Ubuntu, for instance) that is easy to use and can supply all the needs of the company.  I think that's the major hurdle right there.
SchemaCzar, User Rank: Strategist
6/30/2017 | 3:04:42 PM
Kick Microsoft off your network
The fundamental "new focus" needed by enterprise security is to recognize the perimeter is failing because of Windows problems. The fact is that we have seen for months (and more) that Windows is attacked more often and more successfully. The terrible attacks of recent weeks show this. And what's more, a compromised Windows computer is an attack vector for the rest of your network.

Windows has a permission configuration that makes a successful phishing attack much more dangerous than it is on other platforms. Under Windows, many pieces of malware of more types can more aggressively attack within your firewall than you would find on other systems.

There are very few applications left that actually need Windows.  Are they worth the information security risk?
Christian Bryant, User Rank: Ninja
6/30/2017 | 10:34:45 AM
Re: Band-aids and Whac-a-Mole
Totally agree.  PGP and encryption in general should be a requirement in every workplace and yet only us developers and InfoSec pros seem to use it by default.  When you encrypt/decrypt, sign and md5sum (oops, dated myself) all day long you begin to wonder what everyone else is complaining about.  Viruses?  Worms?  Really?  Why aren't you encrypting, signing and verifying?  What do you mean "What is PGP?"

I try to educate as much as I can but we do need to see what we have taken for granted for decades in the *NIX environment and as FOSS developers brought to everyone in a digestible way. The way average users fire up Windows and Word without thinking is how integrated encryption should be accessed as well. No need to think about it, still reaping the benefits: ease of use.
macker490, User Rank: Ninja
6/30/2017 | 7:38:30 AM
Band-aids and Whac-a-Mole
it's no use to keep putting band-aids on this mess. it's like playing Whac-a-Mole: it goes on-and-on and you can't win.

a lot of critical software today runs on a very insecure o/s. on a short term/immediate basis these vulnerable o/s systems should be positioned in protected intranets such that they do not have open-net access.

some heavy-duty filter systems will need to be developed to control data that is passed from one intranet to another.

it would be best to prohibit executable documents.

any document that contains scripts or macros should be regarded as an executable program -- just as dangerous as a binary .exe file

AUTHENTICATE

Computer Hackers leverage a general lack of authentication in order to impersonate legitimate traffic. This, combined with the use of insecure operating software -- is a recipe for disaster -- and -- you have an on-going disaster on your hands.

the means of stopping this has been available since Zimmermann released PGP back in the 90s

Authentication should be incorporated into the filterboxes for all message traffic.

fussing over biometrics, 2FA, A/V, and bad passwords ain't gonna get you noplace.
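Both macker490 comments argue for a filter box on inbound traffic that treats any document carrying macros or scripts as an executable and quarantines questionable items. As an added example (not code from any commenter), the classifier below applies that rule to attachments: OOXML documents are opened as zip containers and checked for a VBA project part, script and binary extensions are treated as executables, and legacy OLE files, which this snippet cannot inspect without further tooling, go to quarantine. File names and contents are constructed.

```python
"""Classify attachments that may carry macros or scripts (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
SCRIPT_EXT = (".js", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".scr")


def classify_attachment(name, data):
    """Return 'executable', 'quarantine' or 'clean' for one attachment.
    OOXML files are zips: a vbaProject.bin part means VBA macros are present.
    Legacy OLE documents are not parsed here, so they are held for review
    rather than passed through on the strength of their extension."""
    lower = name.lower()
    if lower.endswith(SCRIPT_EXT):
        return "executable"
    if data.startswith(OLE_MAGIC):
        return "quarantine"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "quarantine"          # claims to be a zip but will not open
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "executable"
        if lower.endswith((".docm", ".xlsm", ".pptm")):
            return "quarantine"          # macro-enabled type without a macro part
    return "clean"


def build_docx(with_macro):
    """Constructed minimal OOXML container for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("invoice.docx", build_docx(False)),
                        ("invoice.docm", build_docx(True)),
                        ("report.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(fname, "->", classify_attachment(fname, blob))
```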