Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

12/18/2017
08:35 AM
Craig Dods
Craig Dods
News Analysis-Security Now
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Everything Is Hackable: Now What?

When everything is hackable, breach prevention can't be the only tool in the cybersecurity tool chest.

The security industry has a mindset problem. For years, businesses have operated with the "might" mentality -- that they might get attacked someday, unless they do something to prevent it. The reality, though, is that all organizations, whether they are public, private or non-profit, are being analyzed, tested and exploited by malicious entities constantly. These entities' motivations may differ between industries, but the fact is that someone, somewhere is trying to break in, and the odds are in their favor.

If you acknowledge that you are under attack -- today, right now -- then it becomes possible to shift your mindset towards protecting your organization. Focusing on detection and remediation gives you a better chance of limiting the damage to your business once an incident happens.

However, in order to respond to an incident, you first have to recognize that one has actually occurred. The statistics are still quite troubling in this area, with the majority of breaches being identified by external third parties and not by an organization's internal teams. Verizon's 2017 Data Breach Investigations Report found that 89% of all breaches caused by miscellaneous errors were discovered by external parties -- 76% of which were a customer. This leaves little opportunity to remediate the threat in a meaningful way, i.e. prior to data exfiltration.

Once you understand that (unfortunately) you as an organization are unlikely to identify a certain portion of threats, ensuring that you maximize your detection capabilities is critical. Here are a few ways to do so.

  • Reduce false positives. The primary means of maximizing detection capabilities is by reducing false positive alerts coming from your existing security infrastructure. Once the fidelity of alerts viewed by the security operations center (SOC) is acceptable, this is where your incident response plan comes into play.
  • Have a plan (any plan!). Having a plan for incident response is crucial. There are multiple frameworks, products and guidelines that can be leveraged for this purpose, so it's important to find the one that makes the most sense for your business. An organization must have a predetermined incident response plan to have any chance of success.
  • Practice makes perfect. If you work under the assumption that a breach is imminent, you will be better prepared to react when an incident occurs. Build a red team and test your infrastructure and SOC's response times. The incident response process needs to be a well-oiled machine, and the only way to accomplish that is by conducting hands-on drills.

Of course, this is not to say that prevention should be ignored. There are still necessary tactics that should be put in place to help your organization's overall security, such as limiting access to critical infrastructure -- if someone doesn't need access to "X," they should not have access to "X." This applies to both users and machines -- web server "Y" should not be able to reach database "Z" unless absolutely necessary.

And while investing in quality security products remains important in any enterprise security strategy, they need to be coupled with a security team that knows how to implement these products and get results. These security products are simply tools in a human analyst's security tool belt. Firewalls, intrusion prevention systems, anti-virus solutions, SIEMs and sandboxes all exist to reduce risk and exposure, but at the end of the day, a well-trained analyst is an enterprise's best defense.

Many will argue that subsets of artificial intelligence (AI), such as machine and deep learning, are a bigger key to success than actual employees. However, those of us who are realists understand that while these technologies may be effective in certain, specific use cases today, we are decades away from AI replacing most solutions (and humans) that are employed today.

With your security team -- and ideally, the full organization -- on board with an "imminent breach" mentality, the chances of limiting damage when an attack hits are much higher. By coupling a strong security team with the right tools and processes for when -- not if -- the worst happens, your organization will be in a stronger position to protect itself.

Related posts:

Craig Dods is the Chief Architect for Security within Juniper Networks' Enterprise Business.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...