How To Avoid Breaches Where You Least Expect Them

Vulnerabilities and threats could lurk in the most mundane of systems

In the real world of constrained budgets and limited personnel, prioritization of security resources is a must. Many departments prioritize practices based on the severity of vulnerabilities, the value of a target, and the likelihood of a threat hitting said target. However, the flip side of that is to remember the real world is also a connected one. And as many security experts can attest, enterprises often forget to account for how attacks against the vulnerabilities in less critical systems can jeopardize the crown jewels.

"Most companies focus their efforts on locking down vital assets, such as the infrastructure, servers, mission-critical applications, and work machines, and when assessing risk put too much emphasis on these as opposed to other systems deemed not as vital," says Vann Abernethy, senior product manager for NSFOCUS. "But we have seen attacks against these soft targets that either led to serious damage or were used as a way into the systems that were thought to be better protected."

A great example of what it looks like when an organization chooses not to secure these incidental soft systems happened back in 2011 at the Hong Kong Stock Exchange (HKEX), Abernethy explains. HKEX ran a simple informational news site that wasn't prioritized for protection because it was a low-risk system with no connection to trading platforms and seemingly no connection to the organization's core trading functions. Nevertheless, a DDoS attack against this site actually kept a number of prominent companies from trading while that site was down.


"The news site is where companies posted announcements to comply with disclosure regulations, and when those statements could not be posted, trading was halted," Abernethy says. "So a site with minimal protection and a lower perceived risk value can cause several major stocks to go untraded when taken out -- and result in a huge loss in revenue."

It is a good lesson in how organizations have to exercise a higher level of thinking about potential threats to seemingly low-priority systems. In that case, the system in question was not necessarily connected to more sensitive systems or data. But often deprioritized soft targets are ideal for attackers because these systems have back-end connections to other systems that IT staff may not be aware of or have forgotten about. Similarly, some soft targets may not be connected to sensitive systems at all but could still hold sensitive data, either because no policy covers them or because an existing policy is not enforced. Take, for instance, test databases for development work: in many organizations, these databases contain real production data. Yet they are not considered high-priority systems and have nowhere near the level of controls applied to production databases.

So how does IT find those systems that could prove to be soft targets for attackers? It starts with becoming more comprehensive in asset discovery and tracking. That task is helpful not just for vulnerability management, but for many other security investments that need to be made, says John Walton, principal security manager at Microsoft, in charge of the Office 365 security engineering team. Walton recommends using as many different sources of data as possible to put together an asset list, starting with subnet-based scanning and moving outward from there.

"So think about things like your log data, maybe netflow data or network routing information, your asset data in Active Directory, and any other number of sources you may have available or could start collecting from," he says. "Then really try to combine those different sources because the more you can identify, the closer you can get to having a complete asset list."

Even before developing that list, though, netflow data can also be particularly helpful for identifying existing compromises of seemingly low-risk systems connected to and endangering more critical systems.

"If you are seeing large and unexpected flows of data from an internal origination point to other computers on the network or to external addresses, this can indicate an attempt to exfiltrate data from your company," says A. N. Ananth, CEO of EventTracker. "Netflow data is a useful way to spot these unexpected information flows."
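The two ideas above, merging several asset sources into one inventory (Walton) and using flow data to spot unexpectedly large transfers from internal hosts (Ananth), as an added example that is not from the article or its sources. The asset sets, flow records, thresholds and the 10.0.0.0/8 internal range are all constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: three independent asset sources of the kind Walton
# lists (subnet scan, Active Directory computer objects, hosts seen in logs).
SUBNET_SCAN = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}
ACTIVE_DIRECTORY = {"10.0.1.10", "10.0.1.11", "10.0.3.30"}
LOG_HOSTS = {"10.0.1.10", "10.0.2.20", "10.0.9.99"}

# Constructed NetFlow-style records: (src, dst, bytes). 10.0.9.99 is a test box
# known only from logs; 10.0.4.40 appears in no asset source at all.
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 12_000),
    ("10.0.1.11", "93.184.216.34", 400_000),
    ("10.0.9.99", "203.0.113.7", 9_500_000_000),
    ("10.0.9.99", "10.0.3.30", 7_000_000_000),
    ("10.0.4.40", "198.51.100.5", 2_000_000_000),
    ("10.0.2.20", "10.0.1.10", 3_000),
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def merge_asset_sources(*sources):
    """Union of all sources, plus hosts only one source knows about: those are
    the candidates for forgotten or unmanaged systems worth a closer look."""
    counts = defaultdict(int)
    for src in sources:
        for host in src:
            counts[host] += 1
    single_source = {h for h, c in counts.items() if c == 1}
    return set(counts), single_source


def flag_unexpected_flows(flows, inventory, ext_threshold, int_threshold):
    """Sum bytes each internal source sends to external and to internal peers;
    return (host, ext_bytes, int_bytes, missing_from_inventory) for any source
    over either threshold. Unknown senders are the highest-value finding."""
    ext, intl = defaultdict(int), defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src):
            (intl if is_internal(dst) else ext)[src] += nbytes
    findings = []
    for host in set(ext) | set(intl):
        if ext[host] >= ext_threshold or intl[host] >= int_threshold:
            findings.append((host, ext[host], intl[host], host not in inventory))
    return sorted(findings)
```

Thresholds should be tuned from a baseline of each host's normal volume; the fixed byte counts here exist only to make the sample data flag.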

However, keeping tabs on netflow data may be only addressing symptoms of a deeper problem. Part of the issue at hand is that organizations are assessing risks to their assets in a bubble, says John Pescatore, director of emerging trends for SANS Institute.

"There is generally no real connection to real-world threats on how best to protect the business or the customer's information," he says.

All too often, Pescatore says, organizations use a small imaginary number to estimate the probability of a security incident, a large imaginary number to estimate the cost of a security incident, and then multiply those two numbers together to get a medium-size imaginary number. The exercise, he adds, is done purely to tell auditors that they did an assessment.

Instead, he says, it is important to home in on a controls-based priority list. This can be done by relying on a community of experts who can look at real-world threats and prioritize which security controls are most valuable in deterring those threats. Then they can prioritize solutions that implement those controls with as much automation as possible to improve efficiency and effectiveness.

"Work your way down the priority list until you run out of budget," Pescatore says.

Most importantly, though, organizations need to be comprehensive when seeking IT assets eligible for these controls. While mission-critical systems certainly deserve the most attention to detail, security professionals must also keep an eye on the fringes of IT infrastructure. It is there, in the places where high-priority and low-priority systems may be interconnected, where business processes create a tenuous connection between otherwise unrelated systems, and where data lurks in unexpected places. It is that gray area where the biggest propensity for compromise awaits.

"Companies should take a very serious look at all assets and be very comprehensive in looking at the consequences of an attack," Abernethy says. "Don't overlook the mundane because, as the HKEX found out, it may very well be a critical risk area."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Peter Fretty,
User Rank: Moderator
11/14/2013 | 3:40:58 PM
re: How To Avoid Breaches Where You Least Expect Them
Great post. There is no question breaches impact everyone, and organizations need to integrate plans that not only prepare against breaches, but also strategies for how to handle post-breach situations. As a recent Sophos Naked Security blog discusses, breach susceptibility has prompted some states to strengthen notification laws. Simply put, customer data needs to be cherished.

Peter Fretty