Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:38 PM
Connect Directly

How To Avoid Breaches Where You Least Expect Them

Vulnerabilities and threats could lurk in the most mundane of systems

In the real world of constrained budgets and limited personnel, prioritization of security resources is a must. Many departments prioritize practices based on the severity of vulnerabilities, the value of a target, and the likelihood of a threat hitting said target. However, the flip side of that is to remember the real world is also a connected one. And as many security experts can attest, enterprises often forget to account for how attacks against the vulnerabilities in less critical systems can jeopardize the crown jewels.

"Most companies focus their efforts on locking down vital assets, such as the infrastructure, servers, mission-critical applications, and work machines, and when assessing risk put too much emphasis on these as opposed to other systems deemed not as vital," says Vann Abernethy, senior product manager for NSFOCUS. "But we have seen attacks against these soft targets that either led to serious damage or were used as a way into the systems that were thought to be better protected."

A great example of what it looks like when an organization chooses not to secure these incidental soft systems happened back in 2011 at the Hong Kong Stock Exchange (HKEX), Abernethy explains. HKEX ran a simple informational news site that wasn't prioritized for protection because it was a low-risk system with no connection to trading platforms and seemingly no connection to the organization's core trading functions. Nevertheless, a DDoS attack against this site actually kept a number of prominent companies from trading while that site was down.

[Your organization has been breached. Now what? See Establishing The New Normal After A Breach.]

"The news site is where companies posted announcements to comply with disclosure regulations, and when those statements could not be posted, trading was halted," Abernethy says. "So a site with minimal protection and a lower perceived risk value can cause several major stocks to go untraded when taken out -- and result in a huge loss in revenue."

It is a good lesson in how organizations have to exercise a higher level of thinking about potential threats to seemingly low-priority systems. In that case, the system in question was not necessarily connected to more sensitive systems of data. But often deprioritized soft targets are ideal for attackers because these systems have back-end connections to other systems that IT staff may not be aware of or have forgotten about. Similarly, some soft targets may not necessarily be connected to sensitive systems but could still hold sensitive data due to lack of policies or lack of enforcement of existing policies. Take, for instance, test databases for development work -- in many organizations, these databases will contain real production data. But they're not considered high-priority systems and don't have near the levels of controls on them as production databases.

So how does IT find those systems that could prove to be soft targets for attackers? It starts with becoming more comprehensive in asset discovery and tracking -- it's a task that's helpful not just for vulnerability management, but many more security investments that need to be made, says John Walton, principal security manager at Microsoft, in charge of the Office 365 security engineering team. Walton recommends using as many different sources of data as possible to put together an asset list, starting first with subnet base scanning and moving outward from there.

"So think about things like your log data, maybe netflow data or network routing information, your asset data in Active Directory, and any other number of sources you may have available or could start collecting from," he says. "Then really try to combine those different sources because the more you can identify, the closer you can get to having a complete asset list."

Even before developing that list, though, netflow data can also be particularly helpful for identifying existing compromises of seemingly low-risk systems connected to and endangering more critical systems.

"If you are seeing large and unexpected flows of data from an internal origination point to other computers on the network or to external addresses, this can indicate an attempt to exfiltrate data from your company," says A. N. Ananth, CEO of EventTracker. "Netflow data is a useful way to spot these unexpected information flows."

However, keeping tabs on netflow data may be only addressing symptoms of a deeper problem. Part of the issue at hand is that organizations are assessing risks to their assets in a bubble, says John Pescatore, director of emerging trends for SANS Institute.

"There is generally no real connection to real-world threats on how best to protect the business or the customer's information," he says.

He says that all too often organizations use a small imaginary number to estimate the probability of a security incident, a large imaginary number to estimate the cost of a security incident, and then multiply those two numbers together to get a medium-size imaginary number, says Pescatore, adding that the exercise is purely done to tell auditors that they did an assessment.

Instead, he says, it is important to home in on a controls-based priority list. This can be done by relying on a community of experts who can look at real-world threats and prioritize which security controls are most valuable in deterring those threats. Then they can prioritize solutions that implement those controls with as much automation as possible to improve efficiency and effectiveness.

"Work your way down the priority list until you run out of budget," Pescatore says.

Most importantly, though, organizations need to be comprehensive when seeking IT assets eligible for these controls. While mission-critical systems certainly deserve the most attention to details, security professionals must also keep an eye out for the fringes of IT infrastructure. It is there -- in the places where high-priority and low-priority systems may be interconnected -- where business processes create a tenuous connection between unrelated systems, and where data lurks in unexpected places. It is that gray area where the biggest propensity for compromise awaits.

"Companies should take a very serious look at all assets and be very comprehensive in looking at the consequences of an attack," Abernethy says. "Don't overlook the mundane because, as the HKEX found out, it may very well be a critical risk area."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Moderator
11/14/2013 | 3:40:58 PM
re: How To Avoid Breaches Where You Least Expect Them
Great post. There is no question breaches impact everyone, and organization need to integrate plans that not only prepare against breaches, but also strategies for how to handle post breach situations. As a recent Sophos Naked Security blog discusses, breach susceptibility has prompted some states to strengthen notification laws. Simply put, Customer data needs to be cherished.

Peter Fretty
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...