Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

10/21/2013
04:38 PM
How To Avoid Breaches Where You Least Expect Them

Vulnerabilities and threats could lurk in the most mundane of systems

In the real world of constrained budgets and limited personnel, prioritization of security resources is a must. Many departments prioritize practices based on the severity of vulnerabilities, the value of a target, and the likelihood of a threat hitting said target. The flip side, however, is that the real world is also a connected one. And as many security experts can attest, enterprises often forget to account for how attacks against the vulnerabilities in less critical systems can jeopardize the crown jewels.

"Most companies focus their efforts on locking down vital assets, such as the infrastructure, servers, mission-critical applications, and work machines, and when assessing risk put too much emphasis on these as opposed to other systems deemed not as vital," says Vann Abernethy, senior product manager for NSFOCUS. "But we have seen attacks against these soft targets that either led to serious damage or were used as a way into the systems that were thought to be better protected."

A great example of what it looks like when an organization chooses not to secure these incidental soft systems happened back in 2011 at the Hong Kong Stock Exchange (HKEX), Abernethy explains. HKEX ran a simple informational news site that wasn't prioritized for protection because it was a low-risk system with no connection to trading platforms and seemingly no connection to the organization's core trading functions. Nevertheless, a DDoS attack against this site actually kept a number of prominent companies from trading while that site was down.


"The news site is where companies posted announcements to comply with disclosure regulations, and when those statements could not be posted, trading was halted," Abernethy says. "So a site with minimal protection and a lower perceived risk value can cause several major stocks to go untraded when taken out -- and result in a huge loss in revenue."

It is a good lesson in how organizations have to exercise a higher level of thinking about potential threats to seemingly low-priority systems. In that case, the system in question was not necessarily connected to more sensitive systems or data. But often deprioritized soft targets are ideal for attackers because these systems have back-end connections to other systems that IT staff may not be aware of or have forgotten about. Similarly, some soft targets may not be connected to sensitive systems at all but could still hold sensitive data due to a lack of policies or a lack of enforcement of existing policies. Take, for instance, test databases for development work: in many organizations, these databases contain real production data. But they're not considered high-priority systems and don't have nearly the level of controls that production databases do.

So how does IT find those systems that could prove to be soft targets for attackers? It starts with becoming more comprehensive in asset discovery and tracking, a task that's helpful not just for vulnerability management but for many other security investments that need to be made, says John Walton, principal security manager at Microsoft, in charge of the Office 365 security engineering team. Walton recommends using as many different sources of data as possible to put together an asset list, starting with subnet-based scanning and moving outward from there.

"So think about things like your log data, maybe netflow data or network routing information, your asset data in Active Directory, and any other number of sources you may have available or could start collecting from," he says. "Then really try to combine those different sources because the more you can identify, the closer you can get to having a complete asset list."

Even before developing that list, though, netflow data can also be particularly helpful for identifying existing compromises of seemingly low-risk systems connected to and endangering more critical systems.

"If you are seeing large and unexpected flows of data from an internal origination point to other computers on the network or to external addresses, this can indicate an attempt to exfiltrate data from your company," says A. N. Ananth, CEO of EventTracker. "Netflow data is a useful way to spot these unexpected information flows."
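The two ideas above, merging several data sources into one asset list and using NetFlow to spot hosts and flows that nobody expected, can be shown in a single script. What follows is an added example written for this article, not code from Dark Reading, Microsoft or EventTracker; the subnet sweep results, Active Directory records, address ranges and flow records are all constructed sample data, and the byte threshold is an arbitrary assumption a real deployment would replace with a per-host baseline.

```python
"""Multi-source asset discovery plus a NetFlow egress heuristic.

Added example, not from the article. Every host, address and flow
record below is constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space (constructed)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Source 1: hosts that answered a subnet sweep (constructed)
SCAN_HOSTS = ["10.0.1.10", "10.0.1.11", "10.0.1.20"]

# Source 2: computer objects pulled from Active Directory (constructed)
AD_RECORDS = {"WEB01": "10.0.1.10", "DB01": "10.0.1.11", "LAPTOP-7": "10.0.2.5"}

# Source 3: NetFlow-style records as (src, dst, bytes) (constructed)
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 2_000_000),        # web -> db, routine
    ("10.0.1.11", "10.0.1.10", 50_000_000),       # db -> web, routine
    ("10.0.2.5", "203.0.113.7", 40_000),          # laptop -> internet, small
    ("10.0.9.42", "10.0.1.11", 12_000),           # host nobody inventoried talks to DB
    ("10.0.9.42", "198.51.100.9", 900_000_000),   # same host pushes 900 MB outbound
    ("10.0.1.10", "203.0.113.7", 300_000),        # web -> internet, small
]


def is_internal(addr):
    """True when addr falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_inventory(scan_hosts, ad_records, flows):
    """Merge every source into one map: ip -> set of sources that saw it.

    External addresses seen in flows are deliberately excluded; they are
    peers, not assets.
    """
    seen = defaultdict(set)
    for ip in scan_hosts:
        seen[ip].add("scan")
    for ip in ad_records.values():
        seen[ip].add("ad")
    for src, dst, _ in flows:
        for ip in (src, dst):
            if is_internal(ip):
                seen[ip].add("netflow")
    return dict(seen)


def untracked_hosts(inventory):
    """Internal hosts that only passive data (NetFlow) knows about.

    These are the forgotten systems the article warns about: nothing in
    the scan or the directory accounts for them.
    """
    return sorted(ip for ip, srcs in inventory.items() if srcs == {"netflow"})


def unknown_to_known_links(inventory, flows):
    """Back-end connections between untracked hosts and inventoried ones."""
    unknown = set(untracked_hosts(inventory))
    links = set()
    for src, dst, _ in flows:
        if src in unknown and dst in inventory and dst not in unknown:
            links.add((src, dst))
        if dst in unknown and src in inventory and src not in unknown:
            links.add((dst, src))
    return sorted(links)


def suspicious_egress(flows, threshold_bytes):
    """Sum bytes per internal source sent to external addresses and flag
    sources at or above threshold_bytes (an assumed cut-off; a real
    deployment would compare against each host's historical baseline)."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {src: b for src, b in totals.items() if b >= threshold_bytes}


if __name__ == "__main__":
    inv = build_inventory(SCAN_HOSTS, AD_RECORDS, FLOWS)
    print("untracked hosts:", untracked_hosts(inv))
    print("untracked -> tracked links:", unknown_to_known_links(inv, FLOWS))
    print("large egress:", suspicious_egress(FLOWS, 100_000_000))
```

Run on the constructed data, the inventory shows 10.0.9.42 as a host that only NetFlow has ever seen, that it has a back-end connection to the inventoried database server, and that it is the single largest sender to external addresses. Each of those findings is a lead for an analyst, not a verdict: the first two feed the asset list, the third needs a baseline before it means anything.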

However, keeping tabs on netflow data may be only addressing symptoms of a deeper problem. Part of the issue at hand is that organizations are assessing risks to their assets in a bubble, says John Pescatore, director of emerging trends for SANS Institute.

"There is generally no real connection to real-world threats on how best to protect the business or the customer's information," he says.

All too often, Pescatore says, organizations use a small imaginary number to estimate the probability of a security incident, a large imaginary number to estimate the cost of a security incident, and then multiply those two numbers together to get a medium-size imaginary number. The exercise, he adds, is done purely to tell auditors that they did an assessment.

Instead, he says, it is important to home in on a controls-based priority list. This can be done by relying on a community of experts who can look at real-world threats and prioritize which security controls are most valuable in deterring those threats. Then they can prioritize solutions that implement those controls with as much automation as possible to improve efficiency and effectiveness.

"Work your way down the priority list until you run out of budget," Pescatore says.

Most importantly, though, organizations need to be comprehensive when seeking IT assets eligible for these controls. While mission-critical systems certainly deserve the most attention to detail, security professionals must also keep an eye on the fringes of IT infrastructure. It is there, in the places where high-priority and low-priority systems are interconnected, where business processes create tenuous links between otherwise unrelated systems and where data lurks in unexpected places. That gray area is where the biggest propensity for compromise awaits.

"Companies should take a very serious look at all assets and be very comprehensive in looking at the consequences of an attack," Abernethy says. "Don't overlook the mundane because, as the HKEX found out, it may very well be a critical risk area."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Peter Fretty, User Rank: Moderator, 11/14/2013 | 3:40:58 PM
re: How To Avoid Breaches Where You Least Expect Them
Great post. There is no question breaches impact everyone, and organizations need to integrate plans that not only prepare against breaches, but also strategies for how to handle post-breach situations. As a recent Sophos Naked Security blog discusses, breach susceptibility has prompted some states to strengthen notification laws. Simply put, customer data needs to be cherished.

Peter Fretty