"Most companies focus their efforts on locking down vital assets, such as the infrastructure, servers, mission-critical applications, and work machines, and when assessing risk put too much emphasis on these as opposed to other systems deemed not as vital," says Vann Abernethy, senior product manager for NSFOCUS. "But we have seen attacks against these soft targets that either led to serious damage or were used as a way into the systems that were thought to be better protected."
A great example of what it looks like when an organization chooses not to secure these incidental soft systems happened back in 2011 at the Hong Kong Stock Exchange (HKEX), Abernethy explains. HKEX ran a simple informational news site that wasn't prioritized for protection because it was a low-risk system with no connection to trading platforms and seemingly no connection to the organization's core trading functions. Nevertheless, a DDoS attack against this site actually kept a number of prominent companies from trading while that site was down.
[Your organization has been breached. Now what? See Establishing The New Normal After A Breach.]
"The news site is where companies posted announcements to comply with disclosure regulations, and when those statements could not be posted, trading was halted," Abernethy says. "So a site with minimal protection and a lower perceived risk value can cause several major stocks to go untraded when taken out -- and result in a huge loss in revenue."
It is a good lesson in how organizations have to exercise a higher level of thinking about potential threats to seemingly low-priority systems. In that case, the system in question was not necessarily connected to more sensitive systems of data. But often deprioritized soft targets are ideal for attackers because these systems have back-end connections to other systems that IT staff may not be aware of or have forgotten about. Similarly, some soft targets may not necessarily be connected to sensitive systems but could still hold sensitive data due to lack of policies or lack of enforcement of existing policies. Take, for instance, test databases for development work -- in many organizations, these databases will contain real production data. But they're not considered high-priority systems and don't have near the levels of controls on them as production databases.
So how does IT find those systems that could prove to be soft targets for attackers? It starts with becoming more comprehensive in asset discovery and tracking -- it's a task that's helpful not just for vulnerability management, but many more security investments that need to be made, says John Walton, principal security manager at Microsoft, in charge of the Office 365 security engineering team. Walton recommends using as many different sources of data as possible to put together an asset list, starting first with subnet base scanning and moving outward from there.
"So think about things like your log data, maybe netflow data or network routing information, your asset data in Active Directory, and any other number of sources you may have available or could start collecting from," he says. "Then really try to combine those different sources because the more you can identify, the closer you can get to having a complete asset list."
Even before developing that list, though, netflow data can also be particularly helpful for identifying existing compromises of seemingly low-risk systems connected to and endangering more critical systems.
"If you are seeing large and unexpected flows of data from an internal origination point to other computers on the network or to external addresses, this can indicate an attempt to exfiltrate data from your company," says A. N. Ananth, CEO of EventTracker. "Netflow data is a useful way to spot these unexpected information flows."
However, keeping tabs on netflow data may be only addressing symptoms of a deeper problem. Part of the issue at hand is that organizations are assessing risks to their assets in a bubble, says John Pescatore, director of emerging trends for SANS Institute.
"There is generally no real connection to real-world threats on how best to protect the business or the customer's information," he says.
He says that all too often organizations use a small imaginary number to estimate the probability of a security incident, a large imaginary number to estimate the cost of a security incident, and then multiply those two numbers together to get a medium-size imaginary number, says Pescatore, adding that the exercise is purely done to tell auditors that they did an assessment.
Instead, he says, it is important to home in on a controls-based priority list. This can be done by relying on a community of experts who can look at real-world threats and prioritize which security controls are most valuable in deterring those threats. Then they can prioritize solutions that implement those controls with as much automation as possible to improve efficiency and effectiveness.
"Work your way down the priority list until you run out of budget," Pescatore says.
Most importantly, though, organizations need to be comprehensive when seeking IT assets eligible for these controls. While mission-critical systems certainly deserve the most attention to details, security professionals must also keep an eye out for the fringes of IT infrastructure. It is there -- in the places where high-priority and low-priority systems may be interconnected -- where business processes create a tenuous connection between unrelated systems, and where data lurks in unexpected places. It is that gray area where the biggest propensity for compromise awaits.
"Companies should take a very serious look at all assets and be very comprehensive in looking at the consequences of an attack," Abernethy says. "Don't overlook the mundane because, as the HKEX found out, it may very well be a critical risk area."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.