Stuxnet, DuQu and the advanced persistent threat (APT) are currently dominating the headlines. Sophisticated zero-day exploits and carefully researched and planned attacks that appear to be almost impossible to defend against have many security professionals wondering if this is a game they can possibly win. The part that is often overlooked: These attacks target only a small number of organizations.
In particular, groups like Anonymous and LulzSec have made a name for themselves by not seeking out the latest and greatest vulnerability, but by persistently scanning large organizations until they find the one weak system ready to be exploited. For example, in its attack against NATO, among all of the hosts NATO is likely operating, LulzSec found an online bookstore with a very common, unpatched vulnerability and managed to exploit it. Thanks to their persistence, these groups are frequently able to leverage a minor breach like this by taking advantage of shared passwords and other trust relationships between systems.
Shared passwords, unpatched systems and basic web application vulnerabilities. These issues are easily mitigated. The problem is usually a matter of scale. In order to actually apply consistent and centralized policies and controls, an organization needs the infrastructure, culture and, first of all, leadership to accomplish this task.
Too many IT security leaders still see security as an amazing and interesting game of cops and robbers: trying to outwit the bad guy, dodging the bullet, having “better kung-fu” than the other side. Sadly, they would probably be better off turning security into the most boring counterpart of cops and robbers: operations. Operationalizing security is the only way you will ever be able to counter modern not-so-advanced persistent threats. These threats are much more likely to cause a breach than sophisticated advanced persistent threats. As an added benefit: A clean and well-managed network will also help you with many of the more advanced threats.
Just to put this into perspective with some real numbers: Let’s take a look at a quick summary of web logs for isc.sans.edu, a web site I operate. According to this probably incomplete review of access logs, I spotted about 200 attacks yesterday. Each attacker tried on average about a dozen different attacks with one of them being responsible for almost half of the attacks. In addition, my firewall blocked more than 7,000 connection attempts that day that never made it to the web server.
The only way you are able to fight this is by using simple, repeatable techniques. I sometimes refer to it as “street fighting” style security vs. “Kung Fu.” These are simple, ugly at times, but effective and repeatable techniques implemented consistently.
Make security part of what you are doing anyway; make it part of operating a network. Establish clear guidelines and controls and apply them consistently throughout your network. This usually requires that security functions are also part of top IT management. Sony, for example, initially figured they could do without it. They were proven wrong.
Have a network, but don’t integrate security into it as part of the operations and design. An embarrassing attack that is estimated to have cost Sony $170 million in damages made the company think again. To its credit, it hired a CISO to take top-level, centralized responsibility for security. At the same time, it gained the top-level visibility into its IT operations it needed.