The article below is a condensed version of a chapter from The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development, a book by Gene Fredriksen scheduled for publication in March 2017.
What do you have that the enemy would like to steal? If you were the bad guy, how would you steal it? If you were the enemy, how would you disrupt your business and why? Here is a cautionary (and true) story to illustrate:
A company I once worked for reported a break-in to an engineering office that resulted in the theft of a couple laptops. Management and law enforcement were certain the stolen laptops would end up in a pawn shop; no client data were on the machines. My first mistake was believing the initial assessment. A couple of months later, I got a call from one of the company’s locations that a key piece of high volume production equipment was behaving strangely and shutting itself down. The case was beginning to sound like malware, but how would it get on the system? We were guaranteed that the system was isolated on the network with no external connectivity.
We later found a custom piece of malware on the system that attacked the memory locations critical to the operating program, consuming the system’s resources. The question now was about how it got on the machine in the factory. We learned a well-meaning network engineer had enabled the machine for Internet access so its operator could surf the web during his slow night shift hours. The engineer reasoned it was safe because the laptop was behind a firewall and ran antivirus software. His logic was sound except that the operator was also using web mail to keep up with his friends.
The first clue we found during our investigation was that this business was an acquisition from about a year prior, and there were layoffs in the engineering ranks. The engineering office was in the location that had the break-in months before. Through interviews with office staff, we found out the thieves had walked through the main office, entered a back office and stole the two laptops.
On the compromise side, we were able to locate and reverse-engineer the attack code. It actually contained some code identical to the operating code developed thousands of miles away. Further investigation showed that the malicious code had entered via an email attachment opened by the operator that looked much like a legitimate email.
So, we know the how but what about the why? Simply, it was revenge and competitive loss. If the company could not keep up with production commitments due to malware problems, they would lose huge, high volume contracts to competitors.
So, what did I learn? First, nothing is ever as simple as it first seems. Second, traditional data breach for profit, while very prevalent, is not the only answer – never become comfortable, and always challenge your assumptions. You don’t get paid to take the easy position – you are one of the last lines of defense for the company. Third, when you identify a threat vector, learn to think like the enemy. If you were going to shut down production equipment for revenge, how would you do it?
As dedicated as we are to protecting our data, there may be hackers more dedicated to stealing it.
Focusing solely on keeping attackers out of a network is no longer the best strategy to protect an organization from cyber security threats. If an attacker is successful in establishing a foothold on the network and hiding their presence, they will have unlimited time to probe and snoop around the company infrastructure. During that time, they may find where the company jewels are really kept. When we hear about massive breaches, we also typically hear that the attacker existed on the network for months or even years.
Many companies mistakenly believe that they are perfectly safe behind a firewall. The fact is quite the opposite: if you can get out of your network, someone else can get in. The most common cause behind the presence of vulnerable applications is failing to stay on top of security updates. It seems that throughout my career, patching always seems to take a back seat to other activities. Not for a lack of concern, but because with limited staff and resources, something has to wait.
Keeping up to date on patches and security updates is a good start toward protecting your network. The goal of security controls and countermeasures should be to defend your network while maintaining its ease of use and accessibility.
Today, hackers are winning on sheer speed and determination. Remember, the attacker has an army of allies who take great pleasure in discovering vulnerabilities and sharing their discoveries. Unfortunately, we cannot turn back the clock and return to more innocent days. As attackers become more skilled, it is next-to-impossible to keep systems completely free from compromise. The key is to shift the time frames of an attack, so that the odds are stacked in the defender’s (not the attacker’s) favor.
It’s also important to understand that cybercrime is an economic crime. In my experience, there are very few attackers that look for complex targets to “test their skills.” The average attacker is looking for an easy target.
Network vigilance is another factor that can reduce the time frame from compromise to detection. It is during this period that attackers are able to explore networks and steal resources without hindrance.
If the firm you hired to test your defenses is not able to gain advanced access, you did not pick the right firm. You don’t run a penetration test to prove how good you are, you run it to find new holes and paths to the corporate jewels that you do not know about.
We can build the biggest castle with the largest moat to protect us, but the sentry in the parapets is our most effective early warning system. We shouldn’t wait until the siege engine has brought down the walls to react. Carl von Clausewitz said it is better to act quickly and err, than to hesitate until the time of action is past. We do not have the luxury of time on our sides.
Knowing our enemy allows us to respond quicker and stack the odds in our favor.