1) Fully understand your assets. As security professionals, we should know what we are protecting. Although this seems like an obvious question, it is a very difficult one. Ask yourself: "What is the most important data within my organization? What are the five most important business processes that deal with that data?"
2) Reduce the number of vulnerabilities in your systems. Threats mutate every minute, and it is very difficult to keep up with the bad guys. It is more worthwhile to spend the time and effort on reducing the attack surface. Dr. Cole's idea of an "airline security model" is great: it is almost impossible to protect thousands of different kinds of machines within one organization, but the task becomes much easier if the number of different kinds of machines is reduced to fewer than ten. Coupled with a strict change management process, this makes the task really manageable.
3) Pay more attention to insider attacks. Statistics show that the number of insider attacks is almost equal to the number of outside attacks, yet only 20% of the money and effort is spent on defending against insider attacks. There are generally two types of insider attackers: malicious insiders and unintentional attackers. Malicious insiders intend to harm your organization, driven by factors such as money, revenge, etc. Unintentional attackers are victims who helped the bad guys without even knowing what was going on. It might be an employee who clicked a malicious link in a spear-phishing email. Or it might be a help desk technician who happily assists a "so-called" manager on vacation with resetting his/her password so that he/she can finish some urgent tasks. Or it might be just a customer service representative who is helping a customer through a vulnerable intranet application that reads a malicious payload dropped by the bad guys. The list goes on and on. The castle can easily be broken down from the inside. However, people seem reluctant to distrust insiders, since we are all working for the same company. This is fine; in fact, most organizations encourage employee socialization to boost productivity. But we should also educate employees about insider risks and deploy defenses against them.
4) Correlation, correlation and correlation. Attacks are becoming more sophisticated as the systems evolve too. How do you detect a multi-stage attack? How do you detect an encrypted payload? The answer is "correlation". Individual events might not be very interesting on their own, but correlated together they might indicate that something really bad is happening. Here is Dr. Cole's example:
- Some content is downloaded from an unsafe website
- An untrusted program runs
- Something changes registry and system files
- The machine talks to strange outside servers
- A huge amount of data is transferred outside
5) Pay more attention to outbound traffic. The goal of the attacker is "making money". They want your sensitive data, or they will find other ways to profit. Stealing your data is one of the most common ways for them to get rich, and the impact is more serious than a denial of service attack. That data has to be transferred out of your organization, so pay attention to these outbound connections:
- Connections made directly to an IP address or to a dynamic DNS name
- Long-lived connections
- Connections carrying a large amount of traffic
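As an added example (it is not from this post or from Dr. Cole's talk), the Python below turns points 4 and 5 into one detection rule: each event in a constructed telemetry sample is mapped to a stage of the chain above, outbound connections are flagged by the three criteria just listed, and a host is alerted on only when several distinct stages fall inside one time window. The event format, the thresholds and the dynamic-DNS suffix list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not from the original post): <iso ts> <host> <type> key=value ...
SAMPLE_LOG = """\
2024-01-10T09:00:00 ws17 download url=http://free-tools.example/setup.exe reputation=untrusted
2024-01-10T09:00:40 ws17 process_start image=C:\\Users\\a\\setup.exe signed=no
2024-01-10T09:01:05 ws17 registry_write key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2024-01-10T09:02:00 ws17 outbound dst=203.0.113.9 dst_name=- duration_s=5400 bytes_out=3100000000
2024-01-10T10:30:00 ws42 outbound dst=198.51.100.7 dst_name=vpn.example.com duration_s=7200 bytes_out=4096
"""
DYNDNS_SUFFIXES = (".dyndns.example", ".no-ip.example")  # placeholder provider list (assumption)
def parse_line(line):
    ts, host, etype, *kv = line.split()
    return datetime.fromisoformat(ts), host, etype, dict(p.split("=", 1) for p in kv)

def outbound_flags(f):
    """Point 5: raw-IP or dynamic-DNS destination, long-lived connection, large volume."""
    flags = set()
    if f.get("dst_name", "-") == "-" or f["dst_name"].endswith(DYNDNS_SUFFIXES):
        flags.add("strange_server")
    if int(f.get("duration_s", 0)) > 3600:          # threshold is an assumption
        flags.add("long_lived")
    if int(f.get("bytes_out", 0)) > 1_000_000_000:  # threshold is an assumption
        flags.add("bulk_transfer")
    return flags

def stages_for(etype, f):
    """Map one event to a stage of Dr. Cole's example; empty set if it looks benign."""
    if etype == "download" and f.get("reputation") == "untrusted":
        return {"untrusted_download"}
    if etype == "process_start" and f.get("signed") == "no":
        return {"untrusted_program"}
    if etype == "registry_write" and "\\CurrentVersion\\Run" in f.get("key", ""):
        return {"persistence_change"}
    return outbound_flags(f) if etype == "outbound" else set()

def correlate(log, window=timedelta(minutes=30), min_stages=4):
    """Alert on a host only when >= min_stages distinct stages fall inside one window."""
    per_host = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, etype, f = parse_line(line)
        per_host[host].extend((ts, s) for s in stages_for(etype, f))
    alerts = {}
    for host, evs in per_host.items():
        for t0, _ in evs:  # try every event as the start of a window
            hit = {s for t, s in evs if timedelta(0) <= t - t0 <= window}
            if len(hit) >= min_stages:
                alerts[host] = sorted(hit)
                break
    return alerts
```

With the sample, ws17 trips all stages within two minutes and is reported, while ws42's single long-lived connection is flagged but, on its own, never reaches the alert threshold.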
6) Detection is key.
7) Automation is a must.