Target, Sony, Belgacom and You
We’ve seen some high profile corporate information security failures in the past year at a wide range of companies: Target, Belgacom, Sony Pictures Entertainment, the various attacks on gaming companies by Lizard Squad and others. The goals of the attackers are as varied as their targets. In some cases attacks are purely motivated by profit, others may be for corporate or national espionage, some are politically motivated to create the maximum embarrassment for the target, and some may be simply for the bragging rights. It seems there is no way of knowing which company may be the next to be attacked. In order to minimize the chances of your company being breached, and reduce the impact if a particularly determined and resourceful attacker does find a vulnerability, it’s important that security is not an afterthought. Let’s look at a few steps you can take to prevent, detect, and contain cyber attacks.
Protect your Perimeter
This does not just mean having a good firewall. The weakest part of your defenses is the people inside them. Many breaches start with a phishing attack aimed at employees. As well as a good messaging security system, make sure your employees are trained to detect and report phishing and social engineering attacks. I suggest informing all your staff that you have hired a penetration testing company to attempt to breach corporate security at some point in the next year, and offer a free dinner for two to anyone who successfully detects an attack via phishing, social engineering or physical penetration. If you promote this effectively enough you may not even have to hire the pen testers!
Routinely Encrypt all your Data
Any system administrator will tell you that administrators need access to all the data on the system. Don’t listen to them. A single renegade employee, or a single compromised account, does not need and should not have access to every email, spreadsheet, or PowerPoint presentation in the organization. If you only password-protect sensitive documents, that is a start, but it shows attackers where the sensitive data is, and those files may be vulnerable to brute force attacks. If you password-protect everything, an intruder does not know which files are worth attacking.
Use Secure Communications Channels
A vast amount of sensitive corporate data is transmitted by email. If an intruder gains access to your mail server, they can potentially read all of this. Email residing on your mail server should be encrypted. At the moment, PGP provides a fairly clumsy way of doing this, but there are some much more user-friendly approaches currently in development, so we can expect to see a range of solutions for this by this time next year. The Belgacom attack showed the lengths to which some attackers will go to intercept voice communications. For mission critical voice and text message communications a hardened mobile device such as a Blackphone along with the Silent Circle apps is recommended.
Set up Bulkheads between Systems
In the Target attack, criminals compromised an account at Target’s HVAC contractor, and from there were able to place their own software on the point of sale terminals. There is no reason why anyone with access to the thermostats should also have access to the cash register. Those networks should not touch. Build separate systems with separate credentials, and make sure your system administrators don’t use the same passwords on different systems. They can be different VPNs on the same physical network, so this does not add a huge cost overhead. Make sure that any system that handles payments is isolated from the rest of your network. Pay particular attention to any systems connected to your web server as well, as there are many vulnerabilities in some of the common content management systems. Having your web site defaced by hacktivists is bad enough, but make sure they can’t also publish copies of your corporate databases.
Watch for Data on the Way Out
One notable thing about the Sony Pictures Entertainment attack was the huge volume of data exfiltrated from their network. Make sure that you have network monitoring in place to detect data exfiltration. Be on the lookout for unorthodox transfer methods. As well as HTTP, HTTPS and FTP, be sure you are monitoring DNS, BitTorrent and other protocols that can be used for data transfers.
Protect your Infrastructure
Some malicious attackers like Lizard Squad may simply want to put you out of business for a while with a DDoS attack. Make sure that you are well protected against this. Check that your DNS servers are robust as well, as we are seeing an increasing number of DDoS attacks that exploit the vulnerable DNS system, either by DNS amplification or by resource exhaustion, also known as the water torture attack.
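Both the DNS exfiltration mentioned under "Watch for Data on the Way Out" and the water torture attack above leave the same kind of trace in DNS query logs: a flood of distinct, random-looking subdomains under one zone. The following script, an added example and not code from the original post, aggregates a small constructed query log per zone and flags zones matching either pattern. The log format, the two-label zone split, and the thresholds are all assumptions for illustration and should be tuned against your own traffic baseline.

```python
import math
from collections import defaultdict

# Constructed DNS query log for this example, "<ts> <client> <qname> <rcode>" per line.
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com NOERROR
2 10.0.0.5 mail.example.com NOERROR
3 10.0.0.5 www.example.com NOERROR
4 10.0.0.7 4f3a9c1e7b2d8e0f1a2b3c4d5e6f7a8b.x.tunnel-example.test NOERROR
5 10.0.0.7 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.x.tunnel-example.test NOERROR
6 10.0.0.7 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.x.tunnel-example.test NOERROR
7 203.0.113.9 xq7zk.victim-example.test NXDOMAIN
8 203.0.113.9 b2m9p.victim-example.test NXDOMAIN
9 203.0.113.9 w8r4t.victim-example.test NXDOMAIN
"""
def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded payloads score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def split_zone(qname: str):
    """Crude split: the last two labels are the zone (assumption: no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def per_zone_stats(log_text: str) -> dict:
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "nx": 0, "bytes": 0, "ent": 0.0})
    for line in log_text.splitlines():
        _ts, _client, qname, rcode = line.split()
        zone, sub = split_zone(qname)
        z = stats[zone]
        z["queries"] += 1
        z["subs"].add(sub)
        z["nx"] += rcode == "NXDOMAIN"
        z["bytes"] += len(sub)       # data leaves the network inside the query name itself
        z["ent"] += entropy(sub.replace(".", ""))
    return stats

def flag_zones(stats: dict, min_queries: int = 3) -> dict:
    """Return {zone: reason}. Thresholds are illustrative; tune them against your own baseline."""
    findings = {}
    for zone, z in stats.items():
        n = z["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(z["subs"]) / n
        if unique_ratio > 0.9 and z["nx"] / n > 0.8:
            findings[zone] = "random-subdomain flood (water torture) against this zone"
        elif unique_ratio > 0.9 and z["ent"] / n > 3.0 and z["bytes"] / n > 20:
            findings[zone] = "possible DNS exfiltration or tunnelling"
    return findings
```

Run `flag_zones(per_zone_stats(SAMPLE_LOG))` to see the two suspicious zones reported while the ordinary example.com traffic stays quiet; in production, feed it your resolver's query log in windows of a few minutes rather than the whole day.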
Have a Data Breach Response Plan Ready
If you do have a major data breach, a rapid and appropriate response to your customers and to the press will go a long way to restoring corporate credibility. Plan for this in advance. Make sure that you have experts on call to deal with the breach, and that the people responsible for writing and approving external communications are aware of their roles and are adequately briefed while the crisis is being handled.