Decreasing Risk to the Enterprise
Today, more than ever, organizations need Information Security programs. Data breaches are on the rise and adversaries have organized into a Hacking-as-a-Service model, so organizations must coalesce around safeguarding their environments. But for new or immature Information Security programs, what should they absolutely be doing today? To examine this question, let’s take a look at a fictional company called Dorp Corp.
Dorp Corp, a giant in the retail industry, was the victim of a data breach. An adversary gained access to Dorp Corp’s internal network and gathered 60 million customer records which included PII and PCI information. This data breach cost Dorp Corp a total of $85 million, along with a hit to its impeccable national brand. When notification of the breach was first received, the CISO and CIO wondered how this was possible. They had the latest and greatest firewall product, encrypted all communications and had every network monitoring tool set up to watch for zero-day attacks. To understand how this happened, we have to take a look at Casey, in shipping.
Nine months before Dorp Corp was notified of the data breach, Casey received an email which appeared to come from Dorp Corp’s IT department. The email informed Casey that their mailbox limit had been reached and some emails had been lost as a result. The email told Casey to click the link it contained and enter their Dorp Corp username and password into the corresponding website so that their mailbox size could be increased and the held emails forwarded to their inbox. Casey glanced at the email, clicked the link, then entered their credentials. There was even a confirmation page that told Casey to expect the held emails within the next three days. Casey, however, was unaware that their credentials would be leveraged as the first step in a digital attack on Dorp Corp.
Many people, just like Casey, don’t think of themselves as a security risk because when they think of a data breach they typically think of a hacker entering commands on a keyboard. These commands instantaneously bypass all perimeter security and internal monitoring devices. Then the hacker’s next keystrokes search for and find every record the company has and take them all. While this is the story most films would have us believe, it could not be further from the truth. In fact, in 2018, 96% of cyber attacks began with and/or were carried out via email (Verizon. “2018 Data Breach Investigations Report”), just like the email received by Casey.
In a typical targeted attack, an adversary will start with research. The target is Googled, its website is studied for logos, and the target’s staff are searched for on LinkedIn. All of this information is used to put together a plan which will likely consist of a targeted phishing email like the one Casey received. Because Casey is not as versed in security as they should be (e.g. checking the sender’s email address to verify the email is from the IT department, knowing their IT department would never ask for their username and password, etc.), they are very likely to click the link in the email and enter their username and password into a nefarious website designed to look like a Dorp Corp website. If the link had not led to a website asking for their credentials, it likely would have led to a nefarious application that would have attempted to install itself on Casey’s workstation.
Once the adversary has Casey’s credentials, they will use them to log into Casey’s account. From there they will use tools that are readily available on every Windows 10 workstation to investigate the network. They will identify as many internal systems (e.g. websites, applications, databases, domain controllers, etc.) as they can. Every user account has some level of access to internal systems. Most corporate networks have the proper perimeter protection in place, so bypassing a firewall, unless it’s poorly configured, is a difficult task. The easier option is to have a user provide the adversary the access they need via a social engineering mechanism like a phishing email.
After the adversary has identified the internal systems, they will scan them in stealth mode (i.e. scanning that is highly likely to go unnoticed by monitoring solutions) to see whether any known vulnerabilities (e.g. missing security update patches, out-of-the-box configuration settings, etc.) exist that can be exploited. Once this information has been confirmed, the attacker decides which systems to attack and goes to work installing backdoor applications, copying data so that it can be sent to an external system they control, or setting up a ransomware attack.
This attack process is prevalent whether systems are on-prem or in the cloud. When looking at this type of attack, which is the norm in the hacking world, one can immediately find areas to address within an Information Security organization.
Regardless of the maturity of your information security organization, there are 5 things every organization should be doing, today, to aid in enhancing their Information Security posture:
- Cyber Security Awareness Program. A cybersecurity awareness program is a set of training modules, pamphlets, and exercises that make all end-users aware of the more common attacks (e.g. phishing scams, specially crafted emails, data vigilance, etc.) against your organization. An example would be a computer-based training module that details how to check an email that asks for information for authenticity. If Dorp Corp had possessed a mature Cyber Security Awareness Program, Casey would have known that their IT department would never ask for their credentials. Based on this fact, they could have determined the email was a phishing scam and forwarded it to their IT Security department.
- Authentication. Two-factor authentication (2FA), leveraging something someone physically has in addition to a password, should be implemented wherever possible. If someone were able to guess the password to an account, the account still cannot be accessed without physical possession of the second factor. 2FA, implemented properly, all but nullifies compromised passwords. Had Dorp Corp implemented 2FA, the adversary would not have been able to log into Casey’s account without their second factor (e.g. smartphone, fob device, etc.). The attack would likely have stopped here.
- Vulnerability Management. A DarkReading article noted that 60% of data breaches included the exploitation of a vulnerability for which a patch was available (Higgins, Kelly Jackson. “Unpatched Vulnerabilities the Source of Most Data Breaches”. April 5th, 2018. https://www.darkreading.com/vulnerabilities---threats/unpatched-vulnerabilities-the-source-of-most-data-breaches/d/d-id/1331465). Having a mature vulnerability management process in place can decrease your attack surface by a large percentage, yet many organizations, to this day, cannot patch systems in a timely manner. It takes an average of 34 days to patch high-priority known vulnerabilities (tCell. “Security Report for In-Production Web Applications”). Couple this with the fact that “access to websites belonging to 70% of companies on the Financial Times (FT) 500 list can be found on the dark web, because the apps are not protected with strong authentication and other access-control measures” (“Abandoned Web Applications: Achilles’ Heel of FT 500 Companies”, High-Tech Bridge Security Research), and adversaries have an abundance of targets and a lot of time to figure out how to get data from them. With a mature vulnerability management program, patches would be deployed within 14 to 30 days of availability.
- Secure the Endpoint. Today corporations allow employees to work remotely and connect from any network. This access essentially removes traditional perimeter security, and because of this, it is critical to secure the endpoint with a solution that leverages crowdsourced and/or AI capabilities to thwart adversaries. Securing the endpoint, be it a server or workstation, with AI-infused endpoint security provides the ability to alert on a user who has performed actions outside the scope of their responsibilities. When the adversary tried to log in to the domain controller with Casey’s credentials, an alert would have fired because Casey is not an IT administrator; they’re in shipping.
- Segment the Enterprise. Many data breaches begin with social engineering and/or a vulnerable system, yet most can’t be completed without unfettered access to an internal network. Segmenting the internal network is a very important mitigation against adversaries gaining full access to a network, against the spread of viruses and ransomware, and against insider threats. Limiting access between internal network segments keeps environments safe. Had Dorp Corp properly segmented its network, the computers in shipping would only have had access to servers in shipping or to corporate servers required for logging in to the domain, sharing files, or some similar corporate function. The Shipping domain would never have had access to the Sales domain to gather that PII/PCI information.
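As an added example (not code from the article or from Slalom), here is a small Python detection rule that models the last two items together: it flags a logon when the user’s department is outside the destination host’s allowed roles (Casey authenticating to the domain controller), or when the source segment is not permitted to reach the destination segment (shipping reaching sales). The user directory, host inventory, segmentation policy, host names and log format are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed directory: which department each user belongs to.
USER_DEPT = {"casey": "shipping", "dana": "it"}

# Constructed host inventory: network segment and departments allowed to log on.
HOSTS = {
    "SHIP-WS07":  {"segment": "shipping", "allowed": {"shipping", "it"}},
    "SHIP-FS01":  {"segment": "shipping", "allowed": {"shipping", "it"}},
    "DC01":       {"segment": "corp",     "allowed": {"it"}},
    "SALES-DB01": {"segment": "sales",    "allowed": {"sales", "it"}},
}

# Constructed segmentation policy: which destination segments each source segment may reach.
SEGMENT_ALLOW = {
    "shipping": {"shipping", "corp"},
    "sales":    {"sales", "corp"},
    "corp":     {"shipping", "sales", "corp"},
}

# Constructed log format: "<timestamp> LOGON user=<u> src=<host> dst=<host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def check_logon(line: str) -> List[str]:
    """Return the alert reasons for one logon event; an empty list means benign."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    user, src_host, dst_host = m["user"].lower(), m["src"], m["dst"]
    dept, src, dst = USER_DEPT.get(user), HOSTS.get(src_host), HOSTS.get(dst_host)
    if dept is None or src is None or dst is None:
        return ["unknown user or host"]  # unknown entities are worth a look, not silently ignored
    reasons = []
    if dept not in dst["allowed"]:  # role scope: a shipping user has no business on a DC
        reasons.append(f"{user} ({dept}) logged on to {dst_host}, outside role scope")
    if dst["segment"] not in SEGMENT_ALLOW[src["segment"]]:  # segmentation policy
        reasons.append(f"segment {src['segment']} -> {dst['segment']} not permitted")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run check_logon over every line and keep only the events that alert."""
    return [(line, r) for line in lines for r in [check_logon(line)] if r]


# Constructed sample events: Casey's normal file-server use, then the attacker's moves.
SAMPLE_LOG = [
    "2019-03-01T08:02:11Z LOGON user=casey src=SHIP-WS07 dst=SHIP-FS01",
    "2019-03-01T23:14:52Z LOGON user=casey src=SHIP-WS07 dst=DC01",
    "2019-03-02T01:40:03Z LOGON user=casey src=SHIP-WS07 dst=SALES-DB01",
]
```

Running `scan(SAMPLE_LOG)` leaves the first event alone and returns the two later ones: the domain controller logon trips the role-scope check, and the sales database logon trips both the role-scope and the segmentation check.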
These 5 items, when implemented in conjunction as a coordinated program, will aid in providing a strong defense for an enterprise environment. Over the next 6 months, we’ll publish more detailed articles that will expand on each core item.
Slalom is a modern consulting firm focused on strategy, technology, and business transformation. In over 30 cities across the US, UK, and Canada, Slalom’s teams have the autonomy to move fast and do what’s right. They’re backed by regional innovation hubs, a global culture of collaboration, and partnerships with the world’s top technology providers. Founded in 2001 and headquartered in Seattle, Slalom has organically grown to over 7,000 employees. Slalom was named one of Fortune’s 100 Best Companies to Work For in 2019 and is regularly recognized by employees as a best place to work.
Slalom Atlanta got its start and grew by attracting veteran consultants with the promise of no unwanted travel. We build trusting relationships in our home communities. We offered the brightest lights in consulting an opportunity to love their work and their life. We knew that what was good for our people would be good for our clients, and the growth of Slalom Atlanta has reflected this.
Slalom has been operating in the Atlanta area for over 10 years. We have solved some of the most complex problems for Atlanta’s top corporations. We provide Information Security expertise out of our Technology Strategy group and love having discussions about the opportunity organizations have with Information Risk Management. We have helped clients build PMO offices to run their risk divisions, provided maturity assessments to devise plans to address high-priority risks, and served as virtual CISOs to clients to help fill a critical function in their information security practice.
Learn more at www.slalom.com.