This article is contributed by Chris Roberts, Chief Security Architect at Acalvio Technologies.
So, the CISO MAG staff and I were talking about an end-of-year article that might get people reflecting on 2017 AND concentrating on 2018. The prediction thing is too fuzzy and I have an aversion to crystal balls, the financial thing is pretty much sorted (everyone got their 2018 budgets locked and loaded? More blinky lights for everyone, right?), and if I hear again that AI or ML is going to solve everything I will be whipping up another batch of Molotov cocktails to distribute. So, we decided to go back to basics.
The human, the poor sap we sit between the chair and the keyboard, is the one we expect to defend against people like me on a daily basis. We ask them to do this all the while juggling their regular jobs on systems that are either ancient or changing every 5 minutes with that annoying call of “where’s my damn icon NOW?” ringing out across the office. We ask them to defend our companies after we take them for 1 hour each year and sit in a room with a geek who simply tells them to “Please don’t click sh*t, please don’t send sh*t, and please stop using [email protected] as your Facebook, bank, AND company log in.” That’s one whole hour, once a year and you then expect them to remember that for the remaining 2,086 work hours in the year (I’m now waiting for someone to tell me it’s 2,080 and I’ll point out leap years and calendar fluctuations. Trust me, HR folks need advanced degrees in quantum math to work out holidays and work periods!)
Here’s another thing you’re probably not paying enough attention to: those servers. Yes, you know the ones, the ones sitting in the remote office, or the warehouse (yeah, you thought I forgot about those, didn’t you). They’re sitting on the same network segment as the rest of the organization, aren’t they? The users, servers, printers, doors, AD, and probably even the IoT office dog’s bowl are all sitting on the same network. Just because it’s easy, just because you don’t know how DHCP or VLANs work, doesn’t excuse you from putting some simple separation, segmentation, or other controls in place. Oh, and back to those Windows XP servers in the warehouse: just because the vendor or supplier is too lazy to upgrade them doesn’t excuse you from taking adequate protection to reduce the risks accordingly.
And another thing. Recently we were on an IR engagement and the attackers hit at 22:30 on a Friday night. They were done and out with “job done” left all over the screens 3 hours later (NOT the normal 12 hours AVERAGE it takes to get in and get out without being detected). It took them 3 hours, and nobody was watching the logs until 0800 MONDAY morning. Get some logging in place, get someone to watch them 24×7, and pony up the minimal money it costs to have some peace of mind!
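As an added illustration (my editor’s example, not something from the engagement or the original article): this is the kind of dumb, cheap rule that pages a human at 22:31 on the Friday instead of letting the team find “job done” on Monday. The log lines, host name, addresses and the Mon–Fri 07:00–19:00 “business hours” policy are all constructed for the example; swap in your own SIEM query and your own hours.

```python
"""Off-hours / external-source login detection over a few constructed
syslog-style lines, plus the number of hours the attacker had before anyone
looked. Added example; the log data and policy below are made up."""
import re
from datetime import datetime, timedelta

# Constructed log: a normal Friday afternoon login, the 22:30 Friday intrusion
# (password login to a service account from a non-internal address, then a
# tarball of the file share), and the first analyst login on Monday morning.
SAMPLE_LOG = """\
2017-12-08T16:45:02 fileserver01 sshd[2211]: Accepted password for jsmith from 10.20.1.55 port 51122
2017-12-08T22:30:17 fileserver01 sshd[2290]: Accepted password for svc_backup from 203.0.113.77 port 40011
2017-12-08T22:31:05 fileserver01 sudo: svc_backup : TTY=pts/1 ; COMMAND=/bin/tar -cf /tmp/x.tar /srv/share
2017-12-09T01:28:44 fileserver01 sshd[2290]: Disconnected from 203.0.113.77 port 40011
2017-12-11T08:02:10 fileserver01 sshd[3102]: Accepted publickey for analyst from 10.20.1.9 port 50010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")

# Assumed policy for this example only.
BUSINESS_START_HOUR, BUSINESS_END_HOUR = 7, 19   # Mon-Fri 07:00-19:00


def is_internal(ip: str) -> bool:
    """Assumption for the example: everything in 10.0.0.0/8 is 'inside'."""
    return ip.startswith("10.")


def parse(line: str):
    """Split one syslog-style line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def off_hours(ts: datetime) -> bool:
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def suspicious_logins(log_text: str):
    """Return (timestamp, user, source, reasons) for each login worth paging on."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if not ev or ev["prog"] != "sshd":
            continue
        lm = LOGIN_RE.search(ev["msg"])
        if not lm:
            continue
        reasons = []
        if off_hours(ev["ts"]):
            reasons.append("off-hours")
        if not is_internal(lm["src"]):
            reasons.append("external-source")
        if lm["user"].startswith("svc_") and lm["method"] == "password":
            reasons.append("service-account-password-login")
        if reasons:
            hits.append((ev["ts"], lm["user"], lm["src"], reasons))
    return hits


def detection_gap_hours(log_text: str) -> float:
    """Hours between the first suspicious login and the next human review
    (here: the analyst's Monday login). That is the attacker's free window."""
    first_bad = suspicious_logins(log_text)[0][0]
    reviews = [parse(l)["ts"] for l in log_text.splitlines()
               if "Accepted publickey for analyst" in l]
    return (reviews[0] - first_bad) / timedelta(hours=1)


if __name__ == "__main__":
    for ts, user, src, why in suspicious_logins(SAMPLE_LOG):
        print(f"{ts} {user} from {src}: {', '.join(why)}")
    print(f"nobody looked for {detection_gap_hours(SAMPLE_LOG):.1f} hours")
```

Three cheap signals (wrong hours, wrong source, wrong auth method for a service account) each fire on their own here; you do not need UBA or a data lake for this, you need the logs shipped somewhere and one person with a pager.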
Don’t forget about the computers themselves. You’ve given each employee a new, shiny computer and you’ve entrusted them (you fool) with all your data. You’re left praying that the sales guys don’t trade their laptop for a round of drinks at the next client appreciation golf outing. Why? Because you didn’t bloody encrypt them! Seriously, full-disk encryption is free (BitLocker, FileVault and LUKS ship with the operating system), it’s simple, easy, secure, and can be locally or centrally managed. Just do it! That way, the next time you lose the security plans for a major airport or government you won’t be on the 9 o’clock news!
You have lost the battle for the perimeter; accept that and you might be able to focus accordingly. Look at the simple fact that in essence “computer number 1” has been compromised and work accordingly. The concept of predictive, proactive, deceptive technologies should not be alien to you. Neither should you buy next year’s purple blinky light F/W and expect it to do anything more than this year’s did, EVEN if it has UBA or “Next Gen” or “AI/ML” on it. You have the basic tools; now it’s time to elevate them with something OTHER than the same sh*t that hasn’t secured you for the last “x” years. Your presence on the Internets, all of the Internets, the open, dark, and deep: what do you know about yourself that might be out there, what do others know that is out there, and more importantly, what are your users, vendors, suppliers, partners, and trusted resources putting out there about you? Learn what’s outside of your four walls and it might help you to focus better on how to protect what’s inside them.
Oy vey, physical security still gets overlooked. The systems that are in place can still be bypassed (in many cases) with a fake business card (Sprint/AT&T, Cable Company), an official looking folder, and a box that looks like an Internets upgrade. Failing that, we’re going to go in via your shipping entrance, your vendor (HVAC, water, etc.), or some other way that gets us into your facility. When we get in, we’ll find your surveillance is probably on the LAN and if it’s working, nobody’s watching it. It’s still too easy, too simple to walk far enough into many facilities (not always the main office! Got to love satellite offices or warehouses on the LAN) and simply park yourself in their offices and let loose the dogs of war (or a scanner – both are equally effective). Fix the physical and you’ll be amazed at the uptake in people caring about how they look after “their” company.
Ok, now on to communications. Let’s NOT be another Uber. Sh*t happens – acknowledge it, learn from it, and move on. Humans can be forgiving if you ask for forgiveness, are contrite, accept the blame, and actually do better in the future. How do you avoid becoming another Uber? Communicate across the ranges – the basics of communication are fundamental to our understanding of our environments. Talk with people regularly, explain why decisions around security and integrity are being made, educate them as to the logic for protecting the organization, and help them implement the same protections at home and with their own family. Communication is free and it’s a troublingly underutilized tool!
A good friend of mine (F1nux) has a somewhat amazing yet grounded-in-reality statistic. He talks about the number of accounts that are already breached in global organizations at any one point in time and it’s ridiculous how many there are. It’s more than you’d think, and it’s right here, right now. If we can’t keep control of our credentials what hope do we have of keeping control of our data?
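One concrete thing you can do about the “already breached” problem, added here as an example (mine, not Chris’s or F1nux’s): check passwords against a breach corpus without ever handing the password, or even its full hash, to the service doing the checking. This is the k-anonymity range-query pattern that Have I Been Pwned’s Pwned Passwords API popularised: send the first five hex characters of SHA-1(password), get back every suffix in that range, and match locally. The breach “corpus” and the counts below are constructed stand-ins, not real breach data.

```python
"""k-anonymity password breach check: both the 'server' (breach corpus
indexed by 5-char SHA-1 prefix) and the client (hashes locally, sends only the
prefix, matches the suffix itself). Added example; corpus is constructed."""
import hashlib
from collections import defaultdict

# --- "server" side ----------------------------------------------------------
# Stand-in for a breach feed. These strings and counts are made up for the
# example; a real corpus has hundreds of millions of entries.
CONSTRUCTED_BREACHED = {
    "password": 3_500_000,
    "letmein": 120_000,
    "Winter2017!": 4_200,
    "welcome1": 88_000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus by the first 5 hex chars of the hash, so a range query
    can be answered without knowing which entry the client cares about."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def server_range_query(prefix: str):
    """Everything the server learns is this 5-char prefix. It returns every
    (suffix, count) under it, including entries for unrelated passwords."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return list(RANGE_INDEX.get(prefix, []))


# --- client side -------------------------------------------------------------
def breach_count(password: str, query=server_range_query) -> int:
    """How many times the password appears in the corpus (0 if absent).
    Only the hash prefix leaves this function via `query`."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def audit_accounts(accounts, query=server_range_query):
    """accounts: iterable of (username, password). Returns the usernames whose
    password is already in the corpus. Run this at password-set time (or over
    a dump you already hold in an IR); never log the passwords themselves."""
    return [user for user, pw in accounts if breach_count(pw, query) > 0]


if __name__ == "__main__":
    sample = [("jsmith", "Winter2017!"), ("bob", "correct horse battery staple")]
    print(audit_accounts(sample))
```

The point of the split is that the server can be anyone’s (a SaaS, a shared corporate service, a vendor) and still never see a usable credential: it gets a prefix shared by a whole bucket of unrelated hashes, and the decision happens on the client.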
Embrace the distributed workforce and their desire to connect into the mother ship and then make sure you throw the public facing RDP server off the bloody roof.
All your SQL Server, MySQL, Oracle, NoSQL and other types of databases that are sitting on the Internets belong to us. This has nothing to do with patching (you are already underwater on that, and running round trying to patch things every day of the week isn’t going to work). This is back to the fundamentals: certain things should NOT be on the Internets! There’s no excuse, there’s no way of lying your way out of this one. VPNs are free, easy to implement, and simple to integrate: get the low hanging fruit OFF the firing line!
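For the RDP-off-the-roof and databases-off-the-Internets points above, here is an added example (mine, not from the article) of the weak rule set beside the corrected one, with a small audit that flags any inbound allow rule letting an Internet-reaching source hit a remote-management or database port. The rule format, the port list, the 10.200.0.0/16 VPN address pool and both rule sets are constructed for illustration; the same check maps directly onto a cloud security group or a perimeter firewall export.

```python
"""Audit inbound firewall / security-group rules for management and database
ports exposed to the Internet, and rewrite them to VPN-only. Added example;
rule sets, port list and VPN pool are constructed."""
import ipaddress

# Services that should be reachable only over the VPN. Constructed list.
SENSITIVE_PORTS = {
    3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 22: "SSH",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 1521: "Oracle",
    27017: "MongoDB", 6379: "Redis", 9200: "Elasticsearch", 5984: "CouchDB",
}

# Anything not wholly inside these ranges is treated as Internet-reaching.
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: remote staff land in this pool after authenticating to the VPN.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# Rule = (direction, protocol, port_from, port_to, source_cidr, action)
WEAK_RULES = [
    ("in", "tcp", 443, 443, "0.0.0.0/0", "allow"),      # web front end, fine
    ("in", "tcp", 3389, 3389, "0.0.0.0/0", "allow"),    # public RDP
    ("in", "tcp", 1433, 1433, "0.0.0.0/0", "allow"),    # public SQL Server
    ("in", "tcp", 27017, 27017, "0.0.0.0/0", "allow"),  # public MongoDB
    ("in", "udp", 1194, 1194, "0.0.0.0/0", "allow"),    # the VPN itself
]

# Same services, reachable only from the VPN pool.
FIXED_RULES = [
    ("in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    ("in", "tcp", 3389, 3389, "10.200.0.0/16", "allow"),
    ("in", "tcp", 1433, 1433, "10.200.0.0/16", "allow"),
    ("in", "tcp", 27017, 27017, "10.200.0.0/16", "allow"),
    ("in", "udp", 1194, 1194, "0.0.0.0/0", "allow"),
]


def reaches_internet(cidr: str) -> bool:
    """True unless the source range sits entirely inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(r.version == net.version and net.subnet_of(r)
                   for r in INTERNAL_RANGES)


def exposures(rules):
    """(port, service, source) for every inbound allow rule that lets an
    Internet-reaching source hit a sensitive port."""
    found = []
    for direction, proto, p_from, p_to, src, action in rules:
        if (direction, action) != ("in", "allow") or proto not in ("tcp", "any"):
            continue
        if not reaches_internet(src):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if p_from <= port <= p_to:
                found.append((port, service, src))
    return found


def restrict_to_vpn(rules):
    """Rewrite each offending rule so its source is the VPN pool; leave the
    rest untouched. Returns a new list."""
    fixed = []
    for rule in rules:
        direction, proto, p_from, p_to, src, action = rule
        if exposures([rule]):
            fixed.append((direction, proto, p_from, p_to, str(VPN_POOL), action))
        else:
            fixed.append(rule)
    return fixed


if __name__ == "__main__":
    for port, service, src in exposures(WEAK_RULES):
        print(f"EXPOSED: {service} (tcp/{port}) open to {src}")
    print("after fix:", exposures(restrict_to_vpn(WEAK_RULES)))
```

Note what the fix does not do: it doesn’t patch anything. The database is exactly as patched (or not) as it was; it just stopped being reachable by everyone on earth, which is the whole argument of the paragraph.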
Lastly, the employees, those folks you continue to overlook: we started with them, so it’s fitting we close with them. Let’s look at a couple of things that you do wrong:
1. You trust them! Why on this great green planet do you do that? You are not nice to them, yet you expect them to be loyal and look after your assets, and then you are surprised when they turn against you and you have to call us in on the forensics to see what the heck happened and why they dropped all your dirty secrets out to WikiLeaks.
2. You don’t train them, and then wonder why they email all your PII/PHI/EHR all over the place?
3. You don’t give them any incentives to help secure not only YOU (the company) but also their own families and friends, and you still trust them with everything and are surprised when they turn on you.
Good grief, look in a mirror and realize YOU, the capitalist corporation, are the problem. WE ARE NOT A NUMBER, OR A STATISTIC, we are HUMANS. Treat us as such, please.
So, in closing, when 2018 comes for us (or 5775 for those of you currently in a different set of thought processes) and the vendors line you up in their sights for golfing, fishing, dinner, and other events to woo you into buying the next NGFW, UBA, purple-blinky light POS, please, for all those of us out there fighting the good fight, take a step back, evaluate how that technology will fix the very basics that are crippling your organization (probably without you knowing it), put down the fork or golf club, say NO THANK YOU and spend the time, effort, and money on fixing some of the things I’ve covered above.
I promise you, if you miss your vendor steak, come to Colorado and I’ll buy you one. I live on a golf course so you can go catch that one missed game and your enterprise will thank you a lot more for simply doing the basic things you need to do to protect them and their assets.