Incident Response Teams Find Common Pitfalls in Network SecurityBy: Tom Sammel
It might seem weird, but it could be time for organizations that want to avoid breaches to follow one of the tenets of the character George Costanza in the "Seinfeld" episode "The Opposite." Do the opposite of what's normal.
When responding to breaches, our Incident Response (IR) teams find that it's sometimes normal for organizations around the globe to ignore certain areas of security, which has aggravated the compromise of their networks.
Below are some of the most common pitfalls we've seen in the field and actions you can take to prevent them.
Common Pitfalls Most Often Seen
IT architecture has been designed for delivery, not security. Networks are usually flat, allowing any user to access files that have nothing to do with their duties. This is one way to increase the ease of administration. Most organizations also don't have a well-deployed Demilitarized Zone (DMZ), a computer host or small network which is separated from the company's private network.
Do The Opposite:
Segment your network so that only certain departments can access certain information and only designated people can access files on a need-to-know, or need-to-have-access, basis. For example, people in the finance department could be only allowed to access files in the finance and billing departments, allowing no one in the sales or marketing department to access financial files. Servers should exist in their own Virtual Local Area Network (VLAN) so that access and traffic to and from these devices can be adequately controlled. For example, administrators could have the ability to 'Remote' into the servers, but all others in the organization would be restricted from that function.
Organizations should also segment their network from outsiders so they cannot connect to it. Using a DMZ allows you to deliver specific services to prospects and clients while keeping your internal network (corporate network) secure. A server that delivers services to prospects and customers, like whitepapers and videos, should be set-up in the DMZ with only the minimum services needed. Connections between the DMZ and the corporate network should be limited by either protocol, time of day, user, or some other defined access control mechanism. Also, any system that exists in the DMZ should have its own unique credentials that are not the same as credentials inside the corporate network. The Dell SecureWorks Incident Response Team has conducted breach response after breach response where an attacker collected the credentials in a DMZ, and then 'walked in the front door' of the corporate network using the same credentials….Often administrator credentials.
If you provide Wi-Fi connection to visitors who are on your company property, they should only be able to access the Internet through a connection set-up to access the Internet directly. This way, outsiders don't connect directly into any segment of your corporate network.
Companies don't always know what assets exist in their environment. They don't know what hardware or software exists, nor do they know all of the cloud services that are 'in-play' and how those cloud services connect to the corporate network. In addition, they don't know who is authorized to access each of these systems.
Do The Opposite:
Keep a detailed record of all devices and software on the network and ensure only authorized people can access them. Controls should be in place so that employees are prohibited from downloading software from entities outside your organization. We are routinely responding to breaches where our clients allow users to have administrative rights to the computer they use. These users are installing software that is not managed or supported by the IT staff. This opens a huge number of uncontrolled vulnerabilities in the corporate environment. Having software running that routinely identifies system and software are essential to good security. Also, working with contracting to ensure that the IT Security Team knows all of the cloud vendors allows them to make informed decisions about how to manage access to and from these services.
Organizations purchase and have deployed security devices but have not acquired the skill sets to manage and monitor them.
Do The Opposite:
I have to say, that in general, I like CIO's and CISO's. But time and again we respond onsite to breaches where the senior management has bought the newest and shiniest technology but not the ability to leverage that technology to its fullest extent. Team Members who are responsible for the day-to-day security have to be fully trained on the technology and know-how to optimize its effectiveness for the organization. The more agile a Security expert is on a given technology, the sooner they will notice outsiders attempting to gain a foothold in their environment. The faster the detection, the faster the ejection. The last thing you want is an attacker that has the time to move laterally across your network and steal your information.
Organizations are not monitoring endpoints (workstations, laptops and servers).
Do the Opposite:
Monitor endpoints 24/7 with the proper endpoint security. Antivirus (AV) is good and useful. This may buck the growing trend in the industry today, but I still see usefulness from AV. It's like a seat belt in a car. It's not the be-all-end-all safety device, but it's a great first step. When the seat belt is used in conjunction with airbags, crumple zones, and safe driver training, you wind up in a much better place in the event of a crash. Endpoint computers need something watching more than just strings in code. Malware authors continue to write code that is designed to bypass AV. Organizations need 'eyes-on' the endpoint, checking registry changes, folder creation, file creation, anomalous access, and other functions.
Organizations lack a structured approach to responding to security incidents. They may discover malware and may be able to get that one instance out of the network, but they don't know what the malware represents or how it got there, or what the attacker did when he was inside the network. When someone inside a company responds to an incident, they are typically looking at that one incident. They don't know the latest attack trends, nor do they know the attacker's techniques and procedures because they don't have much to compare it to.
Do the Opposite:
Work with a professional Incident Response team that handles incidents every day. This team has probably encountered similar situations to yours and is familiar with the techniques the attacker is using. The team can see how the attacker got into the network, where in the network the attacker traveled and what the attacker did since getting inside. The attacker leaves tracks, and a skilled IR team is familiar with what the tracks mean. For example, they are likely to know what the attacker was looking for, what other malware he probably hid in the network, and what backdoors he created so that he could re-enter the network in case he got shut out. If you find one piece of malware in your network, there is quite possibly more, and an experienced incident responder will be far quicker in finding it than anyone else.
After they've been breached, many organizations end up asking the same question as George did in "The Opposite" episode, "Why did it all turn out like this for me?" For George, I'm not sure, but for organizations that want to position themselves better to prevent a network breach, the answers are above.