As a continuation of my first blog about Cyber Crime, I am moving on to my second blog, resuming the story with the “IMPLEMENT” phase.
As advanced persistent threats pursue multiple targets, many organizations are starting to realize what they are up against. Industries that have dealt with these types of threats for years are further down the road in implementing sophisticated defenses. You have to take fresh approaches and whole new ways of thinking about information security to combat this new class of threat.
For example, tackling advanced persistent threats means giving up the idea that it is possible to protect everything or that you could be 100% secure. This is absolutely not realistic. IT Security teams will have to work closely with the business to understand the business processes and identify the organization’s most critical information and systems—the “crown jewels”—in order to concentrate efforts on protecting these core assets.
Furthermore, the definition of successful defense has to change from “always keeping attackers out” to “sometimes attackers are going to get in and you will not be able to avoid it; detect them as early as possible and minimize the damage.”
You have to assume that your organization might already be compromised and go from there. The following seven recommendations provide key ways to shore up defenses for organizations facing advanced persistent threats. It will take not only the commitment of the information security team but also the support of executive leadership.
Here are seven recommendations for implementing your security strategy:
Recommendation 1. Gathering intelligence
Formulate strategies based on the answers to these questions:
- What digital assets are malicious users going after?
- How do they pursue targets?
- What are their means, methods, motives?
- What actual attacks have occurred at other organizations?
- What do attack patterns look like?
- What does the malware look like?
- Are they planning attacks involving my industry?
- Is there chatter specifically about my organization being a target?
Recommendation 2. Activate smart monitoring
- Adjust protection to focus on the “crown jewels” and on current threats
- Analyze large volumes of data for anomalous and damaging activity
- Implement programs to monitor network activity and analyze data flows
Traditional Intrusion Detection/Prevention Systems lack the patterns needed to detect advanced persistent threats
- Provide further education for, and hire, cyber security experts who can properly evaluate risky situations
Recommendation 3. Reclaim access control
- Only allow administrators to log in to their admin accounts from within specific trusted areas
- Do not allow remote access, email and web surfing in these trusted areas
- Require face-to-face password changes and/or multifactor authentication for administrator accounts
- End the use of identical administrative passwords that work across several systems
- Reduce the number of employees with administrative rights that allow them to roam the network
- Separate the administrator group from the general user group (for example, with jump servers)
- Perform monitoring on all administrative users
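As an added example (not part of the original post), the following Python script shows how the monitoring of administrative users from Recommendation 2 and the first two access-control rules of Recommendation 3 can be turned into a concrete check: successful admin logins from outside the trusted admin zones, and use of remote-access or email services from inside those zones, are reported as findings. The log format, the admin account names and the trusted subnets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: trusted administration zones and admin accounts.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.50.0.0/24"),
                      ipaddress.ip_network("10.50.1.0/24")]
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}
# Services that should never be used from inside the trusted admin zones.
FORBIDDEN_IN_ZONE = {"vpn", "webmail", "webproxy"}

@dataclass
class Finding:
    user: str
    src: str
    service: str
    reason: str

def parse_event(line):
    # Constructed log format: "<timestamp> <user> <source-ip> <service> <result>"
    ts, user, src, service, result = line.split()
    return {"ts": ts, "user": user, "src": src, "service": service, "result": result}

def in_trusted_zone(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def review_admin_logins(lines):
    """Return findings for every successful admin login that violates the rules."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        # Only successful logins of administrative accounts are of interest here.
        if ev["user"] not in ADMIN_ACCOUNTS or ev["result"] != "success":
            continue
        if not in_trusted_zone(ev["src"]):
            findings.append(Finding(ev["user"], ev["src"], ev["service"],
                                    "admin login from outside trusted admin zone"))
        elif ev["service"] in FORBIDDEN_IN_ZONE:
            findings.append(Finding(ev["user"], ev["src"], ev["service"],
                                    "remote access/email/web use inside admin zone"))
    return findings

# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    "2024-01-10T08:01:00 adm-alice 10.50.0.12 ssh success",     # fine: admin zone
    "2024-01-10T08:05:00 adm-bob 203.0.113.7 ssh success",      # outside admin zone
    "2024-01-10T08:07:00 jdoe 192.168.3.4 webmail success",     # ordinary user, ignored
    "2024-01-10T08:09:00 adm-alice 10.50.1.20 webmail success", # email from admin zone
    "2024-01-10T08:11:00 adm-bob 198.51.100.9 ssh failure",     # failed, ignored
]

if __name__ == "__main__":
    for f in review_admin_logins(SAMPLE_EVENTS):
        print(f"{f.user} from {f.src} via {f.service}: {f.reason}")
```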
Recommendation 4. Engage the employees
- Traditional employee training methods such as web courses, videos, and classroom presentations do not involve the employees in active defense
- New training mechanisms should make the threat real for the individual users, engage them in actively defending the organization and communicate the message that employees could be personally responsible for a major information breach
- Simulate phishing attacks on employees in order to analyze their reactions
- Simulate an attack that exploits the “human being” vulnerability in the employees’ own workspace, e.g. as a computer game
Every organization’s greatest vulnerability is its people, regardless of the security technologies implemented
The employee must perceive himself as the most important link in the security chain
Recommendation 5. Support of the executive leadership
- Engage the executive leadership in order to obtain financial support and to create a suitable organizational structure
- Establish an organizational structure that permits organization-wide collaboration to identify and prevent attacks targeting corporate data
- Information risk management should be integrated into the overall enterprise risk management strategy
- Use comparisons with other organizations as well as benchmarks in order to promote investment in IT security, e.g. by describing investments versus risks
It is most worrying to meet a board director who asks: “Are we secure – yes or no?” He should actually ask instead: “Are you getting enough support and funding so that the security management is able to keep up with this ‘digital arms race’?”
Recommendation 6. Verify the IT expertise
- Review the IT cost-benefit analysis: contracting IT experts to run a secure IT infrastructure may be more cost-efficient in the long term
- “Cloud” providers are able to deliver less expensive IT services with reliable, robust, and scalable security
- Organizations can reduce the number of vulnerabilities by re-architecting IT systems:
  - Avoid flat networks
  - Set up network zones to isolate the “crown jewels”
  - Use desktop virtualization so that data and applications are stored on a centralized server
Recommendation 7. Participation in information exchange
- Active cooperation with industry peers, IT activist/hacker organizations and government agencies is necessary
- Typical attack signatures have to be shared in “real time” among the organizations
- Information sharing is essential in order to adapt security strategies in time
In summary:
- The new APT-style attacks are targeting enterprises in a wide range of industries
- No organization is impenetrable!
- It is most important to protect the “crown jewels” in an organization
- New, specific defenses have to be implemented in order to protect the organization
- Cyber security requires a continuous review of security strategies
- Every employee is responsible for ensuring the enterprise’s security level
- Organizations have to share information in order to protect themselves
As a continuation of my second blog about Cyber Crime, I will describe in my next blog what a common hacking attack might look like and what you should consider when defining an IT Security Management process.