In Information Security, there are attackers and defenders. Attackers usually stay attackers and defenders usually stay defenders; defenders tend to think like defenders and attackers tend to think like both attackers and defenders.
See something missing? Defenders also need to think like attackers. Easier said than done. If you were an attacker, where would you start? Sun Tzu wrote The Art of War ~2500 years ago outlining some attacker guiding principles that we can apply in information security today.
- Speed is the essence of war
- Travel by unexpected routes
- Take advantage of the enemy’s unpreparedness
- Strike him where he has taken no precautions
Now let’s take these attacking principles and look at how we in InfoSec can defend against InfoSec attacks:
- Numbers one and two fall into the category of knowing your environment. You can’t protect what you don’t know. If the attacker figures it out before you do, they have an advantage. All they need is a point of entry. Once they find the weakest link, they can work their way up the chain.
- Number three involves being prepared for an attack. Once you’ve figured out what you have, you need to make sure that it’s locked down: not locked to the point that it is rendered unusable, but configured in a way that makes it difficult enough for attackers to be deterred.
- Number four leads into ensuring you are continuously checking for any holes. As defenses wear down, like water wears down a rock, holes may open up. Continuously checking for holes gives you the opportunity to find and fill them before an attacker does.
These three defending principles tie in exactly to the first four of what the Council on CyberSecurity calls the Top 20 Critical Security Controls. Here are the first four along with some of the steps the Council recommends to get some quick wins for your organization:
Inventory Your Authorized and Unauthorized Hardware
Actively manage – inventory, track, correct – all hardware devices on your network. Only authorized devices should be allowed on the network. Attackers are always looking for forgotten systems, be it a BYOD device that wasn’t patched or something that was turned on and forgotten about, to use as a stepping stone into the organization.
Know what you have before they do! Quick wins:
- Deploy an asset discovery tool which actively scans the organization’s public and private networks to build an inventory
- Deploy a DHCP server which logs its leases, and use that DHCP information to improve the inventory
- Ensure all new equipment is updated in your asset management system
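One way to turn the DHCP quick win into a check, as an added example that is not from the original post: parse DHCP server log lines (the lines and the MAC addresses below are constructed for illustration) and report any lease handed out to a device that is absent from the authorized hardware inventory.

```python
import re

# Constructed sample of ISC dhcpd-style syslog lines; not from a real network.
DHCP_LOG = """\
Mar  3 08:12:01 dhcp01 dhcpd: DHCPACK on 10.20.1.45 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar  3 08:12:09 dhcp01 dhcpd: DHCPACK on 10.20.1.88 to 00:1a:2b:3c:4d:5f (printer-2f) via eth0
Mar  3 08:13:44 dhcp01 dhcpd: DHCPACK on 10.20.1.201 to de:ad:be:ef:00:01 via eth0
Mar  3 08:14:02 dhcp01 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Mar  3 08:14:03 dhcp01 dhcpd: DHCPACK on 10.20.1.202 to aa:bb:cc:dd:ee:ff (android-7f3) via eth0
"""

# Constructed authorized hardware inventory: MAC address -> asset record.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": "ASSET-0117 finance workstation",
    "00:1a:2b:3c:4d:5f": "ASSET-0342 second-floor printer",
}

# Only DHCPACK lines matter: they record a lease actually granted.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

def seen_devices(log_text):
    """Return {mac: (ip, hostname)} for every lease the DHCP server handed out."""
    devices = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            devices[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return devices

def unauthorized_devices(log_text, authorized):
    """Leases granted to MAC addresses that are not in the asset inventory."""
    return {mac: info for mac, info in seen_devices(log_text).items()
            if mac not in authorized}

if __name__ == "__main__":
    for mac, (ip, host) in unauthorized_devices(DHCP_LOG, AUTHORIZED).items():
        print(f"UNAUTHORIZED {mac} {ip} {host or '(no hostname)'}")
```

DHCP logs only reveal devices that ask for a lease, so statically addressed hosts still need the active discovery scan from the first quick win.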
Inventory Your Authorized and Unauthorized Software
Actively manage – inventory, track, correct – software installed on the devices you found in the previous control. Only authorized software should be allowed on the network. Attackers are always looking for quick wins: unpatched software or vulnerabilities that they can point and shoot at with automated and remote exploit kits to own our systems.
Sometimes it’s as simple as opening an e-mail attachment or clicking a link (check out my family vacation pictures! UPS has a package waiting for you!)
Know what you have before they do! Quick wins:
- Build a list of authorized software and match against what you have installed
- Track changes to that list either through change monitoring or whitelisting
- Perform regular scanning for unauthorized software or monitor in real time
Secure Configuration Management
Default configurations are an attacker’s dream – they know the defaults, so it’s like walking into a building with the blueprints!
Before systems are deployed in the network they should be hardened. This could be the operating system, applications, ports, and/or services on the devices. Common best practice frameworks include CIS, ISO, SOX, PCI, etc. There are plenty out there, more or less the same with minor differences. Pick what works best for you and your industry.
Almost every organization I’ve talked to takes one of these standards, examines which controls are viable for their environment (e.g. password length 8 instead of 6) and applies them.
If you already have a regulatory body overseeing your devices, then you’re already familiar with this. An all too frequent error I see, however, is that the systems in scope of that audit are very well taken care of, but everything outside of that scope falls into the “forgotten system” category. Quick wins:
- Establish and ensure the use of standard secure configurations of your operating systems
- Update operating systems and software – if they’re too old to be updated, remove them
- Limit administrative privileges
- Follow strict SCM practices; exceptions and modifications should be documented in change management
- Have a master image that is integrity checked and protected – compromised systems should be reimaged
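An added example, not from the original post, of how the standard-configuration and change-management quick wins can be checked together: each host’s observed settings are compared to a baseline, and any deviation is either matched to an approved change ticket or reported as undocumented drift. The baseline values, host names and ticket identifiers are constructed for illustration and do not come from any published benchmark.

```python
# Constructed baseline in the spirit of a hardening standard (illustrative values only).
BASELINE = {
    "PasswordMinLength": 8,
    "PasswordMaxAgeDays": 90,
    "AccountLockoutThreshold": 5,
    "TelnetServiceEnabled": False,
    "AuditLogEnabled": True,
}

# Constructed settings as collected from two hosts; a missing key means the
# collector could not read that setting, which is itself worth reporting.
OBSERVED = {
    "ws-finance-07": {"PasswordMinLength": 8, "PasswordMaxAgeDays": 90,
                      "AccountLockoutThreshold": 5, "TelnetServiceEnabled": False,
                      "AuditLogEnabled": True},
    "legacy-app-01": {"PasswordMinLength": 6, "PasswordMaxAgeDays": 365,
                      "AccountLockoutThreshold": 5, "TelnetServiceEnabled": True},
}

# Constructed change-management records: (host, setting) -> approved exception.
EXCEPTIONS = {
    ("legacy-app-01", "PasswordMaxAgeDays"): "CHG-0421 service account rotation plan",
}

def check_host(host, observed, baseline, exceptions):
    """Return (setting, expected, actual, status) for every baseline mismatch on one host."""
    findings = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)          # None: setting not reported at all
        if actual == expected:
            continue
        ticket = exceptions.get((host, setting))
        status = f"approved exception {ticket}" if ticket else "drift"
        findings.append((setting, expected, actual, status))
    return findings

def undocumented_drift(observed_by_host, baseline, exceptions):
    """Mismatches with no change-management record, per host: the 'forgotten system' signal."""
    return {host: [f for f in check_host(host, obs, baseline, exceptions) if f[3] == "drift"]
            for host, obs in observed_by_host.items()}

if __name__ == "__main__":
    for host, findings in undocumented_drift(OBSERVED, BASELINE, EXCEPTIONS).items():
        for setting, expected, actual, _ in findings:
            print(f"{host}: {setting} expected {expected!r}, found {actual!r}")
```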
Vulnerability Management and Remediation
Shrink that attack surface! Continuously scan for vulnerabilities and patch high-risk findings. If you are able to patch vulnerabilities that are automated or easy to exploit and they give the attacker remote and/or privileged access, you’ve just made the life of the attacker very difficult.
When they do eventually find a hole (no one can patch everything), they will see that it is very difficult to get in, deterring them from doing the work. Attackers love low hanging fruit! If they are determined enough to get in, then having secure configurations, as described above, covers you for integrity checking and monitoring their activity. Quick wins:
- Run automated vulnerability scans at least weekly and target remediation of high risk vulnerabilities
- Correlate scan findings with event logs to identify which exploit attempts detected on the exterior target vulnerabilities that are present on the interior
- Perform authenticated vulnerability scans with a dedicated administrative account
- Subscribe to vulnerability intelligence feeds to stay aware of emerging threats
To sum it up: know your environment, lock down and secure, and shrink that attack surface!
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock