Gone are the times when security was a top priority only for security experts and CIOs. Today, every executive, irrespective of their domain and specialization, worries about information security. This has been especially true after the recent ransomware attacks. Ransomware such as Matrix, WannaCry, Petya, etc., has scared civilians and governments alike.
Hackers are no longer lone geeks or illegal hacking groups that lurk in the underground. “These days nation-state driven warfare is also on the rise,” opines Ed Skoudis, who has trained more than twelve thousand people on cyber security and incident response. Worms and viruses like Shamoon, Stuxnet, Gauss, Flame, etc., have opened our eyes to cyber espionage, cyber warfare and the involvement of entire countries in cybercrime. Let us logically break down this very real and ever-looming threat and explore some solutions as well.
Why would hackers want access to your company’s information?
According to experts from Regis University, College of Computer & Information Systems, the motivation to hack can be political, financial, or ideological. When asked why he wanted to climb Mount Everest, the famous mountaineer George Mallory said, “Because it is there”. The reason some hackers try to penetrate networks is simply that the networks are there: to prove their mettle, to test their skills, and to advertise themselves when they have no affiliation with a hacker network. Sometimes disgruntled employees and the like do it for revenge. But more often than not, the motives are financial. Hackers try to obtain information that could be of financial value to them. Or, in the case of ransomware, they encrypt information of value to the victim and demand a ransom to give it back.
What are the techniques that are employed to gain access to your company’s information?
This is a much more difficult question to answer than the previous one. Offensive forensics, misattribution, seemingly small attacks on IT infrastructure that result in kinetic impact, large-scale DDoS attacks, password leaks and breaches, and social engineering attacks are some of the attacks that worry information security experts like Ed Skoudis and Johannes Ullrich, chief research officer at the SANS Institute (as stated in this webcast on the SANS Institute’s site: https://t.co/0g0wFWDkJc).
A technique as simple as leaving USB drives outside offices and in parking lots can give attackers access to a goldmine of information. In an experiment, researchers dropped about 300 USB drives around the University of Illinois Urbana-Champaign campus. It took only six minutes for someone to pick up one of the drives and plug it in somewhere. Out of all the dropped drives, 48% were picked up and used. If those USB sticks had malware planted on them, plugging one into a networked device would open the door for the attackers to the entire network. Such techniques, where attackers manipulate unwitting users into doing something that in turn gives the attackers access to the data, systems or network they want, are called social engineering. Elie Bursztein, who heads the anti-abuse research team at Google and who also worked on the study, was shocked by the outcome of the experiment: “This surprisingly high conversion rate demonstrates that USB drop attacks are a real threat and underscores the importance of educating users on the risk of plugging in untrusted USB devices.”
In stark contrast to the simple techniques of social engineering, offensive forensics are techniques hackers employ to take control of the forensic tools themselves. Digital forensics involves finding, recovering and studying the information found on digital devices. The tools used in the field are better equipped than ordinary software to access file systems, since they are designed to recover digital evidence. Say you are trying to recover some wrongly deleted data using such a tool. What if the tool itself gets hacked? It would open the doors to the entire file system.
Misattribution is deliberately making a cyber threat appear to come from the wrong source. For example, when a nation state uses spyware, it may leave errors in the code on purpose, so that the spyware looks like the work of rookies rather than of a strong nation employing professionals.
Perhaps the most threatening of the lot is the hacking of infrastructure systems that leads to a cascading kinetic impact, even though the attacks themselves look relatively small and harmless. For example, imagine the infrastructure in an operating theatre of a hospital, with a few tens of systems on the network and a doctor remotely performing a surgical procedure on a patient. If those systems are hacked, it is the attackers, not the doctor, who are in control of the surgery. Operations coming to a standstill is not the worst of the endless possible outcomes. Imagine the control tower of an airport being hacked. The possibilities are too appalling to imagine.
How do I secure my enterprise infrastructure?
Getting a good information security solution in place is one of the most obvious ways to safeguard your enterprise infrastructure. There is no super tool or solution out there that can protect your entire environment, and there is no such thing as the single best security solution either. There are several good tools and solutions on the market, including open source tools, but choosing the right one for your environment is a giant task and is best left to the experts.
“You can’t blindly suggest one tool for all clients. It totally depends on the organization and the choice would vary based on their domain, size, and a lot many factors”, says Aravindh Subramanian, Associate manager – Information Security, Security Operations Center at GAVS technologies.
Having an enterprise security solution installed does not ensure complete safety. Sometimes more than one piece of software needs to be used. You may need to safeguard your network with an entire system of tools, policies and procedures to ensure safety and minimize risk. This is known as an Information Security Management System (ISMS), which aims at ensuring business continuity in the event of breaches and similar incidents.
Of course, it only makes sense for encrypting confidential data and following the principle of least privilege (people are given only the minimum access rights to data that they require, and those rights are revoked as soon as they are no longer needed) to be part of the ISMS. Sadly, such simple and highly important policies may not be part of the ISMS when you do not choose the right IT partner.
In fact, even storage encryption may not be enough. In addition to encrypting the data at the storage level, Aravindh suggests transaction level encryption for organizations. He says, “Yes, there is a trade-off between time and the security factor here. Encrypted transactions will take longer than ordinary ones, but I think the security is worth it”.
Backups also need to be safeguarded at the same level as your primary data. Caution needs to be exercised in choosing backup locations, technologies and backup software. For small and mid-sized organizations, it makes sense to go for a cloud-based backup services provider, especially for tertiary backups. Often, pricing models and performance are given more weight when choosing a vendor, while security takes a back seat. It is important to check what kind of security measures are in place at their location, what technology they use to authenticate users, how often they conduct penetration tests, and whether their policies are ISO 27001 and ISO 9001 compliant. There may be other rules that your vendor needs to comply with depending on your domain, say HIPAA for healthcare organizations. This is another task best left to the experts.
After all the appropriate security measures are in place, the people who interact with the environment regularly need to be trained. In fact, GAVS trains its staff to identify and report attacks right during their induction. They are educated on the types of attacks and the tools used in the environment, and are encouraged to report their suspicions even when they are not sure. Everybody knows whom to call, what to do and what not to do. These activities are a necessity, not a luxury, and every organization needs to invest in them. Without this simple and inexpensive step, no environment is safe, no matter how good the technology used is. Being digitally secure is one of the necessities for making your organization a success.