Guarding the Gate
Let’s Break All the Rules
By Kevin Hamel, VP Security Officer

Let’s break all the rules. Accept a jump drive from someone you don’t know. Bring it to work and plug it into your workstation. Copy the files over, and if your computer warns that a program wants to communicate with a known malicious website, click ‘yes.’
Sound far-fetched?
Perhaps. We’d all like to believe that no one in our organizations would ever do anything like this. But they may not have to.
Let’s consider the incredible first. It is widely believed that scientists carried jump drives infected with the Stuxnet worm into a secret nuclear facility in Iran. Stuxnet, allegedly developed by a nation-state, succeeded in gumming up the Iranian nuclear enrichment program for a while. But in the process, Stuxnet also succeeded in escaping ‘into the wild.’
That means that variants of the highly sophisticated Stuxnet worm could be knocking on our doors one day, using the same kind of ‘zero-day’ exploits to spread from one computer to another. Zero-day attacks are the hacking world’s most potent weapons because they exploit software vulnerabilities the software maker does not yet know about: there is no patch to apply, and antivirus vendors have no signature for the exploit until it has been seen in use.
Is your bank or credit union ready for anything like a zero-day attack or an advanced persistent threat? What would happen if your institution were attacked? Do you have the basics of security in place?
The most recent Verizon Data Breach Investigations Report noted that of the breaches studied, roughly 80% of the victims were purely targets of opportunity. The attackers did not single them out; they simply found a security shortcoming they could take advantage of. This is akin to a burglar walking the neighborhood, checking to see who forgot to lock the door to their house.
In the vast majority of the breaches, it was all too simple to breach the perimeter of the organization, and in most cases the breaches could have been prevented by the use of relatively simple controls. This sounds eerily familiar. In 2006, I gave several presentations underscoring the importance of mastering the basics in order to prevent security breaches. Six years later it seems that some organizations are still falling short.
There are a variety of basic security controls that should be standard operating procedure by now. Let’s run through a short list:
· System Configuration – Are all devices configured as recommended by the vendor or by a reputable, independent source such as NIST? Misconfigurations (default passwords, unnecessary services left enabled) can often give an attacker a foothold.
· Antivirus/Antispyware – Although zero-day exploits will always be a threat, most attacks still rely on exploits for well-known vulnerabilities and on well-known malware, which up-to-date antivirus and antispyware will recognize. Failing to protect the organization against the known threats leaves the organization needlessly exposed.
· Access Rights Management – Do employees have access only to the information they need in order to perform their job function? Are administrative rights restricted to those who truly need them? Attackers often carry out their crimes using existing, legitimate IDs, frequently with stolen credentials. You can make it more difficult for them by tightly controlling access rights, so that a compromised account reaches as little as possible.
· Vulnerability Scanning and Patch Management – Keeping your systems updated is very important. If a vendor releases an update that closes a security hole, it should be applied as soon as possible. Frequent scanning of systems for known vulnerabilities is equally important: it’s essential to know where the holes are in the dike so you can plug them as quickly as possible. Sources such as Secunia can help you keep abreast of what’s going on in this area.
· Firewall, IDS/IPS, Web Filtering – Traffic to and from the outside world should be filtered and inspected. Your network should not be completely open to the outside world. Network traffic should be scanned for known malicious traffic patterns, and it’s also important to filter the sites that your employees can visit.
· Log Review – It’s important to be able to identify what has happened on a computer network. Logs that are collected centrally and actually reviewed will enable you to detect a breach and help you investigate what has been compromised as a result; a log nobody reads detects nothing.
· Security Awareness Training – Last but certainly not least, it’s important to educate the human at the keyboard. Many breaches today leverage some type of social engineering attack, and the amount of information posted online in places like Facebook makes it easier for hackers to customize their attack. This makes it more challenging for employees to identify what is suspect and what is not. Employees should be very cautious when opening documents, surfing the Internet, and handling media they have been given or found.
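As an added example for the Log Review and Access Rights Management items above (this is not code from the column or from any product it mentions), here is a small review pass in Python over constructed sshd authentication lines. It flags a password-guessing burst from one source, a login that succeeds right after such a burst, and any use of an administrative account from a source that is not on an approved list. The host names, addresses, thresholds and the approved-source list are assumptions made for the illustration.

```python
"""Log review over SSH authentication lines: the 'Log Review' and
'Access Rights Management' basics from the column, in working code.

Added example, not code from the column. The log lines are constructed
in the style of a Linux auth.log; the host names, source addresses,
thresholds and the approved-admin-source list are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): a password-guessing run from an
# outside address that eventually succeeds as root, then normal staff
# activity, then root logins from two internal addresses.
SAMPLE_LOG = """\
Mar 14 02:11:05 tellerdb01 sshd[4120]: Failed password for invalid user admin from 203.0.113.77 port 51522 ssh2
Mar 14 02:11:07 tellerdb01 sshd[4120]: Failed password for root from 203.0.113.77 port 51522 ssh2
Mar 14 02:11:09 tellerdb01 sshd[4121]: Failed password for root from 203.0.113.77 port 51524 ssh2
Mar 14 02:11:12 tellerdb01 sshd[4122]: Failed password for root from 203.0.113.77 port 51526 ssh2
Mar 14 02:11:14 tellerdb01 sshd[4123]: Failed password for root from 203.0.113.77 port 51528 ssh2
Mar 14 02:11:16 tellerdb01 sshd[4124]: Accepted password for root from 203.0.113.77 port 51530 ssh2
Mar 14 09:03:41 tellerdb01 sshd[5212]: Accepted publickey for jsmith from 10.20.0.15 port 40122 ssh2
Mar 14 09:15:02 tellerdb01 sshd[5290]: Failed password for jsmith from 10.20.0.15 port 40130 ssh2
Mar 14 09:15:10 tellerdb01 sshd[5291]: Accepted publickey for jsmith from 10.20.0.15 port 40132 ssh2
Mar 14 11:42:19 tellerdb01 sshd[6017]: Accepted password for root from 10.20.0.15 port 40190 ssh2
Mar 14 11:50:00 tellerdb01 sshd[6044]: Accepted publickey for root from 10.20.0.5 port 40201 ssh2
"""

# Matches the sshd "Accepted ..." / "Failed ..." lines; other sshd chatter is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    ok: bool  # True for an accepted login


@dataclass
class Finding:
    kind: str
    src: str
    user: str
    ts: datetime


def parse_events(text, year=2012):
    """Parse sshd lines into Events. syslog timestamps carry no year, so the
    caller supplies one (assumption: the log covers a single year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a production pass would count these too
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["user"], m["src"], m["result"] == "Accepted"))
    return events


def review(events, admin_users=frozenset({"root"}),
           approved_admin_sources=frozenset({"10.20.0.5"}),
           fail_threshold=4, window=timedelta(seconds=60)):
    """Three checks; the policy values are assumptions, not universal rules:
    1. brute_force: at least fail_threshold failures from one source inside window.
    2. success_after_failures: a login accepted while that source still has a
       burst of recent failures (the guessing worked; treat as a compromise).
    3. admin_from_unapproved_source: an administrative account used from a
       source not on the approved list (the access-rights check).
    """
    findings = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    already_flagged = set()               # one brute_force finding per source
    for ev in sorted(events, key=lambda e: e.ts):
        fails = recent_failures[ev.src]
        while fails and ev.ts - fails[0] > window:
            fails.popleft()  # expire failures that fell outside the window
        if not ev.ok:
            fails.append(ev.ts)
            if len(fails) >= fail_threshold and ev.src not in already_flagged:
                already_flagged.add(ev.src)
                findings.append(Finding("brute_force", ev.src, ev.user, ev.ts))
            continue
        if len(fails) >= fail_threshold:
            findings.append(Finding("success_after_failures", ev.src, ev.user, ev.ts))
        if ev.user in admin_users and ev.src not in approved_admin_sources:
            findings.append(Finding("admin_from_unapproved_source", ev.src, ev.user, ev.ts))
    return findings


if __name__ == "__main__":
    for f in review(parse_events(SAMPLE_LOG)):
        print(f"{f.ts:%b %d %H:%M:%S}  {f.kind:<28} user={f.user} src={f.src}")
```

Run directly, it prints the four findings from the sample: the guessing burst from 203.0.113.77, the root login that followed it, and two root logins from sources that are not the approved jump host. In practice the same checks would run over centrally collected logs, and the approved-source list would come from your access-rights inventory rather than a constant in the script.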
There is certainly no one silver bullet that will make all our challenges disappear. But ensuring that the basics are covered at your institution will go a long way toward preventing a security breach. Your behavior at your bank or credit union can make the difference between a mild annoyance and an outright catastrophe.