As anyone in the IT world can tell you, security is by far the biggest concern in any organization. With the prevalence of CryptoLocker-style ransomware variants, on top of the already innumerable malicious software in the wild, it’s enough to keep anyone up at night. In less than a decade IT has had to shift its mindset from the traditional “I’ve got anti-virus, and it updates daily” to a more aggressive stance: parsing logs and network activity, and tracking behaviour. The problem is that traditional anti-virus isn’t enough anymore.
I remember fondly being the go-to for which Anti-Virus / Anti-Malware / General Internet Condom to use is the “best”, where I would take into account performance weight against effectiveness, and choose the software package that hit the best ratio of performance to functionality to price.
Now that the internet is so ubiquitous, there are developers everywhere who view it as their sole purpose to exploit vulnerabilities in computer systems. Regardless of whether their intention is to promote security or something more nefarious, it is nearly impossible to stay ahead of the game, even in my small environment.
Anatomy of an attack
To secure your environment as well as possible, you first need to understand how an attack happens. Knowing the fundamentals of an attack lays the groundwork that will put you in the best position possible.
- Reconnaissance
  - Just as we’re doing here, an attacker is going to gather all the information about their target that they possibly can.
  - A determined attacker will use any means necessary to gather information on the target, including going through waste.
  - Other methods include network scanning: determining which ports and services are open on your network and what the responses on those ports are.
  - An attacker may also do some online research about the target, looking for job postings, or even mirror the target’s web site to get information about the structure of the network.
- Assessment
  - With reconnaissance done, it’s time to assess the information.
  - Compare responses from the network scan against published vulnerabilities and determine the most effective mode of entry.
  - Determine the direction of the attack: go to the target, or coerce the target to come to the attacker.
- Exploit
  - The attacker has worked out the attack surface, the vulnerability, and how it is going to be used.
  - During the exploit different payloads may yield different results, and the prime directive is to gain “persistence”, or permanent access. To avoid detection after access is gained, an attacker may lie dormant for some time.
  - Once access is gained an attacker will typically “pivot” to some other local resource that is more valuable (think database, file server, user data).
Mitigation
Prevention is an idea of the past, so get that out of your mind. Mitigation is attainable. Knowing how an attack plays out makes it easier to take the steps necessary to secure your environment. The saving grace of most attacks is that they are done with free or open-source tools, meaning you can perform all the steps of an attack against your own environment. The Reconnaissance and Assessment steps are particularly important (you can also exploit, and then re-perform Reconnaissance and Assessment from within the network once you’ve gained access).
Once you’ve gathered the appropriate data, you have something to work with. This gives you a view of where your vulnerabilities are and how to mitigate them, be it through software patching, updating firewall settings, etc.
So, you’ve secured your network; you’re good now, right? Nope. All securing your network does is mitigate attacks that originate outside the network and attempt to gain access. There are still attacks that get the target to come to the attacker. These attacks are the hard ones to protect against, because they can come from almost anywhere and all they usually require is user interaction.
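Here is what the self-directed Reconnaissance and Assessment described above looks like in code. This is an example added to this post, not the author's own tooling: it parses service banners collected from hosts you administer, extracts product and version, and compares them against an advisory table. The banners, hostnames and advisory entries are constructed placeholders (the advisory labels are not real CVE identifiers); in practice you would feed it your own scan output and a real vulnerability feed. The `grab_banner` helper is the only part that touches the network and is not needed to run the assessment.

```python
"""Assess service banners from your own hosts against published advisories.
Example added to this post (not the author's code). All sample data is constructed."""
import re
import socket

# Constructed sample banners, keyed by (host, port), as a defender might
# collect them from an internal scan. These are not real hosts.
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    ("10.0.0.5", 80): "Server: Apache/2.4.18 (Ubuntu)",
    ("10.0.0.9", 21): "220 ProFTPD 1.3.5 Server ready.",
    ("10.0.0.12", 443): "Server: nginx/1.18.0",
}

# Constructed advisory table: (product, first fixed version, label).
# Placeholders only; a real deployment would load this from a vulnerability feed.
ADVISORIES = [
    ("openssh", (7, 4), "PLACEHOLDER-ADVISORY-1"),
    ("apache", (2, 4, 25), "PLACEHOLDER-ADVISORY-2"),
    ("proftpd", (1, 3, 6), "PLACEHOLDER-ADVISORY-3"),
]

# Matches "Product/1.2.3", "Product_1.2" or "Product 1.2.3"; trailing
# suffixes such as "p2" are deliberately ignored.
BANNER_RE = re.compile(r"(OpenSSH|Apache|ProFTPD|nginx)[_/ ]v?(\d+(?:\.\d+)*)", re.I)


def parse_banner(banner):
    """Return (product_lowercase, version_tuple), or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2).split("."))


def version_below(found, threshold):
    """True if `found` is older than `threshold`; tuples are zero-padded to equal length."""
    n = max(len(found), len(threshold))
    return found + (0,) * (n - len(found)) < threshold + (0,) * (n - len(threshold))


def assess(banners, advisories=ADVISORIES):
    """Map each (host, port) to the advisory labels its banner matches."""
    findings = {}
    for endpoint, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown product: nothing to compare against
        product, version = parsed
        hits = [label for prod, fixed, label in advisories
                if prod == product and version_below(version, fixed)]
        if hits:
            findings[endpoint] = hits
    return findings


def grab_banner(host, port, timeout=2.0):
    """Collect one banner from a host you administer (plain TCP/HTTP only; no TLS)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = s.recv(1024)
    return data.decode("latin-1", "replace").strip()


if __name__ == "__main__":
    for (host, port), hits in assess(SAMPLE_BANNERS).items():
        print(f"{host}:{port} -> {', '.join(hits)}")
```

Running it against the constructed sample flags the OpenSSH, Apache and ProFTPD services as older than the advisory thresholds and leaves nginx alone, which is exactly the list you would hand to whoever does patching.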
Some methods to mitigate reverse attacks:
- Institute application whitelisting
  - Rather than picking which applications to block, pick which applications are able to run.
  - Block executable content wherever possible (temp directories, user profiles, etc.).
- Train the human element to be mindful
  - Far and away this is the toughest hurdle. Users will always be the weakest link in IT security.
  - Training should include:
    - Email best practices
    - Removable media (USB keys, CDs, DVDs, etc.) should not be trusted
    - Authorized vs. unauthorized personnel
    - What information is pertinent to the conversation and what isn’t
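The whitelisting items above can be expressed as a simple rule set and run over process-launch events, which is also how you would check whether an existing policy is catching what it should. The following is an example added to this post, not the author's configuration: it allows execution only from a short list of trusted directories, denies anything launched from user profiles or temp directories, and sends everything else for review. The event format (`timestamp|user|image path`) and the sample events and paths are constructed for the example and do not correspond to any real product's log layout.

```python
"""Flag process launches from locations where executable content should not run.
Example added to this post (not the author's code); events and paths are constructed."""
from pathlib import PureWindowsPath

# Constructed sample events: "timestamp|user|image path". Not a real log format.
SAMPLE_EVENTS = [
    "2016-05-02T09:12:01|ACME\\jdoe|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
    "2016-05-02T09:12:44|ACME\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_0423.exe",
    "2016-05-02T09:13:02|ACME\\jdoe|C:\\Windows\\System32\\cmd.exe",
    "2016-05-02T09:13:05|ACME\\jdoe|C:\\Users\\jdoe\\Downloads\\update.scr",
    "2016-05-02T09:15:30|ACME\\svc_backup|D:\\Tools\\backup\\robocopy_wrapper.exe",
]

# Whitelisting stance: pick what may run rather than what to block.
# Directories are constructed for the example; tailor them to your environment.
ALLOWED_DIRS = [
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
]

# Locations where executable content should never launch. Checked before the
# allow list so that C:\Windows\Temp is denied even though C:\Windows is allowed.
DENIED_DIRS = [
    PureWindowsPath(r"C:\Users"),          # user profiles, including per-user Temp
    PureWindowsPath(r"C:\Windows\Temp"),
]


def _under(path, root):
    """True if `path` is `root` or lies beneath it (case-insensitive on Windows paths)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def classify(image_path):
    """Return 'deny', 'allow' or 'review' for one executable image path."""
    p = PureWindowsPath(image_path)
    if any(_under(p, d) for d in DENIED_DIRS):
        return "deny"
    if any(_under(p, d) for d in ALLOWED_DIRS):
        return "allow"
    return "review"  # outside the whitelist: not permitted, needs a human decision


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, user, image = line.rstrip("\n").split("|", 2)
    return {"time": ts, "user": user, "image": image}


def flag_events(lines):
    """Return the events that would not be allowed to run, with the verdict attached."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev["image"])
        if verdict != "allow":
            ev["verdict"] = verdict
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['verdict'].upper():6} {ev['user']} {ev['image']}")
```

On the sample data the Word and cmd.exe launches pass, the two launches from the user profile (the Temp directory and Downloads) are denied, and the tool on the D: drive lands in review because nobody has decided yet whether it belongs on the whitelist. That last category is where most of the real work of whitelisting lives.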
While security is an ever-evolving landscape, an IT professional should be pragmatic and vigilant in their efforts to avoid becoming the victim.