Confession - I loved David Letterman and I couldn't get enough of his Top 10 lists.
So in that theme, I give you...
the Top 5: You Know You're in Trouble When...
- You’re asked to move the Active Directory server to an open part of the network to insure users can easily LOGIN
- When your boss, who is responsible for security, asks you, “What type of security software do we use?”
- You remind him, “the freeware version of Malwarebytes Anti-Malware”
- A press release states, “our IT system and security measures are in full compliance with industry practices.”
- The second press release states, “we were the victim of a sophisticated cyber attack operation.”
Top 5 list is sort of a funny way to look at it, but if there is one thing that everyone in the security industry can agree on, it is that the hackers are getting smarter. A firewall isn't enough to keep your network safe. You can have the strongest password in the world, and still have it taken from you in a phishing scam. Healthcare and financial services records are the most valuable in the world, their security systems are top notch, and yet still the hackers are getting in.
So the question becomes:
How do you think like an attacker?
First you have to understand the anatomy of a cyber-attack. Let's use the Target hack as our example for this. Target was breached the same way that many other organizations are - through stolen credentials. One of Target's partners, an HVAC company, had access to its network as a non-employee and fell victim to a phishing campaign. Once the hacker had the contractor's information, he was able to use a web application to get into Target's network. From there, the hacker was able to take any one of many lateral paths to information. Once the network was accessed, it was easy for the hackers to make their way to the POS system and start to exfiltrate data from their system. The attack path here seems simple, he was in and out in only six steps. The issue is, how would you have stopped him? The firewall held, there was no vulnerability exploited (the hacker had valid credentials), and there were no alarms raised when the network was accessed. However, there were also no alarms raised when a contractor working on their HVAC system started working their way into the POS system. That is the problem. The hacker knew that there were no obstacles in place to alert anyone of his activity so they were free to roam around the network finding the information they wanted and exfiltrating it straight to the black market. Would you have caught the hacker when they entered the system? Would you have noticed when he accessed applications that should have been out of his reach? Would you even have caught on when massive amounts of data started disappearing from your network?