DarkReading recently published an interesting article entitled “BT Study: Most Enterprises Expect to Get Hacked This Year.” I’d say that that’s a safe assumption, since in the case of most large organizations, their electronic footprint is everywhere.  When you pair that with unmanaged parts of an organization setting up servers and machines, accounting for all resources is practically impossible.

Interestingly enough however, many of the organizations quoted in the BT study expect that they are less likely to get hacked if they pen test. But unless you have unlimited resources and endless stretches of time, that conclusion is very wrong.

In reality, the amount of resources that most organizations have to dedicate to pen testing is limited. According to the DarkReading article, this happens for a variety of reasons; everything from upper management not understanding the importance of pen testing to organizations worrying that “the results of a pen test ‘could be embarrassing’” causes vulnerable systems to go untested. But no matter what the reason, the bottom line is that this issue is only going to become more prominent as the role of technology in organizations continues to expand.  

So, if there’s no avoiding the fact that we should expect to get hacked even if we pen test, what should we do? Easy: Find out what we can do to minimize the impact of compromises and continue to make sure we have a strong foundation to work on.

This idea goes back to one of the ongoing themes we have here on the site, which is getting back to basics and doing them well. Start out by identifying what you are trying to protect and work your way out—take a defense in-depth approach. Most organizations are looking to protect data, so that’s where we’ll start.

First, we need to determine the sensitivity of the data we are trying to protect. What would happen if a hacker, competitor, or nation-state was able to get to that information? Would lives be at stake? Would the loss of a competitive advantage result in losing a contract? How much would it cost to clean up after your customers’ credit card details were sold on the web?

Based on this data value analysis, say you come up with three sets of data: A, B, and C, with A being your crown jewels. Maybe it would make sense to store the A set in a segmented area of the network where you need to log into a special terminal for access. Perhaps the B set could exist on your organization’s intranet protected by traditional OS and network access controls. The C set may not be too sensitive, so maybe it’s available in public areas on your intranet.

In this instance, an attacker may be able to get through your first line of defense and into your intranet. Any information stolen there wouldn’t be too sensitive, so the effect of compromised data would be minimized. Maybe the hacker is very skilled and is able to bruteforce someone’s password over a period of several weeks. They’ve broken through you second layer of defense and now have access to the B set of data. Although this data is more sensitive, the required skills and time commitment necessary to gain access to this information may minimize the compromise if the data is time sensitive. Finally, you have the
A data set. In this case, the attacker would not only have had to access the intranet and compromised someone’s account, but would have also had to physically gain access to a secured terminal. The hope is that at this point, the attacker will give up and focus on a less secured target.

You can make this scenario a lot more complex, but this example illustrates the basic concept of assuming you are going to get hacked and using defense in-depth to segment your network and employ protections relative to the value of the compartmentalized data.

Besides disconnecting your organization’s network from the Internet completely, this is the best that I could come up with. What are your thoughts on how we can minimize the effects of getting hacked? Comment below or send me a tweet @grecs.

o     o     o     o     o

One of the best ways to get back to basics is to have a good foundation. We’ve put together a list of useful books that will help you get on track and do the basics well.  

Addressing the problem of companies not taking insider threats seriously, the “Many Enterprises Still Don’t Recognize Insider Threat, Studies Say” article on DarkReading made some much-needed points about intranets not being the secure entities that many companies believe them to be. While the article’s primary focus is on traditional insider threats—with employees knowingly or unknowingly causing most of the problems—it got me thinking about different kinds of non-traditional threats.

The chief non-traditional threat that comes to mind is the occurrence of company workstations being infected with malware through non-technical users surfing the web. Since non-patched browsers are the norm in corporate America, an unsuspecting admin can have their workstation infected just by surfing the web. Once infected, the workstation can be used to take control of both internal and external company resources.  

The number one way that most of these malware-based insider threats happen is through the use of scripting. For an example of what scripting can do, look no further than the Twitter attacks that occurred over the weekend (one on Saturday, the other on Sunday). 

The most obvious fix for these all-too-common browser infiltrations caused by scripting is to go no-script by disabling scripting by default. Sure, it’s a pain, and employees are likely to complain, but is the potential compromise or loss of data really a risk that companies are willing to take? For some companies, the answer, (unfortunately) is ‘yes.’ Though it may be obvious to security professionals why disabling scripting is more necessary than optional, members of company management usually buy into long-propagated myths like anti-virus and anti-spam applications being enough protection for both internal and external threats.

If you find yourself in a company that is scared to take the plunge and go no-script, another way to help protect non-technical users and company data is through the creation of a whitelist. Far easier than creating a blacklist of ‘bad’ sites that users need to avoid, creating a whitelist cuts out time, money, and frustration by allowing users to only visit specified ‘safe’ sites.

If you find that a whitelist is also out of the question, I will use one of my oft-touted solutions: Encryption. While many companies feel that encryption for intranets is unnecessary (since they see intranets as being internal and therefore ‘safe’) the reality is that encryption is just as necessary for intranets as it is for external sources.

Another recent article on DarkReading pointed out that the default setting on Internet Explorer 7 and 8 can be unsafe for internal intranet-based Web applications. Since most companies use Internet Explorer as their default browsers, there is no denying the importance of intranet encryption.

But whether you go no-script, create a whitelist, or encrypt every last piece of data you have (which we highly recommend), consider compartmentalizing your data. Inventory it and rank it according to its sensitivity. Segment your network so that the important stuff is really protected. You can do this through creating multiple compartments: One compartment for general users, another part for the company employees that deal with sensitive information ‘a,’ another compartment for company employees that deal with sensitive information ‘b.’ That way, if your network gets compromised, you can protect the rest of your data so attackers don’t have access. 

The bottom line is that traditional insider threats as well as malware-based insider threats need to be taken seriously if we’re going to move forward and keep our companies—and ourselves—secure.

###

If you’re looking for some additional ways to keep your company—and yourself—a little safer, we’ve put together a handy list of books that might do the trick. 

Securing Internet Explorer’s (IE) Zones can go a long way toward protecting your non-technical family and friends from malicious web sites.

Security Background

Many non-technical users in your life probably use IE for most of their computer activities. From checking email to editing photos, these cloud computing applications make the web browser the most prominently used tool on most computers. With firewalls in operating systems and abundance of inexpensive hardware routers, many attackers are turning towards browser infection techniques by luring unsuspecting users to web sites that compromise the computer. Therefore one of the most basic things you can help non-technical family and friends with is locking down their browser. There are entire treatises written on how to secure IE, but the most basic approach involves locking down IE’s Zones settings from its default promiscuous settings to a more secure white list approach. This simple technique disables most of the common exploit vectors, such as ActiveX and scripting.

Setup Internet Explorer Zones Security

• From most versions of IE double-click the zone area in the bottom-right of the browser (typically it shows Internet.) to open up the Internet Security Properties window.
• Set the Trusted zone to Medium by selecting each zone, moving the slider to Medium, and pressing Apply.
• Set the Intranet zone to Medium using the same steps as above.
• Next set all other zones (i.e., Internet and Restricted Sites) to High using the same steps as above.
• Click OK to close the window.

Add Proven Sites to Trusted Sites List

Most sites should still be functional enough for users to get the information they need or to at least check out the site to see if it seems trustworthy. If the site requires ActiveX or JavaScript, for example, and the user has determined the site trustworthy, then they can add it to their Trusted Sites list using the following steps.

• Open up the Internet Security Properties window by double-click the zone area.
• Select Trusted Sites and press the Sites button.
• In most cases you’ll have to clear the “Require server verification…” checkbox.
• Enter the site’s domain name (e.g., domain.com) and press the Add button.
• Select Close to dismiss the Trust Sites window and press OK to close the Internet Security Properties window.

This setup isn’t as user-friendly at first, but it’s a lot safer. After adding many of their commonly used sites, it hopefully won’t be as annoying for your family and friends.