Analysis

Developing a new strategy for information security

Warwick Ashford

The (ISC)2 Security Congress 2013 in Chicago focused on the challenges facing information security practitioners – but what are they and what are the solutions?

Apart from the increasingly sophisticated nature of attacks, information security

    Requires Free Membership to View

professionals often find themselves fighting a culture of disbelief in the businesses they support.

Many businesses still do not believe they will be targeted by cyber attacks, typically arguing they have no data worth stealing.

Consequently, the business is unwilling to invest in basic security management and control systems, and assumes the IT department will take care of any security issues that may arise.

In a typical anonymised case study, presented by Ernst & Young, responders to an incident at a large research firm were told there was no information security officer and no security operations centre (SOC).

There was poor identity and access management, no network segmentation and no network situational awareness in the form of intrusion prevention or detection systems.

Business units were encouraged to be self-supporting in IT and IT policies were outdated. Consequently, the firm was unaware that a breach had taken place until notified by a third party.

Ernst & Young investigators found different variants of custom malware, making them invisible to any signature-based anti-virus or other security systems.

The investigators found attackers had gained access to the company’s network by targeting just 19 users connected to the database with a highly-customised and plausible phishing email.

The email appeared to come from someone inside the database group and directed recipients to a plausible work-related intranet page. However, clicking on the link launched a set of tools for the attackers.

Lessons to be learned

This case study contains several lessons.

  • It is important for the business to understand the nature of the threat against the business and the impact of a breach on production, finances, intellectual property and reputation;
  • Organisations need to be able to continually monitor their networks and have the ability to detect and mitigate intrusions as quickly as possible;
  • Security policies and procedures need to be updated regularly and enforced to help information security keep pace with the constantly evolving threat landscape;
  • Malware is increasingly customised and targeted. This means organisations need to be prepared for unknown attacks. But that does not mean all other attacks go away. Basic IT security remains vital;
  • Human beings are often the weakest link. Consequently, an extremely high proportion of attacks involve a social engineering element. Security awareness training is therefore indispensable;
  • Attackers may be using customised attacks, but operating methods typically remain the same. Though intelligence sharing, businesses can continually update their defence strategies.

Many in the security industry believe that, as attackers become organised into structures using teams with separated duties – all dedicated to bypassing defences of specifically targeted organisations – information security professionals need to change tactics too.

While the idea of offensive security – where traditional defenders strike back, is gaining popularity in some quarters – others in the profession are cautioning against going to the extreme.

Retaliatory cyber attacks are not a good idea, an international panel told attendees of a joint session of the ASIS International and (ISC)2 2013 annual congresses in Chicago.

Although security practitioners ability to trace the source of cyber attacks is improving, they said it is seldom possible to do this with total certainty, particularly in the most sophisticated attacks.

But even where attribution is possible, retaliation is not good because it typically leads to an escalation of attacks and an increase in complexity, said Scott Borg, chief of the US Cyber Consequences Unit.

Tony Vargas, a member of the (ISC)2 application security advisory board, said offensive security is challenging and mistakes could even cost lives in some situations.

Security by design

Instead, he advocates several legal “offensive” security strategies that enable organisations to be proactive about security through security awareness and secure product development.

“Awareness works, and is where security should start. If we could fix the problem with technology alone, we would be there by now,” said Vargas, a technical leader and security strategist at Cisco Systems.

He believes most people in an organisation want to “do the right thing” so, instead of beating them with a stick, they should be made part of the solution.

Vargas said information security professionals need to understand the business and help ensure executives and all other users are aware of the general and specific threats to their organisation.

“Find out what communication channels they are using, then spread the security message using those channels, whether it is video, Twitter, LinkedIn or instant messaging,” he said.

Information security practitioners, he said, must also keep abreast of what is going on in the security industry, and forge partnerships and relationships to help drive the industry forward.

An important element of that, he said, is creating software, products and services that are secure by design though implementing secure development lifecycle programmes.

“Security needs to be part of every development stage, including initial requirements,” he said. “And any insights from testing, deployment and security incidents must be fed in for continual improvement.”

Vargas predicts there will be a “huge market for application security professionals” in coming years, as governments and large enterprise increasingly mandate inherently security products and services.

“Considering the present and likely future security skills gap, we need to ensure that the security work is done upfront an not left to the deployment phase; there are not enough people for that,” he said.

Procurement

Vargas believes information security professionals must work with the business to ensure security is part of the procurement processes.

“Business must create demand for security features in products and refuse to buy anything that does not meet their security requirements,” he said.

Vargas said it is not only important for information security professionals to work with their peers across industry, they also need to work across the whole business to move things forward.

Attendees of the (ISC)2 Congress heard that another key strategy in the face of increasingly sophisticated threats and a shortage of people with the necessary cyber defence skills is prioritising information assets.

“Knowing the 'who, what and how' will enable organisations to develop a more focused security strategy and stronger defence posture,” said Adam Meyers, director of intelligence at security firm CrowdStrike.

“Organisations can’t defend against everything, but if you know who is likely to attack, what they are likely to target, and the methods they are likely to use, it makes defence much easier.”

Borg said that the paradox is that, by taking a broader view and making the effort to analyse attackers and their methods, organisations can narrow down what they need to defend using a risk-based approach.