As a security professional for more than 12 years and a former CISO, I was trained in the basic approaches of information security under the concept of "build a strong perimeter and you'll be secure."
Though it's a tough pill to swallow as a security pro, this means recognizing that you may not be able to protect everything.
Unfortunately, that principle has changed; the so-called perimeter has evaporated over the last several years due to the influx of laptop computers, mobile media, USB drives, the ubiquitous smartphone, personal and portable hard drives and the bring your own device (BYOD) trend. While all of these mobile technologies are making life more convenient and workers more productive, they've also created giant security holes through which data can be lost, stolen or breached. The perimeter -- once considered a solid wall -- is now more like a sieve. Maintaining security is getting more challenging.
RSA President Tom Heiser recently said, "More companies every day are acknowledging that in order to survive in this new era of attacks we all have to accept the fact that bad guys are in our network. Period." Heiser's comments are both spot-on and consistent with a philosophy I have been studying and advocating for almost two years.
Security professionals today should not operate under the assumption of will they get breached, but when. I was introduced to this notion of "assumption of breach" almost 10 years ago by my security mentor and friend, Kirk Bailey, CISO for the University of Washington, Seattle, and in recent years, the concept has taken over the mindset of the more realistic and pragmatic security professionals around the globe.
So, how do we make this transition to a mindset of assuming data breaches will happen? In light of this new paradigm in information security, let me offer some thoughts that may be useful for CISOs and security teams trying to protect critical data in shifting circumstances.
What does assumption of breach mean?
CISOs must begin educating themselves and their executive teams on this new information security philosophy, but overall, the shift to the assumption of breach philosophy doesn't require a complete makeover from the standard security approaches. The perimeter is still necessary to keep out the simple attackers, such as the "ankle biters" and "doorknob rattlers." However, security programs do need to be augmented with new elements and methods, such as advanced intrusion detection and prevention, to stop the intruders before they can export any critical data.
The first step I'd recommend is to evaluate your current approach, tools and techniques and how effectively they can perform intrusion prevention and detection. How do you really know when someone has broken into your digital house? How do you know when unauthorized access to critical data is taking place? Assess if your organization has the systems and capabilities in place to readily identify when an attacker is in your network, regardless of whether the attacker is performing reconnaissance, mapping the network, installing back doors and droppers or deleting data. This approach will also require executives to relinquish access to data they have no reason to touch.
Taking time to train the new security professionals is also a key aspect of this strategic transition. It's not only important to emphasize the fundamentals taught in CISSP boot camps and Security 101 courses, but also to stress that they must operate on an assumption of breach philosophy and prepare ways to best protect critical data. Chief executives and their assistants, as well as system administrators and procurement staff, need to be trained on how to identify strange, potentially malicious emails and websites. For instance, a common way for miscreants to break into systems is via targeted spear phishing attacks on senior executives, their executive assistants, and key directors and system administrators. Also, as noted in a recent report from Symantec Corp. regarding the Elderwood Project and watering hole attacks, even the supply chain can be a means of downloading an attacker's code when visiting the supplier's website.
FROM THE EDITORS: MORE ON ADVANCED INFOSEC STRATEGY
In this Information Security magazine feature, Lisa Phifer explains why new malware threats require a new anti-malware strategy.
Michael Cobb writes about how to adjust a network security strategy when business planning requires change.
Companies need to determine the effectiveness of their log reviews, especially for outbound traffic. Do you know what normal traffic is for your company 24 hours a day, seven days a week? Have you automated your egress filtering so that you get an alarm when data is being "pushed?" Data egress is tantamount to stealing your crown jewels, so staying on top of it is an operational imperative. This is especially true when shifting to the security mentality of assuming a data breach could be occurring.
Do you really know what you'd do when you discover an attacker in your network? Who is on your response team? Who do you call for help? What about forensics (after the fact)? Better yet, how do you stop the attacker before he or she steals and transmits any data? It is crucial to ask these questions now rather than assuming a castle-and-moat approach to security will adequately protect key assets. Line up a forensics team using an outside vendor or appropriate resource so that when a problem is detected, or even suspected, your organization can know what was stolen, when it was stolen, who stole it and what other back doors were added or remain open.
Finally, security vendors themselves must support this philosophical transition. They need to realize that a more holistic security strategy includes a strong, viable perimeter, but with tools and capabilities for detecting intruders and stopping them in their tracks before they can exfiltrate data.
Protect critical data via islanding
In protecting critical data, one approach to consider for improved protection is to isolate critical data. The concept of islanding (also referred to as enclaving) means to literally isolate the data in a location that is secure both physically and via cyber access, essentially building a new network node. Date is held within a perimeter of firewalls and intrusion detection/prevention capabilities. Access controls, including three-factor authentication and user names, passwords or biometrics separate from the enterprise Active Directory or LDAP scheme, are used to severely limit and control who can access the data. The following considerations must be made for pursuing the data islanding approach:
- What is the critical data? What data can the company not afford to have stolen? What data theft would be so detrimental to the company and its competitive position and reputation that its future would be at stake?
- Where is the critical data located? Where are the primary data and associated backups? What about the one-off, forgotten spreadsheet that may contain critical data?
- Who has access to the critical data? Why? Don't forget system administrators and executives who think they really need access to the data. Also, what are their access rights? Read? Write? Copy? Steal? Are these access rights excessive? Are the access rights global in nature, meaning a worker in the Middle East can access critical data in Houston without any added logins or access control hoops to jump?
Education is again key to making sure those with access to critical data have an understanding of spear phishing, targeted attacks and social engineering. If there is even the slightest element of a breach or an attempted attack is suspected, individuals should be advised to call a specific point of contact who is available around-the-clock to quickly respond.
Finally, strictly monitor the dataflow in and out of the new critical data perimeter. Know why bits and bytes are being included inside the critical data perimeter, including patches and other system upgrades. Make sure that data removal, modification and deletion is closely monitored in real time. You want to envelope the critical data with a real-time configuration and change control system; basically, build a prison inside your network to house and protect the critical data.
This new security paradigm is a departure from the way we were all taught in our CISSP classes and Security 101 training. Not only is this approach about technology and employee awareness, but it also is about narrowing down and protecting the critical data in an organization. Though it's a tough pill to swallow as a security pro, this means recognizing that you may not be able to protect everything.
CISOs cannot make this transition alone, but with the right attitude and a new approach to security -- as well as new technical and administrative controls -- we can begin to move down the path where organizations operate under the assumption-of-breach model. Once it is accepted that breaches can and will happen, critical data will have a better chance of survival and protection.
I strongly recommend taking a hard look at the Verizon Data Breach Investigations Report in context with the suggested approach above. Realize that the symptoms of attack need to be considered so that you can detect miscreants before they exfiltrate or sabotage your critical information.
About the author:
Ernest N."Ernie" Hayden, CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for over 12 years in information security, cybercrime and cyberwarfare, business continuity and disaster recovery planning, leadership, management and research in conjunction with his 35-year professional career primarily in the energy and critical infrastructure protection business. Based in Seattle, Hayden holds the title of managing principal -- critical infrastructure protection and cyber security on Verizon's RISK Team, devoting much of his time to energy, utility, critical infrastructure and smart grid security on a global basis. Prior to this, Hayden held roles as an information security officer or manager at the Port of Seattle, Group Health Cooperative and Seattle City Light. Hayden's independent analysis may not always reflect positions held by Verizon. Read more of Hayden's expert advice on his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org.
This was first published in March 2013