Over the last few months, the world has witnessed the disclosure of nation states using a vast number of zero-day exploits, or code that attackers use to take advantage of not yet known security holes in software, to achieve their goals by gaining control over high-profile targets, writes Philip Lieberman, President and CEO of Lieberman Software.
One of the key takeaways from each of these exploits, such as the recent Sandworm APT attacks on prominent US and European targets, is the lesson that many of the existing privilege management solutions have failed to limit nation state access. Privilege management involves sorting out who has elevated permissions to carry out tasks like accessing files, installing and running programmes and changing and configuring settings. Interestingly, Target, JPMorgan and Home Depot all had privilege management software, but somehow it all failed to protect these organisations due to either technology shortcomings or IT process issues within each of these breached companies.
Indeed, there are some pretty pertinent lessons to be learned about organisations’ attitudes and practices when it comes to privilege management and the security of their business-critical systems.
The common fault amongst all of these breaches has been the lack of privileged identity coverage and the slow speed of the mitigation process. Many systems lacked proactive management because companies did not fully deploy their purchased solutions, or the purchased solutions were slow and labour intensive to deploy (and keep deployed). In any case, attackers were able to find systems and identities that were missed by the existing technology, and were able to exploit the lack of coverage to their benefit. The simple lesson is that if those attacking an organisation are using automated tools, which they are, and companies are trying to manage their environments with tools that require manual labour to implement, then they have already lost the war. A lot of technology that touts pretty web interfaces will require a tremendous number of mouse clicks to configure anything and will ultimately deliver no automation, making it impossible to keep up with attackers.
Anybody a target
Those companies that believe they are not subject to attack because they are not a worthy enough target should know that all systems in most IP address ranges are attacked without mercy. It is true that there are certain ranges that are skipped because they are marked as “friends” or “allies” of specific attackers, or are particularly well known to trigger undesired responses against attackers, but otherwise all bets are off. Both Russia and China launch cyber-attacks on Western nations, and these attacks bypass their own territories and allies. This situation is well understood by both sides. You can see a great visualization of this scenario in real time at: http://map.ipviking.com/
Attackers go for the weakest links as well as high-profile marks, and those that are both had better be prepared.
If it’s broke, then fix it
When a lot of money is spent on certain technology, such as privilege management software, there is a general mantra that the organisation will and should make it work, even if it has proved ineffective time and again. As the saying goes: repeating the same behaviour and expecting a different outcome is the definition of insanity. Such insane behaviour is a breach of fiduciary responsibility by senior management at these companies. The resistance of these repeatedly breached companies to replacing failed privilege management technology with technology and processes designed to match the threats they now face is mind boggling.
Cyber-defence today is not about stopping intrusions; it is about creating architectures and processes that minimise the losses and limit how far intruders can go with zero-day and other exploits. This means having fully automated technology that can operate at scale and depth without the need for continuous human interaction. The use of zero-day technology and sophisticated phishing emails by both criminals and nation states guarantees that intruders will be able to get a foothold. From a foothold, attackers will look for credentials of all types, including passwords, hashes, tickets, keys and certificates, that will allow them to switch from their expensive zero-day technology to simple peer-level access. Obtaining any credentials on a system allows the attacker to move laterally around systems.
Using very fast technology that scales and operates autonomously to disrupt the attacker’s strategy on a continuous remediation basis is an effective place to start. Doing so will scale the lifetimes of user credentials down from months to hours and keep humans out of the business of configuring this technology, which is often what leads to the most error.
These activities point out the need for significant fundamental changes in the way we run our infrastructures as well as the need to refresh the knowledge and duties of everyone in the senior management chain. It is the hope that these companies as well as the many other similar ones can learn from the mistakes of those that have been so explicitly and publicly breached. The time is now for businesses to quit burying their heads in the sand, hoping they have security covered – until something goes wrong.
Company boards of directors will no doubt need to dismiss their senior management, which many will have done already, replacing them with leaders ready to step up their game and act as cyber-defence warriors, not recurring victims with the insane idea of repeating failed strategies.