David Balaban, pictured, covers how to deal with information threats.
Many organisations cannot afford expensive security software and hardware to protect their information. This happens for various reasons, but present-day cyberthreats cannot simply be ignored. Almost every operating system ships with tools that can be used to defend against cyber-attacks, and many security problems can be avoided if the company's IT infrastructure is built correctly from the very beginning. So, how can organisations with limited budgets deal with information threats?
To begin with, the tools built into all popular operating systems can be used to improve overall security: configure user account settings correctly, use the system logs to analyse events, tune the existing firewall, and so on.
Before building your defences, you need to understand what dangers exist, what stages a cyber-attack consists of, and what can be done to prevent each of them. Cyber-attacks proceed in several stages. Before launching an attack, malefactors must find security gaps in the system, that is, vulnerabilities. Attackers are typically divided into internal ones, who already have direct access to components of the system, and external ones. Each group poses different types of cyber threat, and each threat has its corresponding protective measures.
Stages of building your protection
At the first stage, determine how an attack would actually be carried out. It is best to treat each cyber threat as a concrete action, such as a DDoS attack on a web server.
The second step is to choose a strategy to counter each stage of a cyber-attack. It is useful to choose several, since not all of them may be needed later. The third step is to select the protective measures that can be implemented with built-in OS tools.
At the fourth stage, you test the existing mechanisms and adjust the protection scheme based on what you learn. This approach makes it possible to:
– Effectively distribute available information security resources.
– Identify weak points in the security system and see where additional paid tools are needed.
– Compile a list of services and tools that must be monitored on a regular basis.
At the fifth stage, you need to understand how to use the mechanisms available in the OS to protect against possible attacks, and whether their use is justified. As a basis, you can take the Cyber Kill Chain concept, which describes the phases of an attack and the actions an attacker performs in each of them. For greater realism, you can use MITRE ATT&CK, a knowledge base of adversary tactics and techniques observed in real-world intrusions. Together they provide a common framework in which known attack types, including minor ones, can be described. From it you can derive a generalised scenario of an attack aimed at your organisation and see which OS tools can counter each step.
Here is the sequence of actions when carrying out an attack, in a condensed form of the kill chain:
1. Reconnaissance. Collecting information about the target system.
2. Weaponisation. Finding vulnerabilities and selecting the tools to exploit them. From the attacker's point of view, there must be a gap in the target system that allows the attack to be carried out; quite often an attack chains several vulnerabilities.
3. Delivery of the exploitation tool. Objective: to get the attacker's tooling onto the target so that the planned destructive actions can be carried out.
4. Exploitation and persistence. Objective: to give the attacker a permanent foothold in the system.
5. Destructive actions in the system.
6. Covering the tracks of the intrusion.
It should be noted that this scheme falls into two large sections:
– Actions taken before the attack itself starts (the first two)
– Actions carried out directly during the attack (all the others)
Key protection strategies
To protect the system, you can use a number of measures, divided into several categories that correspond to the courses of action that accompany the kill chain:
1. Detect. All measures at this stage come down to spotting the signs that identify suspicious activity associated with a particular attack, for instance by auditing and analysing system and firewall logs.
2. Deny. Preventing unauthorised access to resources. Here you decide which tools or mechanisms will actually stop the potentially dangerous action. Applied early, these measures also prevent attackers from obtaining the information they need to carry out the attack, for example a firewall that refuses connections to services that should not be reachable from outside.
3. Disrupt. Measures that interrupt an attack already in progress.
4. Degrade. Measures that reduce the effectiveness of an attack or the number of ways it can be carried out.
5. Deceive. Methods that mislead the attacker, for example by making it appear that the attack could not be carried out, or by presenting decoy resources that reveal the attacker's presence.
In general, the main protective and preventive measures are as follows:
– Connection monitoring
– User account policy
– Analysis of logs
– Audit of events in the system
– Backing up information.
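The following script is an added example, not code from the article or from its author. It turns two of the measures above, connection monitoring and analysis of logs, into a concrete Detect step and then a Deny step using only tools that ship with every Linux or BSD system (sh, grep, awk, sort). The log lines are constructed for the example in the format OpenSSH's sshd writes to the system log; the source addresses come from the RFC 5737 documentation ranges, not from real hosts. The firewall command it prints assumes an nftables table named inet filter with a chain named input, which is an assumption of the example rather than anything the article states.

```shell
#!/bin/sh
# Added example (not the article's code): a Detect -> Deny step built from the
# "analysis of logs" and "connection monitoring" measures, using only sh, grep,
# awk and sort.
#
# The log lines below are CONSTRUCTED for this example, in the format sshd
# writes to the system log. 203.0.113.0/24 and 198.51.100.0/24 are the RFC 5737
# documentation ranges, not real hosts.
SAMPLE_LOG='Mar  3 10:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:19 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:01:23 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:02:40 web1 sshd[2240]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:02:55 web1 sshd[2240]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[2251]: Accepted password for bob from 198.51.100.21 port 40100 ssh2'

# failed_logins_by_ip: reads log lines on stdin and prints "<count> <ip>" for
# every source address that produced at least one "Failed password" line,
# highest count first. A single typo by a legitimate user shows up here too;
# that is why a threshold is applied in the next step.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*]: Failed password for' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break } }
         END { for (ip in hits) print hits[ip], ip }' |
    sort -rn
}

# suspicious_ips THRESHOLD: prints only the addresses whose failure count
# reaches THRESHOLD. This is the Detect step; nothing is blocked yet.
suspicious_ips() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# deny_rules THRESHOLD: prints the firewall commands that would turn the
# detection into a Deny measure. They are printed rather than executed so the
# list can be reviewed (and your own management addresses exempted) before
# anything is applied. Assumption: an nftables table "inet filter" with an
# "input" chain already exists on the host.
deny_rules() {
    suspicious_ips "$1" | while IFS= read -r ip; do
        printf 'nft add rule inet filter input ip saddr %s tcp dport 22 drop\n' "$ip"
    done
}

# Stand-alone report for the constructed log: failure counts, then the proposed
# block list for addresses with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | deny_rules 3
```

On a live system the same functions would be fed with the real log (for example `journalctl -u ssh` or `/var/log/auth.log`) from a cron job, and the generated rules reviewed before being piped to the firewall. The threshold is the tuning knob: the constructed log shows one failed attempt by a legitimate user who then logged in with a key, which a threshold of three correctly ignores while still catching the host that guessed passwords four times.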
Unfortunately, the length of this article does not allow us to dwell on each method in detail. Nevertheless, these measures are enough to protect an organisation's resources in many cases, and often to stop an attack while it is still being prepared.
The problem of budgets
Of course, free or cheap protection measures also have their shortcomings:
– Fairly extensive knowledge of the technologies used in the OS is required. One should not expect yesterday's graduate to set everything up correctly and quickly; you need professionals who can build reliable protection on a limited budget.
– In some cases you will still have to use certain paid protection tools. In addition, there is a specific list of measures that must be implemented in full, for example the protection of confidential information such as personal data.
Therefore, always remember that security is not only measures and tools, but also the specialists who configure and maintain the system.
About the author
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures. Visit https://www.linkedin.com/in/david-balaban/.