A member of professional association ISACA, Professor John Walker, says that the multi-vectored nature of an advanced evasion technique (AET) attack means that organisation’s need to improve their conventional IT security. AETs are used to attack networks by combining several known evasion methodologies to create a new technique that is delivered over several layers of a network simultaneously. This allows the attacker to successfully deliver known malicious code without detection.
According to Prof Walker, of the Nottingham-Trent School of Computing, who is also a member of ISACA’s International Guidance and Practices Committee, while some hackers have figured out shell (command line) attack methodologies as part of their AET strategies, the implications are not always bad.
“On some recent security panels discussing and dissecting the AET, the conversations were at a very high level and did not consider the technological implications or the in-depth implications of what an AET can mean in real time,” he says in his latest blog, adding that this particular issue would seem to have been lost.
Prof Walker, who is chief technology officer of Secure Bastion, says the actual attack methodology underlying an AET vector does not matter, once the hacker has gained access to a command line shell prompt. “Again, I can attest from research, security testing and evaluations, that this is where the real issues can start to appear,” he says, adding that it is not a question of the hackers being smart with their attacks, but more that the targets they choose are particularly vulnerable due to insufficient security.
“In many cases, the first issue that is encountered is excessive privilege associated to systems that have not been locked down. Even today, I am amazed at how many organisations allow their user base, or a large proportion of their user base, to have administrative access,” he says. Once systems have been penetrated, he adds, the attackers may start to poke around, seeking what may be achieved and/or invoked from the command line. PowerShell and Windows Management Instrumentation Command Line (WMIC, wmic:rootcli).
The recommendation here, he says, is not to debate the topic of AETs as if it they are final conversation point, but rather to consider the implications of an AET attack and protections that should be put in place. Walker also recommends that that the first step in combating AET attacks is to assume they will succeed and develop a security strategy to defend the IT resource from the inside—in the same way that oil super tankers are designed to continue operating, even when one or two of their sealed hull compartments are breached.
Guidance on how enterprises can address these issues is available. ISACA’s recently released COBIT 5 helps business and IT leaders maximize trust in, and value from, their enterprise’s information and technology assets. Building on this, COBIT 5 for Information Security was designed in response to heavy demand for security guidance that integrates other major frameworks and standards. COBIT 5 for Information Security is divided into three major sections: Information Security, Using COBIT 5 Enablers for Implementing Information Security in Practice, and Adapting COBIT 5 for Information Security to the Enterprise Environment. COBIT 5 and COBIT 5 for Information Security is available at www.isaca.org/cobit .
For more information on ISACA, visit http://www.isaca.org.
For Professor Walker’s blog: http://bit.ly/MuCAge
