Security: How Many People Does It Take?

Friday, June 01, 2012

PCI Guru


There are a lot of jokes that start with the phrase, “How many people does it take …”  But this post is no joke. 

I have been taking some heat over my comment that you do not need to know who is attacking you, you only need to focus on what you need to protect.  As such, I felt the need to further explain myself.

The first complaint I get is that it is important for security professionals to know the tactics used by the attacker.

So my first question to all of you is, “How many people does it take to analyze attack vectors?”

We have forensic security organizations such as Verizon, Trustwave and SecurityMetrics that analyze attacks.  We have security companies such as IBM/ISS, Symantec, Kaspersky and McAfee that analyze attacks.  We have hardware/software vendors such as Check Point, Microsoft, Cisco and Palo Alto that analyze attacks. 

I would venture to say there are hundreds of reliable sources for the analysis of attacks.  And yet, I am taken to task that you need to have your own analysis of attacks.  These hundreds of other sources just are not enough for you to rely on?  Really? 

If you are doing the correct analysis of your vulnerability scanning and penetration testing reports, your attack vector risks should be known and you should have either patched or developed mitigations for those risks.

And while they might be put together in a slightly different sequence, DDoS is still DDoS and SQL injection is still SQL injection.  The bottom line is that the library of exploits available to an attacker is essentially finite.  This is borne out by the statistics that the forensic firms publish year after year. 

As such, you should be able to monitor for all of these attacks fairly easily because they are all known quantities.  Yes, there is the rare zero-day that turns up every so often.  But even a zero-day can be picked up if your monitoring is configured, tuned and implemented properly, because the attacker still has to do something on your network after the initial exploit. 

If you think about it, unless an attacker is someone who can develop their own exploit code (and the vast majority cannot), they are limited to whatever exploits are publicly available, and that is a known quantity.  Take an inventory of what is available in Metasploit or Core Impact at any fixed point in time and you will see what I mean.

Then there is the group that argues that if you do not do analysis of the attacker, you cannot understand why you are being attacked.

So my second question is, “How many people does it take to give you an idea of why you are being attacked?”

This is pretty straightforward to figure out without extensive and intensive analysis.  In the overwhelming majority of cases, you are being attacked for one or more of the following reasons.

  • Your organization has sensitive information such as credit card numbers, bank account numbers, intellectual property or customer information that the attackers want.
  • Your organization has produced a product or service that has been perceived to be a safety hazard, overpriced or other detriment to society.
  • Your organization or an employee has publicly taken a stance on some issue(s) that has irritated some group(s) of people.
  • Your organization has donated money, time, products or services to an organization viewed by some group(s) of people as questionable.

Read the reports published by the forensic firms.  Read the news reports in the media.  If you distill that information, the reasons for attacks break down into these four basic reasons. 

Yet, security professionals continue to worry about the motivations of the attacker.  If you think your attack is unique, you are wasting your time.  The likelihood of your attack not being covered by these four primary reasons is slim to none.

I think these complaints just come down to the fact that doing the actual grunt work of security is just not very sexy work.  There is no doubt about that fact.  Ensuring the security of networks 24x7x365 is very, very monotonous work.  And it is that very monotony that is one of the primary reasons why organizations get breached. 

People get bored with the monotony and they start to cut corners on procedures because, in their view, nothing is going on and, therefore, nothing will go on.  Only rotation of people and tasks will address the monotony, but that only works for so long.

This is why security professionals turn to automated tools to minimize reliance on people to flag potential anomalies.  Without tools, people get bored very quickly searching for the “needle in the haystack” through all of the data produced by all of the devices on your network. 

However, even with all of the necessary tools, correlation of information still requires people to bring all of the anomalies recognized by the tools together and determine if all of these anomalies warrant further investigation.

Even with the necessary tools, you are not out of the woods.  One of the more common problems that we encounter is that organizations have not completely implemented those tools. 

How many of you invested in the cool intrusion prevention system and still run it in detection-only (alert, not block) mode?  Even those organizations that do completely implement the tools do not always keep up on the "care and feeding" of the tools to ensure that the tools still recognize the anomalies. 

The tools are current and up to date, but anomalies are not recognized because the tools are not properly configured and tuned to the organization’s current network configuration.  Networks are not the static environments that a lot of people think they are. 

As a result, either the number of false positives is so high that personnel ignore the voluminous number of alerts generated or anomalies are just never identified by the tools.

It is not until someone finally recognizes an anomaly as a breach that it gets interesting.  Then things become very interesting in a hurry.  Unfortunately, the statistics from the forensic firms point to the fact that, if an anomaly does get recognized, it is often many months to years down the road from the original compromise.

And that is where security professionals need to get better.  If you look at how long it took TJX to recognize their breach (years) versus how long it took Global Payments (months, but still counting), we are headed in the right direction.  But when it takes attackers only minutes, hours or even days to get your information, months still does not cut it. 

We need to get to days or, better yet, minutes. That is the challenge security professionals face and that is where we need to focus our efforts.
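The two paragraphs above on tuning and correlation, and the ones on time-to-detect, come down to one loop that an analyst or a SIEM runs over the alerts the tools emit.  The following is an added example (not from the original post and not any vendor's product): it normalizes constructed alerts from three hypothetical tools (an IDS, host authentication logging and a firewall), applies one tuning rule that suppresses a known-noisy signature for an authorized scanner address, correlates the rest per host inside a sliding window, escalates only when two independent tools agree about the same host, and reports how long it took from the first kept event to the escalation.  The event lines, host addresses, signature names and the scanner address are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from any real network.
# Each: (UTC timestamp, tool that raised it, host it concerns, signature, severity)
RAW_EVENTS = [
    ("2012-05-30T02:14:05", "ids",  "10.1.5.5",  "ET SCAN Nessus User Agent", "low"),
    ("2012-05-30T02:14:06", "ids",  "10.1.5.5",  "ET SCAN Nessus User Agent", "low"),
    ("2012-05-30T02:15:00", "ids",  "10.1.5.5",  "ET SCAN Nessus User Agent", "low"),
    ("2012-05-30T03:01:10", "ids",  "10.1.30.7", "SQL injection attempt in URI", "medium"),
    ("2012-05-30T03:01:40", "auth", "10.1.30.7", "local admin account created", "medium"),
    ("2012-05-30T03:03:12", "fw",   "10.1.30.7", "outbound TCP/443 to unlisted host", "low"),
    ("2012-05-30T09:20:00", "ids",  "10.1.40.2", "SQL injection attempt in URI", "medium"),
    ("2012-05-31T10:00:00", "auth", "10.1.40.2", "local admin account created", "medium"),
]

# Tuning: the authorized vulnerability scanner (address assumed for this example)
# trips this IDS signature on every run.  Suppress the (signature, host) pairing,
# not the signature everywhere, so the same alert from any other host still counts.
SUPPRESS = {("ET SCAN Nessus User Agent", "10.1.5.5")}

WINDOW = timedelta(minutes=30)   # how far apart two events may be and still correlate
MIN_TOOLS = 2                    # escalate only when independent tools agree


def parse(events):
    """Turn the raw tuples into (datetime, tool, host, sig, sev), oldest first."""
    return sorted(
        (datetime.fromisoformat(ts), tool, host, sig, sev)
        for ts, tool, host, sig, sev in events
    )


def tune(events, suppress=SUPPRESS):
    """Drop events matching a suppression rule.  Returns (kept, number dropped)."""
    kept = [e for e in events if (e[3], e[2]) not in suppress]
    return kept, len(events) - len(kept)


def correlate(events, window=WINDOW, min_tools=MIN_TOOLS):
    """Per host, escalate the first time >= min_tools distinct tools report that
    host within `window`.  Returns {host: incident details}."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e[2]].append(e)
    incidents = {}
    for host, evs in by_host.items():
        for i, (t_i, *_) in enumerate(evs):
            in_window = [e for e in evs[: i + 1] if t_i - e[0] <= window]
            tools = {e[1] for e in in_window}
            if len(tools) >= min_tools:
                first_seen = in_window[0][0]
                incidents[host] = {
                    "first_seen": first_seen,
                    "escalated_at": t_i,
                    "latency": t_i - first_seen,   # detection delay for this host
                    "tools": sorted(tools),
                    "signatures": [e[3] for e in in_window],
                }
                break   # one escalation per host is enough for an analyst queue
    return incidents


def run(events=RAW_EVENTS):
    """Full pipeline: parse, tune, correlate.  Returns (incidents, dropped count)."""
    kept, dropped = tune(parse(events))
    return correlate(kept), dropped


if __name__ == "__main__":
    incidents, dropped = run()
    print(f"suppressed {dropped} tuned-out alerts")
    for host, inc in incidents.items():
        print(host, inc["tools"], "latency", inc["latency"], inc["signatures"])
```

On this input the three scanner alerts are tuned out, 10.1.30.7 is escalated 30 seconds after its first kept event because the IDS and the host's authentication log agree, and 10.1.40.2 is never escalated: its two events are a day apart, outside the 30-minute window.  That second case is the dwell-time problem in miniature.  Widening the window catches the slower attacker but also correlates more unrelated noise, which is exactly the false-positive pressure that makes people stop reading the queue; the window and the tool threshold are the knobs that have to be revisited whenever the network changes.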

The PCI DSS is a good foundation, but the requirements of the PCI DSS are not going to get us to our goal.  We must go beyond the PCI DSS to get to our goal and that is a message that the PCI SSC and the card brands have consistently delivered.  The PCI DSS is only a security baseline, the ante into the game.  If you really want to be the best, you need to take your security game beyond the PCI DSS.

So let us start using the PCI DSS properly.  If your organization can execute the requirements of the PCI DSS 24x7x365 at almost 100% compliance, then you are ready to take things to the next level. 

If you cannot achieve almost 100% compliance, then you need to work with your organization to get to that level.  Breaches and data loss are never going to go away, but if all organizations followed this approach, the number of breaches and amount of data lost would significantly drop.

Cross-posted from PCI Guru

Ian Tibble:

> "you do not need to know who is attacking you, you only need to focus on what you need to protect."

You don't need to know who, but you do need to know the nature of the beast. Read "Hackers" by Steven Levy. One of the reasons why CISOs equate adequate countermeasures with audit compliance is because they think hackers are the same as their in-house staff (i.e. "hacking" is running nessus against infrastructure).
Someone said recently "casual attack efforts grow at the rate of metasploit". This is the bottom end.

> "Verizon, Trustwave and Security Metrics that analyze attacks. We have security companies such as IBM/ISS, Symantec, Kaspersky and McAfee that analyze attacks. We have hardware/software vendors such as Checkpoint, Microsoft, Cisco and Palo Alto that analyze attacks. "

I wouldn't trust any external vendors, especially the names you mentioned, but you may be right in that these names form the lesser of two evils. Your own internal security staff ideally understand the complexities of your environment together with ops. But in reality this is never the case. So then the work needs to be outsourced.

> "If you are doing the correct analysis of your vulnerability scanning and penetration testing reports,"
Never equate vuln scanning or pen testing with knowing attack vectors. Tools are bad, and pen testing, as restricted as it usually is (and also delivered with poor quality as it usually is), is not exactly a waste of time but it is somewhere close to a waste of time. Even if pen testing conditions are ideal, there is a lot to learn about networks. A two-week engagement doesn't cut it. Not even close.

Knowing attack vectors comes back to knowing the nature of the beast, but if your internal staff never even log in to your boxes...you see where this is going. As Christofer Huff recently commented, "Platforms Bitches".

>"The bottom line is that the library of exploits available to an attacker is essentially finite"

Maybe not infinite but Huge (capital H).

>"This is proven out by the statistics that the forensic firms publish year after year. "
Those reports are better than nothing but they don't prove anything.


>"Yes, there is the rare Zero-Day that turns up every so often"
Rare, because usually attackers can re-use weak passwords or use well-known SQLis as a starting point, for example...low-hanging fruit.
Malware usage of zero days is not rare at all, but when firms don't even patch known issues (as we've seen in some recent incidents), a zero day isn't even needed. But they are out there, and in large numbers probably (given the economics of crimeware).

> "But, even those can be picked up if you have things configured and implemented properly."

yes, and this comes back to "platforms frakes" ..i.e. OS controls mostly. In terms of detection, we can use SIEM or something like it...but then we also have to know what to log. But the key is...we can prevent many attacks by making us harder to attack than the guy down the street, and we do this with OS and Dbase controls as a main factor. Patches and passwords don't always get us where we need to be.

>"So my second question is"..

Yes, I would also find it quite odd if I hear people asking questions about "why".

>Even with the necessary tools, you are not out of the woods. One of the more common problems that we encounter is that organizations have not completely implemented those tools.

Yes. Thing is, if we're talking tools like IDS and SIEM...the more we try to tune these things to do something useful, the more effort is required to configure and monitor - then we seem to be getting further away from where we need to be. I would venture that few of the real-world applications of this technology ever made sense as a business idea.


>"How many of you invested in the cool intrusion prevention system and still run it in notification mode? "
Or worse (or better) still, leave it powered off. Turning these things on can seem like awakening Frankenstein's monster to some. In reality though there's little that these things can really do for businesses.


>"Unfortunately, the statistics from the forensic firms point to the fact that, if an anomaly does get recognized, it is often many months to years down the road from the original compromise."

It's infinity in most cases. In most cases they would never have a clue at all. They only find out when a C&C node gets owned by the light side. But as to why this is...we have to generalise all the way back to skills at management and analyst level. Tough to fix...it's a 180-degree shift for the industry.

>"The PCI DSS is a good foundation, but the requirements of the PCI DSS are not going to get us to our goal."
I'm glad you finished up with this, and kind of pleased that there's more awareness of this issue these days.
