As the end of 2012 approaches, it’s that time of year to reflect upon the security events that shaped the infosec world. Many may label 2012 as the “Year of the Breach,” although that label could apply to any year (not just 2012); others may choose “Year of the Targeted Attack” or “Year of the Insider Threat,” or better yet “Year of the (continuous) Security Fail.” The security incidents that were disclosed most likely represent a small fraction of the overall incidents of 2012, many of which have not yet been discovered.
Regardless of which headline you choose, the magnitude of the disclosed breaches reinforces that, overall, defensive measures are still lacking. Not only are basic information security fundamentals being ignored, but more importantly, we are not learning from past mistakes. The opposition is gladly taking advantage of these shortcomings, and once again, 2012 showed that offense still wins the game.
So what did we learn from the high profile security incidents of 2012?
• Insider threats are still prevalent
• Spear phishing is the catalyst for many breaches
• Database security is still lacking
• Storage of sensitive information is not adequate
• Access control, monitoring, and segmentation for critical assets are deficient
Many of the security incidents of 2012 could have been mitigated, and some even fully prevented, if fundamental information security best practices had been reviewed and assessed, and the controls supporting each incident response phase had been fully vetted.
How can we aim to mark 2013 as “The Year of the D(efense)”? First and foremost, we must assess the security controls deployed within the organization and ensure that information security fundamentals are addressed. As you begin 2013, take the time to review your system boundary, validate the scope of the controls that are deployed, and determine whether they adequately monitor and protect your organization’s critical data and assets.
In order to provide a sustainable defense, we must think like the offense. In 2013, there is no doubt that the scope of incidents may change: more aggressive and focused attack vectors, escalating threats against mobile and bring-your-own devices, and a potential rise in insider breaches driven by an unstable economy. With this in mind, place yourself in the role of the attacker and validate your defensive scheme from that perspective.
It was apparent that a majority of the highly visible incidents in 2012 were triggered by the human factor. All of an organization’s investments in infrastructure, security controls, policies, and processes can be negated very quickly by a single user clicking an email attachment or link that appeared to be benign. Those in the security field know all too well that these initial actions can quickly become the catalyst for an APT or targeted attack. Does an increased presence of security training and user awareness combat this risk? While it certainly helps mitigate some of the potential risk, without an adequate assessment of security controls performed from the perspective of the host, an organization may be blind to its defensive shortcomings.
Why not take a sampling of users and hosts (representative of the various roles and areas within the organization) and think like an offensive-minded counterpart? If you were on offense, what methods could be used to access proprietary or sensitive data, and how could that information be moved outside the organization’s boundary? The same methodology should be followed for any public-facing assets. In order to design a sustainable defense, we must think like the offense. Have the essential information security fundamentals been addressed? Have we incorporated controls based on indicators from previous incidents?
In 2013, there is no doubt that incidents will continue to occur. Many will most likely resemble what has occurred in the past. For 2013, make it a goal to assess your defenses and measure them against the offense. While a stout defense may not be able to fully stop a potential incident from happening, at the very least our goal should be to strengthen our resilience for early identification and containment, before a potential incident becomes another statistic and headline for 2013.