December 05, 2012

The Defensive Security Strategy. What strategy?

Written by David Kennedy
If you are following the news, the most recent large-scale data breach is Nationwide Insurance: a reported 1.1 million social security numbers, driver's licenses, birth dates and more (Source). You may remember the South Carolina breach in October, affecting 3.6 million returns (). There are few details on the Nationwide breach at this point; however, looking at the analysis of the South Carolina breach, a massively exposed environment containing 3.6 million unencrypted returns was compromised. South Carolina's response was that encryption was just too expensive to add (that still defies reality for us). With the newly filed lawsuit against South Carolina, some information was released on the actual attack ():

1) The attackers used phishing campaigns which compromised a total of 44 systems.
2) 3.8 million taxpayers' information was compromised, including 699,900 businesses, 3.3 million bank accounts and 5,000 credit cards, and electronic returns were nabbed.

With the latest Nationwide breach, a significant number of applicants' personal information was compromised. There is little on the breach details; however, Nationwide apparently caught the breach the same day.

The question posed to businesses is why and how we are seeing these massive exposures continue to occur. We see the same types of attacks day in and day out against every organization, but the mentality in most businesses is that these types of attacks can't happen to us, we don't have any data that is valuable. The truth is that companies have a ton of sensitive information that we aren't protecting. The focus resides primarily on regulated data, and most specifically credit cards. I'm not saying that the Nationwide exposure was due to any of this, or that there was anything specific the company could have done to prevent it. Who knows how it happened and the sophistication it took. Let's look at how companies get breached today.
Here is the top 5 list of how 95 percent of companies are being breached today:

#1 Phishing - Targeted or not, sending believable emails has superseded SQL injection and web applications. Web apps are no longer the number one most attacked avenue; it's now the user.
#2 Malicious Websites - Even legitimate websites are being compromised left and right. Just by visiting a website your machine is compromised.
#3 Web Applications - SQL injection: 12 years old and still alive and kicking.
#4 External Perimeter - One of the most attacked avenues and a very likely point of entry for hackers.
#5 Misconfigurations - Default credentials like printer/printer are no longer cutting it for security. Default or weak passwords are still one of the easiest ways into a company.

So we know how we are going to get breached; what are we doing against it? Our defensive strategy of risk management is being blown out of the water. As sure as we sit here, you can be sure that a vulnerability management program existed, penetration tests were performed, critical exposures were identified, best practices were attempted, and yet we continue to see a large number of breaches (). Our focus on compliance, hypothetical situations and over-convoluted meetings has crippled the security industry's effectiveness. The good news is that the industry itself has matured over time and is on the right track to succeeding some day, just not anytime soon. If we focus on a few basic principles, just these few for the time being, you may see things become more challenging for attackers. Here are five principles; divert the entire security program to these specific tasks. Just these five and only these five.

#1 Protecting the Perimeter - Focus your efforts on baselining the external perimeter and what services are running. Lock these down, remove any egress filtering, and make this the highest security zone on earth. Go through your web applications inside and out, remove any ports that don't have to be there, and push forward on locking everything down.
#2 Protecting the Employees - A combination of education and awareness and strict employee controls is a necessity today. Your user population should not have free rein to go out over any protocol, service, or port to any destination. Focus HEAVY on egress filtering and allow services such as FTP *ONLY* as business-justified exceptions and only to specific destinations. Consider proxy chaining your user population out non-standard ports for Internet connections and disallowing 80/443. Monitor them heavily for deviations or strange behavior.
#3 Monitoring and Detection - Detection. Detection. Detection. If you can stop an attack in the early stages, guess what: you just saved your company millions.
#4 Communication - Communicate everything and make sure the entire company knows why you are doing things. Security is almost always the iron fist within the organization stopping something, rather than the communication wing explaining why security needs to be a business enhancement.
#5 Protecting What's Important - What is important? SSNs? Credit card numbers? Processes? Manufacturing data? The things that make your company special? Protect what is most important to your company. Encryption and limiting access in a lot of these cases would have been a plus.

Do these five things and be successful in security. If you don't, that's fine. Hackers will continue to rip through what we call "a defensive strategy". Right now we have none, but we can.
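One way to turn the egress rules under #2 into the detection called for under #3, as an added example that is not code from the original post: a deny-by-default egress policy is applied to constructed firewall log lines and every deviation is reported with a reason. The log format, the proxy address, the internal ranges and the approved FTP destination are all assumptions.

```python
# Added example, not from the original post. Checks firewall egress logs from
# user workstations against a deny-by-default policy: Internet access only via
# the proxy, FTP only to approved destinations, nothing else outbound.
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "src dst dport proto")

# Assumed policy values (constructed for this example).
USER_NET = ipaddress.ip_network("10.20.0.0/16")       # workstation range
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]       # never counts as egress
PROXY = ("10.1.1.10", 8080)                           # the only sanctioned web path
FTP_ALLOWED = {"203.0.113.7"}                         # business-justified exception

def parse_line(line):
    """Parse the assumed 'src=.. dst=.. dport=.. proto=..' log format."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Event(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])

def classify(ev):
    """Return None when the flow complies with the policy, else a reason."""
    if ipaddress.ip_address(ev.src) not in USER_NET:
        return None                       # servers are covered by other rules
    if any(ipaddress.ip_address(ev.dst) in net for net in INTERNAL):
        return None                       # internal traffic, including the proxy
    if ev.dport in (80, 443):
        return "direct web traffic bypassing proxy"
    if ev.dport == 21:
        return None if ev.dst in FTP_ALLOWED else "ftp to unapproved destination"
    return "unexpected outbound port"     # deny-by-default catches the rest

def find_deviations(lines):
    """Return [(line, reason)] for every log line that violates the policy."""
    flagged = []
    for line in lines:
        reason = classify(parse_line(line))
        if reason:
            flagged.append((line, reason))
    return flagged

# Constructed sample log: one sanctioned proxy flow, one approved FTP flow,
# one server flow, and three deviations a monitoring team should see.
SAMPLE_LOG = """\
src=10.20.4.5 dst=10.1.1.10 dport=8080 proto=tcp
src=10.20.4.5 dst=198.51.100.2 dport=443 proto=tcp
src=10.20.7.9 dst=203.0.113.7 dport=21 proto=tcp
src=10.20.7.9 dst=192.0.2.44 dport=21 proto=tcp
src=10.20.3.3 dst=192.0.2.9 dport=4444 proto=tcp
src=10.1.5.20 dst=192.0.2.9 dport=443 proto=tcp""".splitlines()

if __name__ == "__main__":
    for line, reason in find_deviations(SAMPLE_LOG):
        print(f"{reason}: {line}")
```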