Update: The Defensive Security Strategy
Original post: https://www.trustedsec.com/blog/the-defensive-security-strategy-what-strategy/
Massive exposures and attacks, such as recent SolarWinds and Exchange exploit issues, have been common news lately. While the security landscape has advanced and changed, these massive exposures are continuing to occur. The question is why, and how, are they occurring?
While common issues are often leveraged, the mentality around them is still often, “These types of attacks will not happen to us; our data is not valuable enough.” Even if your organization isn’t dealing with information typically regarded as critical (like financial or healthcare information), almost all companies have sensitive data about their customers, users, and employees that must be protected. This data includes employee Social Security numbers, client credit card numbers, and other personal information.
Some common vectors used in these attacks are:
- Phishing - Targeted or not, sending believable emails is one of the most common attack techniques. Instances where the user has superseded web applications is the number one attack method used.
- Malicious Websites - Common entry points for an attacker are malicious websites set up as watering holes or even compromised legitimate websites.
- Web Applications - SQL Injection is still one of the most traditional ways that companies are breached.
- External Perimeter - One of the highest attacked avenues—and a very likely point of entry for hackers due to critical or unknown exposed assets—is external perimeter. Lack of MFA is an common weakness here.
- Misconfigurations - Default or weak passwords are still some of the easiest ways to gain access to a company’s information. Misconfigured firewalls are also an easy way for an attacker to access data. Databases are often found in S3 buckets wide open to the internet.
What can be done to prevent a breach? Even when vulnerability management programs exist, penetration testing is performed, critical exposures are identified and remediated, and best practice security control are attempted to be implemented, breaches still persist. Organizations bound by various security compliance regulations are sometimes limited in what effective security controls have been implemented. Focusing on the following security principles can effectively assist an organization in hardening its environment.
- Protecting the Perimeter - Focus your efforts on baselining the external perimeter and asset management. Lock services down, implement egress filtering, and make this the highest security zone. Audit your web applications and shut down any unnecessary ports and services.
- Protecting the Employees - A combination of education and awareness and strict employee controls is a necessity today. Your user population should not have free reign to use any protocol, service, or port to any destination. Focus on egress filtering and allow higher-risk services such as FTP only in business-justified exceptions and only to specific destinations. Consider proxy chaining your user population to non-standard ports for Internet connections and disallow 80/443. Monitor them heavily for deviations or strange behavior.
- Monitoring and Detection - Be proactive, instead of reactive, in your security operation monitoring and detection. It isn’t if a breach will occur, but when it occurs. How you detect, deflect, and defend against an attack, especially in its early stages, may save your organization millions of dollars.
- Communication - Communicate everything and make sure the entire company knows the procedures and why they’re in place. Security is often viewed as the iron fist within the organization, but explaining security as a business enhancement helps to get buy-in from the management of the organization.
- Protecting What’s Important - Whether it’s Social Security numbers, credit card numbers, proprietary processes, or intellectual property, it’s vital to protect what’s most important to your company. Encryption and limiting access are major security controls to implement.