By Thomas J. Mowbray, author of Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions
For financial enterprises, cybersecurity is an evolving challenge that our institutions must manage successfully. As I discovered researching my new book on cybersecurity, there are at least two major disciplines within information technology (IT) security that must be reconciled.
- Policy-Driven IT Security focuses increasingly on risk assessment and risk management, guided by identifying the key targets and protection priorities. The gold standards of policy-driven IT security are the CISSP certification and the NIST Special Publications, e.g. NIST SP 800-53.
- Testing-Driven IT Security focuses on hands-on discovery, investigation, and mitigation of IT incidents and vulnerabilities. Payment Card Industry (PCI) penetration testing is a prime example of a testing-driven approach. The gold standards of the testing-driven discipline are hands-on cyber testing certifications (from organizations such as the SANS Institute and Offensive Security), as well as the Top 20 Critical Security Controls. In contrast to the policy-driven discipline, the testing-driven discipline is an anti-intellectual, hands-on approach, in the spirit of our earlier book about IT antipatterns. Antipatterns identify bad practices to be avoided and ways of mitigating them.
I have a working knowledge of both sides of IT security, but lean towards the testing-driven approach. Financial enterprises need to consider both perspectives: policy-driven to focus protections where they matter most, and testing-driven to implement the policies, provide general protections, and verify their effectiveness.
For example, the Top 20 Critical Security Controls is a consensus list of practical approaches to IT protection proposed by an international group of (what I call) testing-driven IT security experts. At the end of the Top 20 document is a list of cyber attack types, each traced to the controls that address it. These attack types are high-likelihood incidents based on real-world experience, and they should be factored into your IT defense plans.
Let’s use a few of these attack types to discuss common cyber antipatterns and what you can do about them in your organization.
Consider, for example, the attack: “Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them.” Most large enterprises own blocks of IP addresses in which the machines of their Internet de-militarized zone (DMZ) reside. Those address blocks are public information, published by the Internet registration authorities. Attackers are known to scan these ranges continually, anticipating that new systems will eventually come online.
It is possible that a new system suddenly appearing online is neither patched nor hardened. It might not even have malware defenses. For example, the new system could be a laptop or PC that is rarely used, with seriously out-of-date defenses. That system is then attacked with malware, and if the attack succeeds, the attacker has gained a foothold inside the enterprise's infrastructure. This happens often enough to make this attack strategy a serious threat to large enterprises. To find out what happens next, see the mini-antipattern Pivot from DMZ to Internal Systems. This attack can also occur on internal networks, launched from already compromised machines.
One mitigation is a mature system release process that does not allow vulnerable machines to be deployed on production networks. Patching, anti-malware updates, and testing should occur on test networks, and formal quality assurance and quality control processes should verify compliance before a system is released.
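The release-process control above is only as good as the enterprise's ability to notice when something appears in its public address block that never went through that process. The following is an added example, not code from the article or the author: it compares an observed scan of the DMZ block against an approved inventory and flags unknown hosts, unapproved exposed services, and inventoried hosts that did not show up at all. The address block, the inventory and the scan output are constructed for illustration; in practice the scan would come from a scheduled run of a tool such as nmap against the enterprise's own registered range, and the inventory from the release process or CMDB.

```python
"""Added example: detect new or unapproved systems in an enterprise's DMZ address block.

All data here is constructed for illustration and is not taken from the article.
"""
import ipaddress

# Constructed: the enterprise's public DMZ block (assumption: a single /27).
DMZ_BLOCK = ipaddress.ip_network("203.0.113.0/27")

# Constructed approved inventory: host -> set of ports the release process authorized.
APPROVED = {
    "203.0.113.10": {443},
    "203.0.113.11": {443},
    "203.0.113.12": {25, 587},
}

# Constructed scan result in a simplified "host port/proto state" form.
SCAN_OUTPUT = """\
203.0.113.10 443/tcp open
203.0.113.11 443/tcp open
203.0.113.11 22/tcp open
203.0.113.12 25/tcp open
203.0.113.12 587/tcp open
203.0.113.29 3389/tcp open
203.0.113.29 445/tcp open
"""


def parse_scan(text):
    """Return {host: set(open_ports)} from the simplified scan format above."""
    observed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, portproto, state = line.split()
        if state != "open":
            continue
        port = int(portproto.split("/")[0])
        observed.setdefault(host, set()).add(port)
    return observed


def find_exposures(observed, approved, block):
    """Classify findings so they map onto the antipattern in the text:
    - 'unknown_host': a host in our block that is not in the inventory
      (the 'new, unprotected system' attackers scan for)
    - 'unexpected_port': an inventoried host exposing a service nobody approved
    - 'missing_host': an inventoried host not seen at all (possible scan or
      monitoring failure, which deserves a look rather than silent acceptance)
    """
    findings = []
    for host, ports in sorted(observed.items()):
        if ipaddress.ip_address(host) not in block:
            continue  # outside the block this check is responsible for
        if host not in approved:
            findings.append(("unknown_host", host, sorted(ports)))
        else:
            extra = sorted(ports - approved[host])
            if extra:
                findings.append(("unexpected_port", host, extra))
    for host in sorted(set(approved) - set(observed)):
        findings.append(("missing_host", host, []))
    return findings


if __name__ == "__main__":
    for kind, host, ports in find_exposures(parse_scan(SCAN_OUTPUT), APPROVED, DMZ_BLOCK):
        print(f"{kind:16} {host:16} {ports}")
```

Run daily, the difference between two consecutive runs is the list of systems that "suddenly appeared"; an unknown host exposing 445 and 3389 in a DMZ is exactly the rarely used, unhardened machine the attack description anticipates.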
The cyber antipattern Unpatched Applications is a key source of vulnerabilities. Patches are software updates that many manufacturers release monthly on the second Tuesday of the month, called Patch Tuesday. Most enterprises do a reasonable job of keeping up with operating system patches, but many fall short with application patches. In principle, any software defect that an attacker can trigger is a potential vulnerability: at minimum it can crash the application, and many such defects can be exploited to gain system and network access. One mitigation is to deploy and manage an enterprise patch management product, available from major anti-malware vendors and specialty patch management vendors. Patches for key systems should be regression tested before deployment.
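The gap between operating-system and application patching is usually discovered by comparing an installed-software inventory against the minimum fixed versions named in vendor advisories. The following added example (not the article's code) does that comparison, and shows the pitfall that makes home-grown checks under-report: version strings compared as text put "2.4.9" after "2.4.10". The inventory, application names and minimum versions are constructed for illustration.

```python
"""Added example: find out-of-date applications by comparing versions numerically.

The inventory and minimum-version table are constructed and stand in for the
output of a patch management product and a vendor advisory feed respectively.
"""
import re


def parse_version(v):
    """Split '2.4.10' or '1.7.0_65' into a tuple of ints so comparison is numeric.
    Plain string comparison gets this wrong: '2.4.9' > '2.4.10' as text."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_outdated(installed, minimum):
    """True when the installed version is older than the minimum fixed version."""
    return parse_version(installed) < parse_version(minimum)


# Constructed minimum acceptable versions (hypothetical application names).
MINIMUM_VERSIONS = {
    "webserver": "2.4.10",
    "pdfreader": "11.0.9",
    "javaruntime": "1.7.0_65",
}

# Constructed inventory: (host, application, installed version).
INVENTORY = [
    ("dmz-web-01", "webserver", "2.4.9"),
    ("dmz-web-02", "webserver", "2.4.12"),
    ("wks-1042", "pdfreader", "11.0.9"),
    ("wks-1043", "pdfreader", "10.1.4"),
    ("wks-1043", "javaruntime", "1.7.0_55"),
]


def outdated_hosts(inventory, minimums):
    """Return [(host, app, installed, minimum)] for every out-of-date install.
    Applications with no known minimum are skipped rather than guessed at."""
    return [
        (host, app, ver, minimums[app])
        for host, app, ver in inventory
        if app in minimums and is_outdated(ver, minimums[app])
    ]


if __name__ == "__main__":
    for host, app, ver, need in outdated_hosts(INVENTORY, MINIMUM_VERSIONS):
        print(f"OUTDATED {host} {app} {ver} (need >= {need})")
```

The report is the input to the regression-test-then-deploy step the text calls for: each row names a host, the application to patch, and the version it must reach.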
In large finance organizations, it is best practice to perform log reviews several times per day. The cyber antipattern Lack of Logging and Weak Log Reviews arises because logging of system and security events is difficult to implement correctly and requires exceptional enterprise maturity to make proper use of the logged information. More typically, logging is implemented only on a subset of devices and services; log information is not fully centralized and exists in several formats; and logging services can fail without anyone noticing. This is especially true if the logs are not reviewed rigorously and regularly.
It is sometimes said that “all of the evidence is in the logs,” so in order to notice anomalous events in the enterprise, the logs must be inspected and unusual events investigated. Cyber investigation is a critical testing-driven cybersecurity capability. One essential skill set supporting cyber investigations is advanced log analysis: a set of techniques for analyzing large volumes of logs for anomalies.
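Two of the checks a log review should run are easy to automate and illustrate the points above: a source that has gone quiet (the logging failure the text says nobody notices) and a burst of failed logins from one address (a simple anomaly that the per-line view of a log hides). The following is an added example, not code from the article or the author; the syslog-style lines, hostnames and addresses are constructed for illustration, and the 30-minute silence threshold and 5-failures-per-minute threshold are assumptions to tune per environment.

```python
"""Added example: two checks over centralized log lines.

(1) log sources that have stopped sending events, and
(2) bursts of failed SSH logins from a single source address.
All log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
2013-11-04T09:00:01 dmz-web-01 sshd[1201]: Accepted publickey for deploy from 10.1.2.3 port 50122
2013-11-04T09:00:05 dmz-web-02 sshd[1312]: Accepted publickey for deploy from 10.1.2.3 port 50130
2013-11-04T09:05:00 dmz-fw-01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 DPT=23
2013-11-04T09:40:10 dmz-web-01 sshd[1299]: Failed password for root from 198.51.100.7 port 40111
2013-11-04T09:40:11 dmz-web-01 sshd[1299]: Failed password for root from 198.51.100.7 port 40112
2013-11-04T09:40:12 dmz-web-01 sshd[1299]: Failed password for admin from 198.51.100.7 port 40113
2013-11-04T09:40:13 dmz-web-01 sshd[1299]: Failed password for admin from 198.51.100.7 port 40114
2013-11-04T09:40:14 dmz-web-01 sshd[1299]: Failed password for oracle from 198.51.100.7 port 40115
2013-11-04T09:41:00 dmz-web-01 sshd[1305]: Failed password for jsmith from 10.1.2.9 port 50200
2013-11-04T10:00:00 dmz-web-01 cron[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# timestamp host program[pid]: message   (pid is optional, as for the kernel)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def parse(lines):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, prog, msg = m.groups()
            yield datetime.fromisoformat(ts), host, prog, msg


def silent_sources(events, now, max_gap):
    """Hosts whose most recent event is older than max_gap. Either the host is
    down or its logging/forwarding has failed; both need a human to look."""
    last_seen = {}
    for ts, host, _, _ in events:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


def failed_login_bursts(events, window, threshold):
    """Source IPs with at least `threshold` failed logins inside any sliding
    window of length `window`; value is the largest such count."""
    by_src = defaultdict(list)
    for ts, _, prog, msg in events:
        m = FAILED_RE.search(msg)
        if prog == "sshd" and m:
            by_src[m.group(2)].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def run_checks(log_text, now_iso, gap_minutes=30, window_seconds=60, threshold=5):
    """Run both checks over raw log text as of the given (ISO 8601) time."""
    events = list(parse(log_text))
    now = datetime.fromisoformat(now_iso)
    return (silent_sources(events, now, timedelta(minutes=gap_minutes)),
            failed_login_bursts(events, timedelta(seconds=window_seconds), threshold))


if __name__ == "__main__":
    silent, bursts = run_checks(LOG_LINES, "2013-11-04T10:00:00")
    print("silent sources:", silent)
    print("failed-login bursts:", bursts)
```

Note that the firewall's earlier DROP from the same address as the later password-guessing burst is only visible because both sources land in one place; with logs scattered across devices in different formats, neither check can be written at all.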
Implementing a network monitoring and cyber investigations process may lead you to a startling revelation. On my network, I quickly discovered that Internet user-tracking firms were exfiltrating detailed information about my end users' systems and applications, as well as user data from open web pages. There are thousands of firms performing user tracking. As they surfed the web, each end user was beaconing dozens of times per day to third-party servers, mostly on HTTP port 80, i.e. indistinguishable from ordinary outgoing web traffic. Web beaconing can be curtailed with techniques such as website blacklisting.
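Beacons share port and protocol with ordinary browsing, but not its timing: a tracker or implant checks in at a fixed interval, while a person clicks at irregular ones. The following added example (not the article's code) applies that idea to outbound proxy logs, flagging client/destination pairs whose inter-connection gaps are nearly constant, and then shows which of the flagged destinations a domain blacklist would have stopped. The log lines, client address and destination names are constructed for illustration (example.org and example.net are reserved documentation names), and the thresholds of five hits and 10% timing jitter are assumptions.

```python
"""Added example: detect periodic beaconing in outbound web-proxy logs.

The proxy log below is constructed; the format is 'timestamp client method URL status'.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

PROXY_LOG = """\
2013-11-04T09:00:00 10.1.5.21 GET http://www.example.org/news 200
2013-11-04T09:00:00 10.1.5.21 GET http://tracker.example.net/b.gif?u=8831 200
2013-11-04T09:03:00 10.1.5.21 GET http://tracker.example.net/b.gif?u=8831 200
2013-11-04T09:06:01 10.1.5.21 GET http://tracker.example.net/b.gif?u=8831 200
2013-11-04T09:09:00 10.1.5.21 GET http://tracker.example.net/b.gif?u=8831 200
2013-11-04T09:11:59 10.1.5.21 GET http://tracker.example.net/b.gif?u=8831 200
2013-11-04T09:15:00 10.1.5.21 GET http://tracker.example.net/b.gif?u=8831 200
2013-11-04T09:01:10 10.1.5.21 GET http://www.example.org/article/17 200
2013-11-04T09:07:45 10.1.5.21 GET http://www.example.org/article/42 200
2013-11-04T09:14:02 10.1.5.21 GET http://www.example.org/article/99 200
2013-11-04T09:20:30 10.1.5.21 GET http://www.example.org/article/3 200
2013-11-04T09:30:30 10.1.5.21 GET http://www.example.org/article/50 200
2013-11-04T09:33:00 10.1.5.21 GET http://www.example.org/article/51 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def parse_proxy(text):
    """Return {(client, destination_host): [timestamps]} from the constructed format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = HOST_RE.match(url).group(1)
        conns[(client, host)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(conns, min_hits=5, max_jitter=0.1):
    """A pair is a beacon candidate when it has at least min_hits connections and
    the gaps between them are regular: coefficient of variation (population
    stdev / mean) below max_jitter. Returns {(client, host): period_seconds}."""
    beacons = {}
    for (client, host), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            beacons[(client, host)] = round(mean)
    return beacons


def blocked_by(beacons, blocklist):
    """Beacon destinations that a domain blacklist would deny at the proxy."""
    return sorted({host for (_, host) in beacons if host in blocklist})


if __name__ == "__main__":
    beacons = find_beacons(parse_proxy(PROXY_LOG))
    for (client, host), period in beacons.items():
        print(f"{client} -> {host} every ~{period}s")
    print("would be blocked:", blocked_by(beacons, {"tracker.example.net"}))
```

In the constructed data the tracker is fetched every 180 seconds give or take a second, while the same user's news reading has gaps from 70 to 600 seconds, so only the tracker is flagged. The same periodicity test catches malware command-and-control check-ins, which is why the author's tracking discovery and the DMZ pivot discussed earlier are found with one process.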
Best practices for defending financial enterprises are readily available in books and online publications, but implementation is often a complex multi-year proposition. Cyber incidents are an important opportunity to expedite cyber maturity and focus the enterprise on critical cybersecurity investments.
Thomas Mowbray, PhD, SANS GPEN, Chief Enterprise Architect, The Ohio State University
About the author
Thomas Mowbray holds gold-level certification from the SANS Institute in network penetration testing and ethical hacking. Dr. Mowbray, who has earned a doctorate in computer science, has co-authored five other professional books, including Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions and Antipatterns: Refactoring Software, Architectures, and Projects in Crisis. After founding the Northrop Grumman Cyber Warfare Community of Practice, Dr. Mowbray joined the Certification and Accreditation Team (an elite cybersecurity test group) as its network administrator, security tools customizer, and hands-on penetration tester. At the time of writing, Dr. Mowbray is the Chief Enterprise Architect of The Ohio State University.
For More Information
Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions, by Thomas J. Mowbray. November 2013, Paperback and E-book.
Antipatterns: Refactoring Software, Architectures, and Projects in Crisis, by William J. Brown, Raphael C. Malveau, Hays W. “Skip” McCormick, and Thomas J. Mowbray. April 1998, Paperback.