Wednesday, June 15, 2011
Information Security thawt leader... Thoughts
With all the breaches we have been reading about, it must make us InfoSec professionals stop and ask whether we can really secure our environments any longer.
Today we must take the posture that it is not a matter of if, but when our systems will be compromised. IMF, Sony, Sony, Sony, Sony.., Gawker, Citibank, the Senate, and many others have had breaches that made the press. What about the ones that have not? Or worse, the ones that don't know yet...
APT... A dumb term, since all serious threats are generally advanced and nobody breaks in without being persistent, so it is nothing more than a Targeted Attack (TA). Can we call it what it is? You have been targeted and you are under attack, by a serious pro.
If the ne'er-do-wells are, ahem... persistent, they will get in whenever the time your protections hold does not exceed the time it takes you to detect and respond (P > D + R, as you might recall from the Time Based Security that Winn Schwartau has touted for years). Yes, we have to build the ability to detect attacks, or, for those who feel log management is just a pain in the ass, at least the ability to respond, eradicate and recover from incidents quickly.
Understand what to protect. Do you have data on workstations? Why? Can you re-image a system within 30 minutes? Why not? If we minimize the number of systems we must protect, we can detect and respond much faster.
Recently a person I know got malware on her computer; the tech scanned and cleaned, scanned and cleaned, and two days later she was still down. I told her to just re-image the system, it would be faster than trying to scan and clean, not to mention that if you are a local Windows administrator the malware can embed itself and be missed by all the anti-virus engines. Well, her system was in need of an upgrade, so they upgraded her to a new PC.. A week later she was functioning again... as an administrator.. Gee, that malware won't happen again, it's Windows 7, minus some data that was local and still needs to be salvaged.
What can we learn from this typical IT scenario? Re-imaging is far faster than having an IT person scan today's huge hard drives, with all the bloatware installed and every signature the AV must crank through, on older hardware that is sloooow. Recovery would have been faster too. We as InfoSec pros need to convince our IT staff to fingerprint systems properly and make re-imaging a priority, so when something nefarious occurs we re-image the system and move on, which is far faster and easier than trying to figure out what was infected, when and where. You can always take a disk image first if you want to do in-depth forensics after the fact; once the box is re-imaged, that evidence is gone.
Why re-image? For starters, it guarantees the workstation starts from a known-good build, provided the image itself is clean and the user data you restore is not what carried the infection in. Re-imaging also helps your IT staff refine their build and recovery process, good for DR and good for Time Based Security. Re-imaging also takes the discussion away from everyone asking "What do you want me to do with this PC, Mr. Security Dude?"... By getting IT focused on keeping the business going, we InfoSec pros can focus on other issues, like protecting the systems where the data lives, the servers.
I know, you are asking why user systems get infected.. Well, I think that is obvious: URLs in emails and surfing the Internet, it is simple really. Management can't get to the point of restricting all users all the time; the InterWebbings have become an entitlement to employees these days, and besides, malware also comes from legitimate websites and you can't block all websites.
Servers can be re-imaged as well. Virtual machines give you snapshots after you build or upgrade a system, so when something suspicious happens IT can revert to a snapshot (keep a copy of the suspect snapshot before you revert, for the same forensic reason as above). If you fingerprint your systems, something you REALLY should do (the services/daemons, app versions, etc. that are loaded on each system), then you can reload an OS, restore a tape or disk image, compare the result against the fingerprint, and point it at the data and the other app servers.
The data and users should be easy to point at because the developers created modular code that gives you that flexibility (I know, slap me), and then in theory you could re-image and recover fairly quickly. Great practice for DR too.. Refine, refine, refine... Cleaning some rootkits and malware will probably take longer than a re-image, or at least your re-imaging should be faster than performing an investigation, analysis and forensics... Get the business back up and running and ask questions later, analyzing the snapshots or disk images you kept. Do I really need to say patch and harden in the process?
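The fingerprinting the two paragraphs above keep coming back to (services/daemons and app versions captured from a known-good build, then compared after a rebuild or when a box looks suspicious) is simple enough to script. What follows is an added example written for this page, not code from the original post or any tool it names: it parses constructed `ss -lntp`-style listener lines and `dpkg-query -W`-style package lines (the format and the sample hosts are assumptions), stores the baseline as JSON, and reports every drift between baseline and a later capture. In the constructed data the later capture has grown a netcat listener on 4444, which is exactly the kind of thing a re-image decision should be made on.

```python
"""Host fingerprint baseline and drift check.

Added example, not code from the original post: capture the listening
services and installed package versions of a known-good build, keep that
as the fingerprint, and diff a later capture against it.
"""
import json
import re
from typing import Dict, List

# Constructed sample captures (assumed output format of `ss -lntp` and
# `dpkg-query -W -f='${Package} ${Version}\n'`); not real systems.
BASELINE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=930,fd=5))
"""
LATER_SS = BASELINE_SS + 'LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2207,fd=3))\n'
BASELINE_PKGS = "openssh-server 1:8.2p1\nnginx 1.18.0\npostgresql-12 12.9\n"
LATER_PKGS = BASELINE_PKGS + "netcat-openbsd 1.206\n"

# Pulls local address, port and owning process name out of a LISTEN line.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_output: str) -> Dict[str, str]:
    """Map 'addr:port' -> process name for every LISTEN line."""
    listeners: Dict[str, str] = {}
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, proc = m.groups()
            listeners[f"{addr}:{port}"] = proc
    return listeners


def parse_packages(pkg_output: str) -> Dict[str, str]:
    """Map package name -> version from 'name version' lines."""
    pkgs: Dict[str, str] = {}
    for line in pkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def fingerprint(ss_output: str, pkg_output: str) -> dict:
    """The fingerprint is just the two maps; both are cheap to capture."""
    return {"listeners": parse_listeners(ss_output),
            "packages": parse_packages(pkg_output)}


def to_json(fp: dict) -> str:
    """Serialise a fingerprint so it can be stored with the build image."""
    return json.dumps(fp, sort_keys=True, indent=1)


def from_json(text: str) -> dict:
    return json.loads(text)


def drift(baseline: dict, current: dict) -> List[str]:
    """Everything that differs, in a fixed order: listeners then packages."""
    findings: List[str] = []
    b_l, c_l = baseline["listeners"], current["listeners"]
    for key, proc in c_l.items():
        if key not in b_l:
            findings.append(f"new listener {key} ({proc})")
        elif b_l[key] != proc:
            findings.append(f"listener {key} now owned by {proc}, was {b_l[key]}")
    for key in b_l:
        if key not in c_l:
            findings.append(f"listener {key} gone")
    b_p, c_p = baseline["packages"], current["packages"]
    for pkg, ver in c_p.items():
        if pkg not in b_p:
            findings.append(f"new package {pkg} {ver}")
        elif b_p[pkg] != ver:
            findings.append(f"package {pkg} changed {b_p[pkg]} -> {ver}")
    for pkg in b_p:
        if pkg not in c_p:
            findings.append(f"package {pkg} removed")
    return findings


if __name__ == "__main__":
    base = fingerprint(BASELINE_SS, BASELINE_PKGS)
    stored = to_json(base)                      # what you keep with the image
    now = fingerprint(LATER_SS, LATER_PKGS)     # what the box looks like today
    for finding in drift(from_json(stored), now):
        print(finding)
```

On a real host the two captures come from `ss -lntp` and the package manager (or `Get-Service` and `Get-Package` on Windows, with the regexes adjusted); the point is that the baseline is taken from the clean image, so any drift is a reason to re-image rather than to start cleaning.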
If Sony had done this, then the PlayStation Network could have been restored quickly, but the hackers clearly ruined the environment beyond repair.. Not a good thing, and it clearly shows poor processes and a terrible state of DR.
DR practices may seem like a thing of our predecessors, but re-imaging or rebuilding a system, and the process to do so, needs to be refined to be as fast as possible so that we InfoSec pros and our IT staff can quickly recover and minimize the impact of being p0wned by the true hacking pros.
Segmentation is another thing that seems to have gone by the wayside.. What the heck are we doing allowing everyone to see everything? It sure makes the hackers' job a cakewalk. Users only need to see the systems they use, that's it, not every other workstation, telco system, backup system, admin system, management system and server they will never access....
It is time to create bubbles of services: lock each bubble down to only the services and ports it needs, grant access only to the user systems that need it, and block all egress to ports and IPs that are not needed. Monitor this and you will know when something nefarious is occurring: 'new port detected', 'disallowed IP attempted', hmm, that's odd. The default-deny rule is what makes the monitoring cheap; anything that hits it is, by definition, traffic you never expected.
We need to do more with less these days, and these two items, fast re-imaging and segmentation, don't cost hard $$$ and can be accomplished with existing staff and some dedication.
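The bubble policy and the 'new port' / 'disallowed IP' monitoring described above, as an added example that is not from the original post. The addressing, the three bubbles (web, db, mgmt), the single proxy host allowed to egress, and the flow-log format are all assumptions made for the example; the flows it reviews are constructed. The same policy table would drive the firewall rules and the alerting, so a flow that the rules drop is also a flow the script names.

```python
"""Service bubbles: default-deny segmentation policy plus egress monitoring.

Added example, not the original post's code. Addresses, bubbles, the proxy
host and the log line format are assumptions.
"""
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class Bubble(NamedTuple):
    name: str
    servers: ipaddress.IPv4Network   # the service's own subnet
    ports: frozenset                 # ports the service is allowed to expose
    clients: tuple                   # networks allowed to reach those ports


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed policy: users reach the web tier only, the web tier reaches the
# database only, and only the admin jump subnet reaches management ports.
BUBBLES = [
    Bubble("web",  net("10.1.10.0/24"), frozenset({443}),      (net("10.0.0.0/8"),)),
    Bubble("db",   net("10.1.20.0/24"), frozenset({5432}),     (net("10.1.10.0/24"),)),
    Bubble("mgmt", net("10.1.99.0/24"), frozenset({22, 3389}), (net("10.1.50.0/24"),)),
]
INTERNAL = net("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.1.5.200")   # assumed: the only host that may egress
EGRESS_PORTS = frozenset({80, 443})


def classify(src: str, dst: str, dport: int) -> str:
    """Apply the policy to one flow and say why it is allowed or not."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in INTERNAL:
        # Everything leaving the network goes through the proxy or not at all.
        if s == PROXY and dport in EGRESS_PORTS:
            return "allow"
        return "blocked egress"
    for b in BUBBLES:
        if d in b.servers:
            if not any(s in c for c in b.clients):
                return f"disallowed IP attempted ({b.name})"
            if dport not in b.ports:
                return f"new port detected ({b.name}:{dport})"
            return "allow"
    # Internal destination that belongs to no bubble (another workstation,
    # a telco box, a backup system): nobody should be talking to it directly.
    return "disallowed IP attempted (unsegmented destination)"


# Constructed flow records in an assumed key=value firewall log format.
SAMPLE_LOG = [
    "2011-06-15T10:01:02 src=10.2.3.4 dst=10.1.10.5 dport=443 proto=tcp",    # user -> web
    "2011-06-15T10:01:03 src=10.1.10.5 dst=10.1.20.8 dport=5432 proto=tcp",  # web -> db
    "2011-06-15T10:01:09 src=10.2.3.4 dst=10.1.20.8 dport=5432 proto=tcp",   # user straight to db
    "2011-06-15T10:02:11 src=10.2.3.4 dst=10.1.10.5 dport=4444 proto=tcp",   # web box grew a port
    "2011-06-15T10:02:40 src=10.1.20.8 dst=203.0.113.9 dport=443 proto=tcp", # db server phoning out
    "2011-06-15T10:02:41 src=10.1.5.200 dst=203.0.113.9 dport=443 proto=tcp",# proxy egress
    "2011-06-15T10:03:00 src=10.2.3.4 dst=10.2.3.9 dport=445 proto=tcp",     # workstation to workstation
]
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def review(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (flow, verdict) for every logged flow the policy does not allow."""
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        verdict = classify(src, dst, dport)
        if verdict != "allow":
            flagged.append((f"{src}->{dst}:{dport}", verdict))
    return flagged


if __name__ == "__main__":
    for flow, verdict in review(SAMPLE_LOG):
        print(f"{verdict:45s} {flow}")
```

Four of the seven constructed flows get flagged: a user going straight to the database, a fresh port on a web server, a database server reaching the Internet on its own, and one workstation talking SMB to another. None of those needs a signature to spot; they only need the allowlist written down.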