Guest Column | December 8, 2015

Implementing Cybersecurity: 5 Keys To Success

By Christopher Camejo, Director of Threat and Vulnerability Analysis, NTT Com Security

When it comes to cybersecurity, IT management in most organizations has heard it all from executives and bean counters — from “no need to worry about it,” and “too expensive” all the way to an unachievable “eliminate every vulnerability.” These attitudes create a budgetary and priority climate that increases the risk of an information security breach, by either failing to provide adequate resources for this important task, unnecessarily expending resources that would be more effective elsewhere, or by not commanding the board-level or senior management-level attention that will empower the IT and security teams to choose the most appropriate actions to support all the organization’s goals, including reducing risks to long-term profitability.

But there is hope — some companies are moving forward with sensible plans that align security measures with real business objectives. These efforts serve as good models for more companies to balance two conflicting objectives: on the one hand, restricting access to information and software to avoid the crippling consequences of a security breach, and on the other, providing extensive access and tools across a distributed workforce so that the firm can quickly and easily make plans and decisions, thereby taking advantage of new business opportunities.

The details of the best security plan for each business vary, but based on extensive research in this area, we’ve found that there are common themes — keys to success — that apply to every organization. These five keys can provide a framework for formulating and implementing an appropriate security infrastructure to meet your specific organizational needs.

The five keys to success are:

  1. Network Segmentation. Networks should have internal perimeters that align with their functional areas, and reflect the data sensitivity and access requirements for those areas.

Many breaches originate in one segment of the network, where the attackers find an exposed vulnerability for the easiest entry, then propagate to other unrelated segments of the network as the attack progresses. Without internal perimeters, attackers are able to use the easiest entry they can find to then access areas that are much more protected from direct outside attacks.

It is essential to implement a hierarchical network infrastructure whereby different network areas can enforce unique data and access requirements, and to ensure that data flowing between segments is appropriately scrutinized. For example, employees in a call center environment should not need access to development environments, so this activity should be restricted via access control lists (ACLs) and administrative segregation of functions between environments.

In addition to network segmentation, organizations must ensure that system administration functions are conducted from specific subnets and segregated networks. This allows more granular control over who may perform administrative activities, and over which network segments those activities may originate from. Administrators are a favorite target of attackers because of the level of access their accounts can provide.
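The two rules above (an explicit allow-list between segments, and administrative protocols accepted only from a dedicated admin subnet) can be expressed as policy-as-code and checked against flow records before they are turned into firewall or ACL rules. The following is an added example and not code from the column or from NTT Com Security; the segment names, address ranges, port set, and flow records are all constructed for illustration, and the default for any unlisted flow is deny.

```python
"""Segmentation policy check over constructed flow records (added example).

Models internal perimeters as named segments with an allow-list of
segment-to-segment flows, plus the rule that administrative protocols
(SSH, RDP, WinRM) are only accepted from the admin subnet.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment map: each internal perimeter gets its own address range.
SEGMENTS = {
    "callcenter": ip_network("10.10.0.0/16"),
    "dev":        ip_network("10.20.0.0/16"),
    "admin":      ip_network("10.250.0.0/24"),   # segregated admin/jump subnet
    "dmz":        ip_network("192.0.2.0/24"),     # documentation range, stands in for a DMZ
}

# Destination ports treated as "administration".
ADMIN_PORTS = {22, 3389, 5985, 5986}

# Allow-list of (source segment, destination segment, destination port).
# "*" matches anything; whatever is not listed is denied by default.
ALLOW = {
    ("callcenter", "dmz", 443),   # call center only needs the customer-facing web tier
    ("dev", "dmz", 443),
    ("dev", "dev", "*"),          # development talks freely within its own segment
    ("admin", "*", "*"),          # admin subnet may reach everything
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(addr: str) -> str:
    """Map an address to its segment name, or 'unknown' if unmapped."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the policy above."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == "unknown" or dst_seg == "unknown":
        return "deny", f"unmapped address in {flow.src}->{flow.dst}"
    # Administrative protocols must originate from the admin subnet, regardless
    # of any other allow-list entry.
    if flow.dport in ADMIN_PORTS and src_seg != "admin":
        return "deny", f"admin port {flow.dport} from non-admin segment {src_seg}"
    for s, d, p in ALLOW:
        if s in (src_seg, "*") and d in (dst_seg, "*") and p in (flow.dport, "*"):
            return "allow", f"{src_seg}->{dst_seg}:{flow.dport} matches allow-list"
    return "deny", f"{src_seg}->{dst_seg}:{flow.dport} not in allow-list"


# Constructed flows to audit.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "192.0.2.10", 443),   # call center -> DMZ web: allowed
    Flow("10.10.4.7", "10.20.1.5", 22),     # call center SSH into dev: denied (admin port)
    Flow("10.10.4.7", "10.20.1.5", 8080),   # call center -> dev app: denied (no rule)
    Flow("10.250.0.9", "10.20.1.5", 22),    # admin subnet SSH into dev: allowed
    Flow("10.20.1.5", "10.20.1.9", 5432),   # dev -> dev database: allowed
]


def audit(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {f.src}->{f.dst}:{f.dport}  {reason}")
```

Running the audit against captured NetFlow or firewall-log pairs, rather than the constructed list, shows which existing traffic a proposed segmentation would break before the ACLs are deployed; the admin-port rule is checked before the allow-list so that no segment-level entry can accidentally re-open administrative access.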

  2. Malware Detection And Prevention. Signature-based antivirus solutions are an essential first-line defense but are not sufficient to stop real-world malware threats on their own. Organizations must also consider monitoring network and email traffic for behavioral signs of malicious activity.

Based on an analysis of the past few years, we estimate that signature-based antivirus solutions catch only 46 percent of the viruses in the wild. This is very important, because malware is often used as an initial attack capability to penetrate a network, leveraging a combination of both technical and human vulnerabilities. Additionally, malware often disables antivirus solutions to help increase its survivability.

Organizations should consider implementing technologies which also scrutinize network and email traffic for signs of malicious activity related to malware. Including multiple points of detection and visibility, for example by investing in both host-based and network-based detection and quarantine capabilities, greatly increases the chances that an intrusion will be detected.

Of course, to be even 46 percent effective, an antivirus solution must be installed on servers and end points, must be regularly updated, and must employ constant scanning. Many of our incident response engagements reveal systems and end points with outdated or no antivirus software installed. This leads to the third key:

  3. Patching And Configuration Management. Organizations must extend their attention beyond central resources and protect every distributed device that could give an attacker access to the network.

Most breaches analyzed by NTT Group in 2014 included the compromise of systems that were missing security patches or did not have common security configuration hardening applied. In 2014, 76 percent of unpatched vulnerabilities with available patches were more than two years old — and almost 9 percent were more than 10 years old. Malicious attackers seek out systems with unpatched vulnerabilities as a means of gaining an initial foothold into a system or network.

Configuration and patch management are not new concepts, but they are something most organizations are still doing poorly. Many organizations place attention on patching critical and public-facing servers; however, most attacks today are focused on end-user and third-party applications, exploiting desktop software like document viewers, Web browsers, and their plug-ins, which many organizations patch less frequently. Implementing an active, aggressive patch management program can greatly reduce the risk of these common vulnerabilities.
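The patch-age figures quoted above (the share of unpatched vulnerabilities whose fix has been available for more than two or ten years) are a metric a patch program can compute from its own inventory, and the same data can drive a work queue that puts end-user applications ahead of already well-tended servers. The following is an added example and not code from the column or from NTT; the hosts, software names, and patch release dates are constructed, and the "as of" date is the column's publication date chosen only to make the ages concrete.

```python
"""Patch-age report and prioritization over a constructed inventory (added example).

Each finding records a host, the affected software, whether it is an
end-user application or a server component, and the date the vendor's
fix became available. The report reproduces the two-year and ten-year
buckets the column cites; the prioritizer orders work so that end-user
and third-party applications are handled first, oldest patch first.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    kind: str             # "endpoint-app" or "server"
    patch_released: date  # date the fix became available from the vendor


# Constructed findings; hosts and dates are hypothetical.
FINDINGS = [
    Finding("ws-041", "document viewer", "endpoint-app", date(2012, 3, 1)),
    Finding("ws-041", "browser plug-in", "endpoint-app", date(2014, 9, 15)),
    Finding("ws-112", "web browser", "endpoint-app", date(2015, 10, 2)),
    Finding("srv-web-1", "http server", "server", date(2005, 6, 1)),
    Finding("srv-db-2", "database", "server", date(2013, 1, 20)),
]

AS_OF = date(2015, 12, 8)  # reference date for age calculations


def patch_age_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days since the fix became available (how long the window has been open)."""
    return (as_of - f.patch_released).days


def age_report(findings: list[Finding], as_of: date = AS_OF) -> dict[str, int]:
    """Share of findings whose available patch is older than 2 and 10 years."""
    ages = [patch_age_days(f, as_of) for f in findings]
    total = len(ages)
    over_2y = sum(1 for a in ages if a > 2 * 365)
    over_10y = sum(1 for a in ages if a > 10 * 365)
    return {
        "total": total,
        "over_2y_pct": round(100 * over_2y / total) if total else 0,
        "over_10y_pct": round(100 * over_10y / total) if total else 0,
    }


def prioritize(findings: list[Finding], as_of: date = AS_OF) -> list[Finding]:
    """End-user applications first, then by longest-open patch window."""
    return sorted(findings, key=lambda f: (f.kind != "endpoint-app", -patch_age_days(f, as_of)))


if __name__ == "__main__":
    print(age_report(FINDINGS))
    for f in prioritize(FINDINGS):
        print(f"{f.host:10} {f.kind:13} {f.software:16} {patch_age_days(f)} days")
```

In practice the findings come from a vulnerability scanner export, and the report is tracked over time: a falling "over two years" percentage is direct evidence that the patch program is reaching the desktop software the column singles out.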

  4. Monitoring. A determined attacker can usually breach a network’s perimeter, so detection and immediate action are essential. Only an ongoing monitoring program covering system communications can detect anomalous activities that can indicate an ongoing breach.

Some of the breaches analyzed by NTT Group in 2014 had been in progress for months or longer, discovered well after the initial compromise and after data had already been lost. Attackers often conduct a patient attack campaign, extending their initial access to increase their control through the victim’s environment while avoiding detection. Some of these breaches had even been reported by anti-malware and intrusion detection systems (IDS) but either went unnoticed by security personnel or were treated as false-positive alerts and ignored.

To be effective, monitoring must include not only system logs and alerts, but also ongoing behavioral analysis that can detect anomalous activity in an environment. For example, if systems which had never communicated before are suddenly exchanging large amounts of information, that could be an indicator of a breach. Security engineers can help your organization identify the logs, devices and systems which provide the most value and context. Consider logging at both the network layer and the application layer. In cooperation with a security engineer, consider logging externally facing intrusion detection and prevention systems (IDS/IPS), firewalls, and Web application firewalls (WAFs), but also directory services, antivirus, file integrity monitoring, databases, Web applications, proxies, and data loss prevention (DLP). Outbound traffic is often overlooked but can provide a key indicator of a breach, as the goal of most attackers is to exfiltrate data from a compromised network.
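The behavioral check described above (hosts that never talked before suddenly exchanging large volumes, and large outbound transfers) can be built from daily per-pair byte totals that most flow collectors already produce. The following is an added example and not code from the column or from NTT; the history, the "today" records, the internal address ranges, and the byte thresholds are all constructed for illustration, and the external address is a documentation-range address standing in for an Internet host.

```python
"""Baseline-and-deviation check over constructed flow summaries (added example).

Learns which (source, destination) pairs normally communicate and how much,
then flags: (1) pairs never seen before that are moving a large volume,
(2) known pairs whose volume jumps well above their own history, and
(3) large outbound transfers to addresses outside the internal ranges.
"""
from __future__ import annotations
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed thresholds; a real deployment tunes these per environment.
NEW_PAIR_MIN_BYTES = 50_000_000     # an unseen pair moving >= 50 MB/day is worth a look
OUTBOUND_MAX_BYTES = 200_000_000    # >= 200 MB/day to one external host
SPIKE_SIGMAS = 3.0                  # known pair exceeding mean + 3 sigma
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed history: daily byte totals per (src, dst) over several days.
HISTORY = [
    ("10.20.1.5", "10.20.1.9", 120_000_000), ("10.20.1.5", "10.20.1.9", 130_000_000),
    ("10.20.1.5", "10.20.1.9", 110_000_000), ("10.20.1.5", "10.20.1.9", 125_000_000),
    ("10.10.4.7", "192.0.2.10", 2_000_000),  ("10.10.4.7", "192.0.2.10", 2_500_000),
    ("10.10.4.7", "192.0.2.10", 1_800_000),  ("10.10.4.7", "192.0.2.10", 2_200_000),
]

# Constructed "today": normal traffic plus two things that should stand out.
TODAY = [
    ("10.20.1.5", "10.20.1.9", 128_000_000),      # normal dev-to-dev volume
    ("10.10.4.7", "192.0.2.10", 2_100_000),       # normal call-center web use
    ("10.10.4.7", "10.20.1.5", 80_000_000),       # call-center host never talked to dev before
    ("10.20.1.5", "198.51.100.23", 350_000_000),  # large push to an external address
]


def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def build_baseline(history):
    """Per-pair (mean, population stddev) of daily bytes."""
    per_pair = defaultdict(list)
    for src, dst, nbytes in history:
        per_pair[(src, dst)].append(nbytes)
    return {pair: (mean(v), pstdev(v)) for pair, v in per_pair.items()}


def find_anomalies(baseline, today):
    """Return (kind, src, dst, bytes) findings for today's records."""
    findings = []
    for src, dst, nbytes in today:
        pair = (src, dst)
        if pair not in baseline:
            if nbytes >= NEW_PAIR_MIN_BYTES:
                findings.append(("new-pair", src, dst, nbytes))
        else:
            mu, sigma = baseline[pair]
            # Floor sigma at 5% of the mean so a flat history still needs a real jump.
            sigma = max(sigma, 0.05 * mu)
            if nbytes > mu + SPIKE_SIGMAS * sigma:
                findings.append(("volume-spike", src, dst, nbytes))
        # Outbound volume is checked independently of the pair history.
        if is_external(dst) and nbytes >= OUTBOUND_MAX_BYTES:
            findings.append(("outbound-volume", src, dst, nbytes))
    return findings


if __name__ == "__main__":
    for kind, src, dst, nbytes in find_anomalies(build_baseline(HISTORY), TODAY):
        print(f"{kind:16} {src} -> {dst}  {nbytes / 1e6:.0f} MB")
```

The three checks are deliberately independent so that a single record can raise more than one finding: the external push here is both a never-seen pair and an outbound-volume hit, which is exactly the combination an analyst wants surfaced rather than collapsed into one generic alert.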

  5. Incident Response. Surveys of organizations indicate that most have no functional incident response plan. In the event of an attack, the lack of an actionable plan extends the duration and losses associated with an attack.

Companies should prepare an incident response plan that covers these common questions, based on observations of many organizations after an incident occurred:

  • Was the organization actually under attack?
  • Did the alerts actually indicate a breach?
  • Who from the organization should respond?
  • Is the organization primarily interested in retaining evidence of the breach, restoring service, protecting data, or is there another priority?
  • What systems and/or data should receive the highest response priority?
  • Who are the organization’s third-party vendors (their ISP, for example) and who are the contacts (with contact phone numbers) at those organizations?

By considering each of these five key control areas, organizations can align their efforts with their business objectives and create a strong security foundation. And, should an attack or breach occur, they will be in a much better position to detect it, mitigate the effects of it, and recover from it more efficiently and with a better long-term outcome.