Rewind the clock: back in the 90s and the early to mid-2000s the world was a different place. There wasn’t a cyber security industry and there weren’t highly specialised roles with cool colours. There was just the IT crowd. In large organisations you may have had an IT security role, but based on my experience in the UK this was a rarity, not the norm.
Learning how to defend came from hard lessons and gruelling configuration management exercises, and even then most organisations I visited still didn’t have the basics covered. The idea of a host-based firewall probably seemed insane until Nachi/MSBlaster came along and devastated organisations. I remember commenting at the time that someone could just have watched the world burn by wiping data with it… not realising how close to real life that could have been.
Fast forward 10 years to the post-Stuxnet era of 2017 and we saw again how the lack of security awareness and consideration reared its ugly head. WannaCry felt like a repeat of MSBlaster, but this time we had a sinkhole. Even if the payload was spreading, the encryption routine would check whether the sinkhole domain existed and responded, and if it did the encryption routine would NOT run. This worked for many organisations; however, some (including one very large body) pulled their network connections in a panic, trapping a highly dangerous worm inside their network and re-activating the payload.
Slowly the world is waking up to the fact that businesses and organisations are fundamentally missing something when it comes to protecting all the things! Our old ways of deploying technology and security have failed us miserably. The naysayer gatekeepers of old, obsessed with firewall change controls and declining anything and everything without considering business and human impact, are (whilst not completely eradicated) well on their way out.
However, the land of milk and honey isn’t, for most organisations, exactly implemented here today! Almost daily a major breach is exposed, alongside countless scams and ransomware attacks. Why is this? We’ve got the knowledge, tools and expertise… I know, I speak to people on the frontlines every day on the internet! As a friend of mine said: you Cyber, Eat, Sleep, Repeat!
We hear too often in the news and industry about APT that and nation-state this. 0-days sound uber-cool, and if you believe the marketing hype your business is being targeted by multi-million-pound gangs of Nazgul-looking ‘hackers’ (it’s cybercriminals, hacking isn’t a bad thing!!) and you need the latest blinky boxen to protect yourselves.
Wake up people, the legacy approach and a FUD-led marketing exercise isn’t fucking working!
A New Way
Your masses of paperwork (I’m not saying paperwork isn’t important, it is!), your shitty approach to flow, your gatekeeper mindsets and your lack of understanding of what the actual risks to your business are, caused by scrimping on the essentials or focusing on niche edge cases, not only increase your chances of failure, they also put your employees, customers and members of the public at risk.
I’m not asking you to burn millions, or to disable your use of the technology you and your business rely upon in the modern world; in fact it’s the opposite.
Security improvement starts with communication and with realising that you need to take an iterative, risk-based approach. Security isn’t ever ‘done’, and if you try to fix everything at once you’re likely going to have some major issues. New models of working include taking a principles-based approach and moving the security work throughout the development lifecycle (sometimes referred to as shifting left) to design and build security into your products and services from the start and in an iterative fashion, because waiting till the end to ‘do a pentest’ is likely going to harm your security posture. Security as a people- and business-first enabler is going to have far more success than yesteryear’s fear, uncertainty and doubt machine, which says ‘no’ to everything whilst watching the eventual bypass of the ‘controls’ that have been forced upon people.
Putting Those $$$ to Work
Anyone want to know how long it takes to block the mainstream attacks? The answer is: well, not very long! I’m not going to detail everything; however, let’s take a look (anyone who is familiar with Cyber Essentials should recognise a lot of these):
- Identify your assets and crown jewels
- Stop blaming ‘the users’
- Train people, but also put in controls so that the likelihood and impact are reduced in the event they lose a cred or have a vuln explode on their endpoint!
- Consider not only adopting standard cyber security awareness training (it has its place, but just throwing out a CBT video and a phishing simulation isn’t exactly the whole point! That’s not exactly a great communication tool; consider using gamification and maybe running a capture-the-flag experience or other educational vehicle)
- Back up your data
  - Ensure there is no way for the backups to be affected by ransomware
- Patch (I know it’s not easy, but if you do regular (automated) deployments it’s a lot simpler overall!)
- Deploy a hardened configuration
  - It’s getting easier with Windows 10 (thanks Ned and others in the MS team!)
- Use admin jump boxes and stop everything being able to connect to everything
- Deploy LAPS
- Use a password manager and, where you can, use MFA
- Check your domain/users haven’t had their creds leaked all over the web, and run regular password audits
- Don’t run with admin rights
- Encrypt your disks on PC and mobile endpoints
- Implement human-enabling password policies
- Monitor the really important stuff (like crown jewel access and authentication logs etc.)
- Use the right tools; just deploying an AV solution with no central visibility and control is a sure-fire way to increase the cost of an incident and extend time-to-resolution
- Endpoints are the perimeter: you need to be able to protect, detect, respond and recover on each device
- Segment your networks (even if you are flat, segment using host-based firewalls)
- Control your internet exposure and implement protective controls (if you have WordPress, combine it with MFA; DUO for example is really simple and easy to use and deploy)
- A pentest once a year is a really insane way to try and ‘manage’ your cyber security
  - Do vulnerability assessments
  - Defend based on real vectors, stop removing everything from scope, and also test the test systems first
  - White box is a thing; it’s cheaper and finds more vulns!
- Make everyone part of the security team
  - Run workshops, awareness sessions and live demos, and build a culture of security responsibility and awareness. Leverage your IT team peers and the wider business, and develop security champions to extend your reach!
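As an added example (not the author’s code) of the “monitor authentication logs” and “password audits” items above, here is a small detection that flags a source address racking up repeated failed logins and, more importantly, a successful login from that same source afterwards. The log lines are constructed in OpenSSH auth.log style; the five-failures-in-five-minutes threshold and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log style (not taken from the post).
SAMPLE_LOG = """\
Mar 10 09:00:01 fileserver sshd[2201]: Failed password for alice from 203.0.113.7 port 51001 ssh2
Mar 10 09:00:03 fileserver sshd[2202]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:05 fileserver sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar 10 09:00:06 fileserver sshd[2204]: Failed password for bob from 203.0.113.7 port 51004 ssh2
Mar 10 09:00:08 fileserver sshd[2205]: Failed password for carol from 203.0.113.7 port 51005 ssh2
Mar 10 09:00:09 fileserver sshd[2206]: Accepted password for bob from 203.0.113.7 port 51006 ssh2
Mar 10 09:30:00 fileserver sshd[2300]: Failed password for dave from 198.51.100.20 port 40001 ssh2
Mar 10 09:31:00 fileserver sshd[2301]: Accepted publickey for dave from 198.51.100.20 port 40002 ssh2
"""

# Matches both "Failed password for X" and "Accepted publickey for X" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(log_text, year=2017):
    """Turn raw log lines into (timestamp, result, user, ip) tuples. Syslog lines
    carry no year, so one is assumed here."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (ip, kind, detail). A source that fails `threshold` times
    within `window` is flagged once; any later success from it is flagged too,
    since a success after a burst is the case worth waking someone up for."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    bursting = set()
    alerts = []
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append((ip, "brute_force", f"{len(recent[ip])} failures"))
        elif ip in bursting:
            alerts.append((ip, "success_after_burst", f"user {user}"))
    return alerts
```

Run `detect(parse(SAMPLE_LOG))` to see the single noisy source flagged twice while the quiet one with a single failed attempt stays silent.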
Keep going; cyber security isn’t a destination, it’s a never-ending process. The more you work on it, the simpler it becomes! Go for small incremental improvements with fast and regular releases over monolithic hardening projects.
The list above is long and I’m not even scratching the surface. Security isn’t easy, but it doesn’t have to be the monster of the past. I could draw out a load of TCO analysis and risk assessments, but that’s for another day. My message to you, if you are setting strategy or working in a position where you have budgetary control, is: help us consider and implement security practices at the inception stages of programmes and projects. Get priorities and funding sorted, and let’s not just focus on developers; let’s have security governed, managed and implemented by the business decision makers. Let’s go out there from the start in a way which not only adds business value but protects our families, friends, employees and customers, by delivering them the technology of tomorrow without compromising people’s security and privacy today!