Following the publication of a recent article regarding Sony spending $15 million on cyber security defences, I got into a conversation with two professionals on securing a business on a much smaller budget.
That conversation initially took place on Twitter, and I tasked the two men involved, Coalfire European managing director Andrew Barratt and Gary Smith, a senior security professional within financial services, to discuss this.
I began by asking them whether it is possible to run a security programme and secure a network on a shoestring budget, and if so, whether open source and free tools are sufficient for the job.
Barratt said it is possible, but in large companies it is particularly complicated. “Firstly tools alone are never sufficient; most security tools require people to be able to respond to alerts and review logs, or take actionable steps. Open source and free tools, as well as a good/better understanding of how the underlying operating systems work and can be restricted, are the ideal base for a security programme.
“Typically when scaling up, the decision to use a ‘commercial tool’ can be used in conjunction with some sensible metrics – such as it takes xFTE days (full time employee) to do Y tasks with Z tools. When commercial tools are thrown into the equation, their individual value can be considered against existing benchmarks. It becomes useful to look at security on a per asset or per person basis for comparison purposes.
“These give sane comparable metrics that senior executives will use without any context. Understanding them and understanding how to communicate the risk reduction using these terms can help significantly. Better management of the underlying systems can go a huge way too while timely patching and limited access can reduce the impact and lateral movement of an attacker.”
Smith said that it depends on what gaps the company needs to address: if it is a case of “roll out end-user sandboxing technology to bolster our controls and improve our resistance to phishing”, then it makes sense to look at it in those terms to determine whether the budget is sufficient to include rollout and training.
Barratt said that there is a better role to be played by the media, as in the case of Sony, lots of people were jumping up and down about this rather than actually squeezing them on what they really do now – and what decisions had led to this breach (if any). “It would be really good if the media pressed for root-cause information to be shared with other companies so that other senior decision makers can really say ‘wow this could have been us’,” he said.
“There is also a potentially dangerous message that ‘if you’re big, you can ride out a security breach doing very little’, which may translate to C-levels of big(ish) companies thinking ‘well Sony didn’t do much’ so why should I. Then without knowing the full facts they end up suffering a really damaging breach.”
Smith agreed with the view on sharing information about breaches, but said that unfortunately there is still a lot of a “you show me yours first” attitude, as well as private lists, and that even when there is a significant breach this results in people keeping quiet.
“FS-ISAC does a reasonably good job at sharing low level intelligence and indicators of compromise, but for major breaches the influence of the learning experience means that fewer details become available,” he said.
“I still don’t know the full details of JP Morgan Chase for example. I’m not sure media can really influence that too much. FBI/SEC pressure means they can just point to that and clam up, especially if you implicate nation state.”
Smith commented that there is also an issue with a company being deemed to be “too big to go down”, as it’s not too far removed from “well that couldn’t happen here”.
Barratt predicted that what we will see is a “perception correction”. He explained that whilst we in the infosec community see all breaches as an event to be avoided, sometimes for some types of data, a company might just have to live with it.
“In the same way as any other negative event, the thing that concerns me more is that the big guys with big coffers (or even certain sectors) become a little more disinterested and then companies with a much lower base security use them as an excuse for inaction until a breach almost cripples them,” he said.
Smith said that he does know that the financial services sector takes this stuff very seriously, and most boards in this sector do too, but sadly most (if not all) of them, even those that do, are sometimes unsure of where they need to spend money effectively. “It is a case of ‘I’ve given you $200m, why aren’t we secure yet?’,” he said.
“Although I remain relatively sceptical of initiatives such as Waking Shark and CBEST, they are at least a step in the right direction to make people think. I remember the first time we ran a phishing exercise internally and then produced the report of how things would have gone from there. The results weren’t enough by themselves; it was the follow-on analysis that really let us drive it home on why endpoint security was critically important.”
The two men agreed that it is still much too easy to map out an organisation’s technology without ever setting foot in the door, and far too easy to get a foothold inside.
Barratt said: “Back in the pre-permanent online days, access to incoming email was much more restricted than it is now, albeit largely to reduce ISP costs and associated communication charges. This meant it was easier and cheaper to prevent phishing attacks as fewer emails supported incoming mail, less overhead to screen them etc.
“You could invest $200m in awesome protection for all your most sensitive assets, and then one road warrior gets an email that bypasses the filters, hits a vulnerability that hasn’t been patched because they’re still out on the road and you are in. You are in with the same level of credentials too.
“If an attacker wants to go in unnoticed, they’d cache everything on that endpoint and then wait for it to get plugged in at home. Pre-VPN, they could do the exfiltration of all the data, making it almost unnoticeable until it’s too late.
“In large organisations, the simple/cheap job of restricting email usage can go a long way to minimising these kinds of attacks. Or at least it reduces the attack pool to a manageable number.”
Smith agreed that defining a whitelist of the approved internet sites needed for business, enforcing that whitelist at the proxy, and then ensuring all internet access must go via the proxy would also go a long way to limiting future attacks. “You would find productivity improves too, I would bet!”
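A minimal Squid configuration illustrating the whitelist-at-the-proxy model Smith describes, added here as an example rather than anything from the interview or either organisation; the `.example.com`/`.example.org` domains and the 10.0.0.0/8 client range are assumed placeholders. The commented-out rule is the weak “allow anything from the LAN” form; the active rules allow only the listed business domains and deny everything else.

```conf
# squid.conf (illustrative, assumed defaults; placeholder values)
http_port 3128

# Client networks that may use the proxy (placeholder range).
acl localnet src 10.0.0.0/8

# Approved business destinations. A leading dot matches the domain
# and all of its subdomains. In practice keep these in a file:
#   acl business_sites dstdomain "/etc/squid/business_sites.txt"
acl business_sites dstdomain .example.com .example.org

# Only plain HTTP and HTTPS (CONNECT) to the usual ports.
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# WEAK: the original "just proxy everything" rule lets any internal
# host reach any site, so the proxy adds logging but no containment.
# http_access allow localnet

# CORRECTED: internal hosts may reach approved business sites only.
http_access allow localnet business_sites

# Everything not explicitly allowed above is refused.
http_access deny all

# Every allowed and denied request is logged for review.
access_log /var/log/squid/access.log squid
```

The whitelist only constrains traffic that actually reaches the proxy, so the “all internet access via the proxy” half of Smith’s point still needs the perimeter firewall to block direct outbound 80/443 from the client networks.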