No matter what city you live in, you have likely seen a police officer conducting a traffic stop or talking to someone on the street. The officer may be issuing a ticket to the red light runner in hopes of changing the driver’s behavior to prevent a potential serious collision. Or he or she may also be talking to a person who seems out of place, gathering intelligence on who they are and why they are there, trying to identify possible criminal activity in a particular location.
Policing the Organization to Reduce Risk
You may be thinking: How does this relate to cybersecurity? Well, it is my belief that the chief information officer (CIO) or chief information security officer (CISO) is charged with the security of the corporate network in much the same way a police chief is responsible for the security of the city. The police chief is responsible for protecting citizens from criminal activity and situations that cause injury, while the CIO/CISO is responsible for protecting the company’s crown jewels from malicious cybercriminals.
Imagine if the police officers were just sitting at the police station waiting for something to happen before they responded. Crime would go up, collisions would increase and the overall risk to the public would be much higher. The police chief reduces these risks by having the patrol officers take a proactive approach to stopping drivers whose behavior is likely to cause a collision or educating the public on how to secure their residences and not become a victim to theft.
What CISOs Should Do
A CIO/CISO who takes a similarly proactive approach in looking for and eliminating threats or risky behaviors can dramatically reduce risk. At a minimum, the organization will be better prepared for a security incident when one occurs.
While many organizations have excellent information technology teams that do a great job of configuring networks in place, the configurations are often designed around functionality and performance, with only a touch of security built in.
Consider security activities that can inform IT organizations of areas where they may want to consider additional enhancements. For example, an active threat assessment (ATA) approaches the network from a fresh perspective, using intelligence from years of incident response investigations and current security trends to identify active threats and risky behavior.
How to Reduce Risk
A thorough ATA should include components such as penetration testing, host scanning and assessment, log analysis and an assessment of essential practices and critical controls.
Penetration testing, depending on size and scope, can help to identify the unpatched servers that still have exploitable vulnerabilities and find weaknesses through social engineering. Considering that the human factor is the weakest link in any security chain, testing and educating employees should be high on the list of any proactive practices.
Host Scanning and Assessment
Host scanning and assessment should not only include a search for the obvious malware running on the system or residing static on the drive, but should also feature an assessment of the system and program configurations an intruder may use to further traverse the network.
For example, it is not uncommon for administrators to unintentionally leave credentials in configuration or batch files on servers in plaintext; they don’t realize they left the keys to the kingdom under the doormat. While not intentional, this type of risky behavior can be the difference between a simple infection being contained and complete ownership of the network by the malicious intruder.
Log analysis is an extremely important part of a threat assessment. Firewall logs can show if there is suspicious traffic coming from an internal endpoint, even if that traffic is blocked at the firewall. This can help identify an indicator of compromise. Security event logs may also indicate possible remote desktop connections and brute-force attacks on user accounts.
Additionally, the ability to respond to a security event and follow an intruder through a network depends heavily on network visibility in the form of logging. Threat assessments often flag blind spots in the network logging that could limit the ability to track an intruder or impede the root cause analysis of a situation.
The essential practices and critical controls element can be anything from looking at everyday processes and the risk associated with them to examining the architecture of the network for security risks that could improved.
Are You Prepared for a Security Incident?
Networks are commonly referred to as jelly-filled hard candy. Once an intruder gets through the hard outer shell, the rest is the soft and chewy center that yields the most flavor. The hard shell is generally defeated with a breakdown in the human factor via phishing emails, drive-by downloads, etc.
So as you read this and reflect back on your own network and security posture, think about how proactive you are and whether you could do more. It’s only a matter of time until your organization comes under attack. Implementing sound, proactive assessments and thorough testing designed to improve the network security posture will help prevent or reduce the risks when an attack does occur.
The cyber storm is coming. Are you ready?
Senior Emergency Response Analyst, IBM
Gene has been a computer forensics analyst for 9 years and has over 21 years of experience in supervision and leadership in business management. Gene additio...