Access Controls and the Inability to Keep Up
The media is filled with stories of large breaches and omens of cyber catastrophe, and it tends to leave you with a defeatist view. There is a common saying in the industry that “it’s not if you will be breached, but when.” It certainly feels that way sometimes, but I felt it might be a bit refreshing to offer an alternate view.
It’s actually a really exciting time to be in the world of information security. For the first time in 22 years of working in this business, I feel confident in saying we have an opportunity to truly get ahead of security issues.
Finally Feeling Good About Security
My history goes back to the Department of Defense (DoD), during the days when Kevin Mitnick was traversing DARPA systems. I was fortunate enough to play a part in the formation of the U.S. Air Force Computer Emergency Response Team (AFCERT) and its defensive operations at the time.
From the DoD, I went into commercial industry as a consultant and ethical hacker for one of the big four firms. Since those early days I have crossed many verticals as hacker, defender and consultant to high-tech firms, financial services, the health industry, natural resources, life sciences and national critical infrastructure such as energy and utilities, oil and gas, transportation and manufacturing.
While each organization I’ve worked with has its own unique challenges that cut across many dimensions (e.g., compliance, economics, culture, security maturity and more), there are common themes that are universal. Most of the CIOs, CEOs, CROs and CISOs I speak with share a sentiment along these lines, almost without exception:
I’ve been assessed to death, I’ve invested a ton and I’m getting beat up more now than ever. I feel surrounded by bad guys, including insiders, and they are more organized, better funded and more highly skilled than what I can bring to the fight.
How do you effectively fight in this environment?
I’m sorry to say that historically security professionals haven’t had a really good answer to that question. For a very long time, the security industry was fragmented, with vendors specializing in specific protection technologies. Risk-based approaches were limited in their effectiveness because even the best risk program was limited by the timeliness and quality of the information available. We simply did not have a high level of sensor technologies, collaborative approaches, automation and machine intelligence available to us in the past. And that past was only just a few years ago.
A Case Study for the Future
Things are truly different now, which has breathed some new life and excitement into the information security industry. The technological advancements are nothing short of phenomenal, and the mindsets of security professionals are changing as well. That is as important — if not more important — than the technology.
Take something as fundamental as security controls and common industry frameworks. Until now, the security world was flat, meaning we only thought of these things in one dimension. Let’s use access control as an example: With any regulatory or industry security framework, access control will be at the top of the list of must-have measures.
Most organizations take these frameworks and apply them like checklists. In the case of access control, you may implement risk-based access control across the enterprise, two-factor authentication for remote access, digital certificates, biometrics and maybe a variety of other methods. Then you check off the task and move on to the next requirement on the list.
The mindset of prescribing one-dimensional control has not been effective. The industry is now seeing a shift in mindset toward three-dimensional control. We think of things more end-to-end, meaning from each individual control through the monitoring capability focused on that control and ending with the specific, prepared response to take when that control is breached.
Three levels of security and response for access controls:
- Traditional Framework Controls (e.g., access controls)
- Monitoring and Detection Capability (e.g., monitoring and behavior-based analytics)
- Prepared Response (e.g., a playbook for an enterprise-wide password change)
A Closer Look at Access Controls
Let’s take this specific example a bit further to round out the point: Credentials and access controls are the most common links in attack chains because most hackers need both credentials and access to achieve their objectives. Changing passwords is one of the top three remediation activities during and after a breach, and it’s often a wise precautionary activity to preclude an attack.
An enterprisewide password change means changing all passwords for all users, all administrators and all service accounts. For many organizations this can be 100,000-plus normal accounts with hundreds or thousands of service accounts. Bad guys love service accounts — ideally they collect several that have domain privileges and are hard-coded into custom critical business applications. The more embedded they are and the more painful for you to expel them, the better.
Remediating an access breach typically occurs during a frantic 36 to 48 hours in an all-hands-on-deck event. Unfortunately, it takes most enterprises four to six months to prepare for, plan and execute this task in crisis mode, which means you may have to uncomfortably coexist with attackers in your environment for months before you can do anything about it.
Unplanned activity like this is time-consuming. Not only do you have to make technical changes and conduct code analysis, but users must also be notified and the impact on business application owners, partners and vendors assessed. Scheduling downtime, changing passwords and bringing the environment back online are all intensive tasks as well.
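To make the three-level model concrete for the access-control case above (control, monitoring, prepared response), here is an added example that is not part of the original article: a small behavior-based rule that flags service accounts used off their baseline, and a planner that turns those findings into the rotation-playbook steps, including the hard-coded credentials that make a crisis-mode password change so slow. All account names, hosts and logon events are constructed.

```python
"""Added example (not from the post): a monitoring rule over constructed logon
events whose findings feed the prepared-response step (a rotation playbook)."""
from collections import defaultdict

# Constructed inventory. Service accounts carry a baseline (expected hosts and
# logon type) plus the applications their credential is hard-coded into.
INVENTORY = {
    "svc_backup": {"type": "service", "hosts": {"bkp01"}, "logon": {"service"},
                   "hardcoded_in": ["backup-agent"]},
    "svc_erp_db": {"type": "service", "hosts": {"erp-app01"}, "logon": {"service"},
                   "hardcoded_in": ["erp-connector"]},
    "jsmith":     {"type": "user", "hosts": set(), "logon": {"interactive"},
                   "hardcoded_in": []},
}

# Constructed logon events: (account, source host, logon type).
EVENTS = [
    ("svc_backup", "bkp01", "service"),
    ("svc_erp_db", "erp-app01", "service"),
    ("svc_erp_db", "ws-finance-17", "interactive"),  # service account used like a person
    ("svc_backup", "dc01", "remote"),                # off-baseline host and logon type
    ("jsmith", "ws-sales-03", "interactive"),
]

def detect(events, inventory):
    """Monitoring layer: map each deviating account to its list of reasons."""
    findings = defaultdict(list)
    for account, host, logon in events:
        profile = inventory.get(account)
        if profile is None:
            findings[account].append("account not in inventory")
            continue
        if logon not in profile["logon"]:
            findings[account].append(f"unexpected {logon} logon from {host}")
        # Service accounts are held to a fixed set of source hosts.
        if profile["type"] == "service" and host not in profile["hosts"]:
            findings[account].append(f"off-baseline host {host}")
    return dict(findings)

def rotation_plan(findings, inventory):
    """Response layer: playbook steps per flagged account, surfacing the
    hard-coded dependencies that make a crisis-mode rotation take months."""
    plan = []
    for account in sorted(findings):
        profile = inventory.get(account, {"type": "unknown", "hardcoded_in": []})
        steps = ["rotate credential and invalidate existing sessions"]
        for app in profile["hardcoded_in"]:
            steps.append(f"update embedded credential in {app}; notify its owner")
        plan.append((account, profile["type"], steps))
    return plan
```

Running `rotation_plan(detect(EVENTS, INVENTORY), INVENTORY)` flags only the two service accounts and lists the application owners who must be involved before their passwords can change; building that list in advance is the "prepared response" the article argues for.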
Make It Tougher for the Bad Guys
The bad guys are counting on our inability to respond swiftly. It would come as a complete surprise to even the most advanced attackers if a large enterprise could move with this kind of agility. It comes down to being prepared and making sure you have a response plan for each control in your framework.
Things like an enterprisewide password change playbook or a rapid digital certificate revoke-and-replace plan are powerful tools. It takes surprisingly few of these big levers to make all the difference between a single breached control and a full-on organizational breach with data loss and negative brand impact. We need to be more about preparation and less about hero effort in the moment of crisis.