Despite the general agreement that being prepared for an information security incident decreases the pain of dealing with the intrusion, few companies seem to plan for the eventuality of a data breach. Understanding why organizations don’t prepare for incident response might help us come up with advice that goes beyond merely emphasizing the need for an incident response plan.
Do Organizations Understand the Threats?
One explanation for the lack of preparedness suggests that organizations simply don’t know that it’s a dangerous online world out there and, therefore, might not even understand what security incidents are about. This is probably incorrect. A Symantec study of small and midsize businesses found that the SMBs were aware of online threats. More than half “stated that malware would reduce productivity while the infected systems were repaired and 36 percent recognized that hackers could gain access to proprietary information.” If SMBs understand this, larger enterprises presumably do as well.
Do Organizations Recognize That They Might Be Attacked?
As indicated above, companies seem to possess a general awareness of the threats and understand that a data breach could have adverse effects. The problem might be that these firms don’t believe they will be attacked.
Indeed, the Symantec study mentioned above found that SMBs thought that, due to their smaller size, they were less likely to be attacked. In reality, Symantec’s data showed that SMBs were more likely to be targeted than large enterprises and, therefore, underestimated the risk.
This situation is a bit reminiscent of the University of Pennsylvania’s study that examined teens’ perceptions of the risks associated with smoking. The teenagers knew about the link between smoking and cancer; however, they believed that they personally would be able to “avoid the health consequences of smoking.” The researchers noted:
"In keeping with other research findings, young smokers in this study estimated their own personal risks differently from risks to smokers in general."
Perhaps there is an underlying psychological tendency among individuals to be optimistic when assessing risks, thinking they are less likely to experience a negative event than others in their peer group.
Do Organizations Foresee the Pain of Dealing with the Incident?
There’s another explanation for organizations not thinking in advance about security incidents, even if they are aware of threats and recognize that they might be attacked. It has to do with a weak understanding of the effect an incident can have on the organization. Without this understanding, the company fails to see the need to prepare in advance and doesn’t know what dealing with an incident might be like.
In the UPenn smoking study mentioned above, some teens acknowledged that they were at an increased risk of developing cancer if they continued to smoke. However, they failed to understand the horrible effect that cancer, if it occurs, could have on their lives. They underestimated the deadliness of this disease. The researchers concluded:
"Young smokers understand that smoking is likely to shorten a person’s life, but do not have a clear idea of the number of years involved."
It’s quite possible that organizations similarly underestimate the disruptive effects of an information security incident. At least in the short term, the organization will find itself suspending some aspects of its routine and switching into an incident handling mode that is costly and stressful.
Persuading Organizations to Prepare for Information Security Incidents
The studies act as illustrations of the challenges we encounter when assessing risks. If we are to attempt persuading companies to consider how they will handle information security incidents before the event takes place, we need to consider several reasons why they might not care to think about this in advance:
Try as we may, we should also recognize that human nature leans towards reacting to events rather than preparing for them. This is one of the reasons I’ve prepared various incident handling cheat sheets and outlined some advice in a presentation titled How to Respond to an Unexpected Incident.
Agreeing on the scope of a security assessment, such as a penetration test, is easier said than done. Define the scope too narrowly, and you will miss the vulnerabilities another attacker could have exploited. On the other hand, an overly wide or ambiguous scope can unnecessarily increase the cost of the assessment and put the careers of the people involved with the project at risk.
Jake Williams’s recent blog post Penetration Testing Scope - Murky Waters Ahead! highlights the challenges associated with determining what may be examined by the tester. For instance, if the assessment is supposed to exclude web applications, should a PHP vulnerability that allows remote code execution be excluded as well?
Defining the scope is as much a political issue as it is a technical one. Many assessments focus exclusively on “web applications” or only on “network services,” instead of combining the two efforts, because these resources are usually maintained by different teams. As a result, the funding for these assessments comes from different sources, and different people will be blamed for security problems.
Unfortunately, this means that many penetration tests fail to adequately mimic a typical attacker’s actions, because the scope of the assessment is artificially constrained.
One way to determine whether a particular vulnerability is in scope is to ask the client whether they are the ones responsible for patching that vulnerability. That’s not satisfying, I know. The good news is that the assessor can still provide value by asking questions about the vulnerability, explaining its significance and highlighting that someone within the client’s organization should take a look at it.
A well thought-out penetration test will define the rules of engagement in a realistic manner without drawing these artificial boundaries. A consultant should strive to define the rules of engagement and the scope in this “fused” manner when selling the assessment. Similarly, organizations should combine these types of testing efforts into a single engagement, even if it means that two different teams need to collaborate and pool their budgets.
In a follow up to his post, Jake pointed out that talking to “the customer is ultimately the correct way to obtain ultimate resolution on the issue.” He explained that they report all issues they “find (even if they happen to be out of scope). … this provides a real value added to the client.”
Information security professionals need to keep an eye on the always-evolving cyber threat landscape. Accomplishing this involves understanding how changes in people’s use of technology influence the opportunities and techniques pursued by criminals on-line. Below are 5 tech trends that have affected the evolution of threats.
Mainstream adoption of the Internet into daily activities. The Internet has become so interwoven into our lives that we often don’t notice when activities make use of Internet-connected resources. Technology that allows people and businesses to utilize Internet connectivity has become so convenient that even non-technical people, old and young, are able to harness the power of the web. As a result:
The increase in usefulness and popularity of mobile devices. Powerful pocket-sized computers with always-on Internet connectivity, also known as phones, have become so common that we rarely make a distinction between a regular and a “smart” phone. Overall, mobile devices have become as integral to the modern way of life as glasses, wallets and shoes. As a result:
The popularity and acceptance of online social networking. While initially seen as serving the needs of niche groups, websites such as Twitter, Facebook and LinkedIn have been joined by numerous others to support new ways in which people socialize online. Social networking sites have become the backbone of modern interactions. As a result:
The connectivity between “physical” and “virtual” worlds. Objects, tools and other constructs (e.g., thermostats, industrial control systems, home automation devices) in the “physical” world are increasingly connected to the web, giving rise to the concept of the “Internet of things.” As a result:
The acceptance of cloud computing. The use of external, virtualized and/or outsourced IT resources has gained mainstream adoption for not only personal, but also enterprise applications. The cloud is permeating all aspects of modern life. It is becoming increasingly difficult and unnecessary to make a distinction between traditional and cloud-based technologies. As a result:
Though I’ve broken out technology trends as distinct observations, they are interrelated within a system that comprises the modern way of life, which incorporates phones, social exchanges, interconnectedness and cloud services into its very fabric. Similarly, the trends in attack strategies, targets and rewards are intertwined to create the reality that infosec professionals need to understand and safeguard.
Sometimes people ask me for career advice related to information security in general and, more specifically, digital forensics and incident response. I’ve written a few articles on this topic, as did many other respected professionals. Below are pointers to some of these tips.
Digital forensics in general:
Specific to malware analysis:
Broader IT and information security career tips:
I’m sure I missed many other excellent articles with practical career tips for digital forensics and related fields. If you’d like to recommend your favorite references, kindly leave a comment.
LinkedIn prompts users to take additional steps when it determines that the logon attempt is unusual. What activities does LinkedIn consider suspicious? This isn’t well documented, but here are a few possibilities.
According to LinkedIn, the service presents a security challenge when the user attempts to sign-in “from an unfamiliar location or device” or when the service detects “suspicious web activity.” In this case, the user might be emailed a verification link or presented with a CAPTCHA challenge.
The security challenge could come up when the user accesses LinkedIn from a new country. In this case, the person would see:
“This sign-in attempt seems unusual for you. As a security precaution, please check your email to verify this sign-in attempt.”
The email message will explain, “Someone just tried to sign in to your LinkedIn account from an unfamiliar location, so we want to make sure it’s really you.” The email will specify the IP address and the country where the attempt originated. The recipient will be advised to click a button to verify the sign-in attempt or click another link to change the password.
Watch out: scammers could copy this text for phishing, so treat the link in such a message with the same suspicion as any other unexpected sign-in notification.
LinkedIn also presents the verification prompt after an extended absence according to one report on Twitter. Another sighting on Twitter suggests that LinkedIn might be checking for frequent login/logout actions from a single location, though specifics of this logic are a bit unclear.
To reduce the likelihood that the sign-in verification prompt will come up, LinkedIn recommends against signing out “each time you use LinkedIn during the day.” Strangely, the service also suggests that “you sign out at the end of each day.” (I doubt that’s very practical advice.)
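To make the heuristics described above concrete, here is an added illustration of how a service might combine such signals into a challenge decision. This is example code written for this page, not LinkedIn’s implementation; the thresholds, signal names and the choice of CAPTCHA versus e-mail verification per signal are assumptions, and the account history and sign-in attempts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Thresholds are illustrative assumptions, not values LinkedIn has published.
ABSENCE_THRESHOLD = timedelta(days=90)   # what counts as an "extended absence"
BURST_WINDOW = timedelta(minutes=10)     # window for counting sign-ins from one IP
BURST_COUNT = 5                          # sign-ins in that window that look like a login/logout loop


@dataclass
class AccountHistory:
    known_countries: Set[str]
    known_devices: Set[str]            # device cookie / fingerprint identifiers seen before
    last_seen: Optional[datetime]      # last successful sign-in; None for a brand-new account


@dataclass
class SignInAttempt:
    when: datetime
    ip: str
    country: str                       # from IP geolocation
    device_id: str


def assess_signin(history: AccountHistory, attempt: SignInAttempt,
                  recent_from_ip: List[datetime]) -> List[str]:
    """Return the risk signals raised by this attempt (empty list if none).

    recent_from_ip holds timestamps of earlier sign-ins from attempt.ip,
    regardless of account, so a loop of sign-in/sign-out from one place shows up.
    """
    reasons = []
    if attempt.country not in history.known_countries:
        reasons.append("unfamiliar_country")
    if attempt.device_id not in history.known_devices:
        reasons.append("unfamiliar_device")
    if history.last_seen is not None and attempt.when - history.last_seen > ABSENCE_THRESHOLD:
        reasons.append("extended_absence")
    in_window = [t for t in recent_from_ip if timedelta(0) <= attempt.when - t <= BURST_WINDOW]
    if len(in_window) + 1 >= BURST_COUNT:      # +1 counts the current attempt
        reasons.append("signin_burst_from_ip")
    return reasons


def challenge_for(reasons: List[str]) -> Optional[str]:
    """Pick a challenge type (assumed policy): a CAPTCHA for automation-like bursts,
    since it is cheap and does not rely on the attacker lacking mailbox access;
    e-mail verification for signals that question *who* is signing in; none otherwise."""
    if "signin_burst_from_ip" in reasons:
        return "captcha"
    if reasons:
        return "email_verification"
    return None


def demo() -> dict:
    """Run the policy over one constructed account history and five constructed attempts.
    The history is deliberately not updated between attempts so each case is independent."""
    history = AccountHistory(known_countries={"US"}, known_devices={"dev-home"},
                             last_seen=datetime(2013, 5, 1, 9, 0))
    base = datetime(2013, 5, 2, 9, 0)
    attempts = {
        "usual":         SignInAttempt(base, "198.51.100.10", "US", "dev-home"),
        "new_country":   SignInAttempt(base, "203.0.113.7", "DE", "dev-home"),
        "new_device":    SignInAttempt(base, "198.51.100.10", "US", "dev-cafe"),
        "after_absence": SignInAttempt(base + timedelta(days=120), "198.51.100.10", "US", "dev-home"),
        "burst":         SignInAttempt(base, "203.0.113.7", "US", "dev-home"),
    }
    # Four earlier sign-ins from 203.0.113.7 in the preceding minutes (constructed data).
    burst_history = [base - timedelta(minutes=m) for m in (1, 2, 3, 4)]
    results = {}
    for label, attempt in attempts.items():
        recent = burst_history if label == "burst" else []
        reasons = assess_signin(history, attempt, recent)
        results[label] = (reasons, challenge_for(reasons))
    return results


if __name__ == "__main__":
    for label, (reasons, challenge) in demo().items():
        print(f"{label:14s} -> {challenge or 'no challenge'} {reasons}")
```

The point of separating `assess_signin` from `challenge_for` is that the signals and the policy change at different rates: a new signal (say, an impossible-travel check) slots into the first function, while tuning which signals warrant which friction stays in the second. Note also that the burst check keys on the IP rather than the account, which is what a login/logout loop from a single location would require.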
It’s great to see that LinkedIn has been taking measures to strengthen its authentication practices!
Update: LinkedIn now offers two-factor authentication. For some thoughts on this feature, see my Google Plus post on this topic.
If this topic interests you, you will also like:
There is much we can learn about the coordinated online activities of skilled attackers with nation-state affiliations. The following two write-ups provide a wealth of information about one such attack group, which has been targeting organizations in South Asia over the past few years and appears to reside in India:
According to these reports, the group engaged in industrial espionage and spying on political activists. The victims resided in many countries, but Pakistan stood out as the most targeted location. The attackers relied on spear phishing to gain initial access to the targeted environment. The emails were thematically appropriate to the targets and included malicious documents that exploited unpatched vulnerabilities. Some of the malware was digitally signed.
The analysts attributed these cyberattack activities to a specific source by examining:
As a result, Norman and Shadowserver researchers concluded that the attackers apparently operated from India “and have been conducting attacks against business, government and political organizations.” Similarly, ESET analysts concluded “that the entire campaign originates from India.”
In addition, Norman and Shadowserver researchers concluded that the malicious software used in these campaigns was created by multiple software developers who were “tasked with specific malware deliverances.” The developers collaborated, “working on separate subprojects, but apparently not using a centralized source control system.”
In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:
Also, on my own blog I took a look at Cylance’s Accelerify tool for speeding up the lab system’s clock for malware analysis.
Some organizations encountered the Advanced Persistent Threat (APT) over five years ago, earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully orchestrated, espionage-motivated attacks before such attacks spread to a wider range of targets.
Now, half a decade later, it might be time to look at the attacks that the initial APT victims are fighting nowadays to forecast the threats that will eventually reach other companies. I am wondering:
It’s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate reliable APT insights, such as what Mandiant has been publishing, from the generic APT-themed sales collateral peppered throughout the web.
Based on public information and observations, I suspect the threat landscape over the next few years will involve:
These are just conjectures. I don’t have the answers to the questions I posed above; however, I thought I’d at least ask them and explore the idea of looking at early APT targets’ current state to anticipate advanced threats that will later affect other organizations.
Related articles you might like:
In the field of IT in general and digital forensics in particular, you become obsolete the moment you stop learning. Here are several free recorded webcasts related to reverse-engineering and malware analysis that will help you keep your skills up to date: