Before I even start, I have to admit that I’m every bit as guilty of this as anyone else. I love tech and gadgets and have been dazzled, then disappointed before. As I was thinking about this, I was picturing stones flying around my own glass house, so don’t take this personally if you find yourself looking back in the mirror as well. After all, GI Joe flooded my childhood with messages of, “knowing is half the battle.” It’s what we do with the knowledge that will let us prevail in the other half of the battle. Hopefully my experiences and bad decisions can help some of you.
Now that I have that off my chest, I can go ahead and tell you that if you are investing time and money in high-tech “solutions” without addressing non-technical or low-tech solutions, you are really screwing up. Yep, 100% screwing the pooch, making a mess of it, etc., etc., etc., so stop it!
If you haven’t noticed already, those signs you see at the airport, the ads in magazines, the internet, or anywhere else are put together by a special type of person called a “Marketer”. These people aren’t evil on purpose, but I see a lot of them going to the “dark side” (I hear they have cookies). It could be the pressures of lead generation or competition, but whatever it is, some fall in the dark well of snake oil sales. They start making ridiculous claims like, “With our WAF, data breaches are a thing of the past” or “The ‘cloud’ will fix all of your ailments”. When you see these people at trade shows, they even begin to believe their own rhetoric and will pitch it to you with a confident smile on their face. What’s worse, you may start to believe it yourself. Your executives may start to believe it, your boss may start to believe it. Best case, big $ goes out the door and your security situation still hasn’t improved dramatically. Worst case, big $ goes out the door and you are in worse shape than when you started.
Avoiding the Gut Punch
How do you avoid this unpleasant experience? It will take a conscious effort of will to step back and see through the smoke.
First, if something says it’s a “solution”, put on your skeptical hat and hold on to it. In security there is reduction of risk, but I have never seen a professed “solution” be an actual end to something meaningful. Many times I have seen a “solution” open up a whole other can of worms that was unexpected.
Second, compare to other similar devices/platforms and see if the fancy new feature is just different wording for something already being done by someone else. If there is a key feature that gets you all spun up, don’t assume you know what it actually is doing. I have convinced myself that things are going to do one thing, when in fact they do something altogether different, simply because I really WANTED them to do what I thought they meant. Make sure you take a deep breath and understand the limitations of the feature you are so hot for. It can save many tears down the road.
Third, understand how things are going to work together. There are few things worse than getting a new device only to find out that managing it takes a lot of time and effort because nothing integrates with your current infrastructure.
Finally, and most importantly, consider whether you are trying to throw a high-tech fix at a low-tech or no-tech problem. In many cases, risk can be decreased dramatically through policy, procedure or easy architecture changes. Sometimes you are using the tool wrong and can’t even see it.
Examples of Your Hare-Brained Scheme?
Let’s use ransomware attacks as an example. Not only have WannaCry and Petya/NotPetya caused issues, but Cerber and others have been doing it for a long time. Let’s look at some easy things that would have made these attacks less of an issue, maybe even trivial, had they been done.
Patching – MS17-010 was exploited in a couple of these, but other patched vulnerabilities have been exploited time and time again. Most of the time, 0-days are not what is used; it’s old exploits on vulnerable machines. Sure, patches are a pain to keep up with, but time spent here can pay off greatly. Imagine if MS17-010 had been applied globally before WannaCry; it would have been a minor nuisance rather than a global event. Review your patching process and give it the attention it deserves. If you can’t patch, use mitigating controls or isolate the device from anything it doesn’t NEED to communicate with.
Network Segmentation – It still boggles my mind how many “flat” networks are out there. These days, the cost of segmenting networks is nearly trivial and the implementation is well understood. What is segmentation? Simply put, it’s the practice of limiting communication between devices or groups of devices. Consider this: does your receptionist need to be able to get to a login screen for your SQL server? Does finance need to get to the Development environment? Does Dev even need a direct connection to Production? Anywhere you can limit this communication, you provide a mechanism of containment. Now if your receptionist launches malware, it can’t ever reach important resources. Clean up is now easier and real damage avoided. With a little planning and work, you can significantly limit how far malicious programs or hackers can get within your network for little or no cost. WannaCry spread by being able to get to servers on port 445. Had they been segmented, damage would have been much more contained.
Backups – Sure, you get the email every day/week that says your backups ran, but do you really read the email, and have you ever tested your backups by restoring them? Maybe the backup successfully backed up 40 KB worth of data, but nothing else. If the job is whacked and it only thinks it’s supposed to back up 40 KB, it’s going to tell you it was successful. Make sure you know what’s going on. I suggest restoring some random critical data at least once a month and ensuring you can get it. This will help you understand the time it takes and the process so you aren’t doing it when the world is on fire and the pressure is on. Also, do a full restore at least twice a year. Make sure it all works. Backups are a great way to fight ransomware, and the ability to quickly restore would have made WannaCry just a nuisance.
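The two checks above, a sanity check on how much the job actually wrote and a restore of a random sample compared against the live data, as an added example in Python (not from the original post; the directory layout, the 50% size threshold and the sample data are constructed for the demo):

```python
import hashlib
import random
import tarfile
import tempfile
from pathlib import Path

def make_backup(src_dir, archive):
    """Write every file under src_dir into a tar archive; return its size."""
    with tarfile.open(archive, "w") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(src_dir)))
    return Path(archive).stat().st_size

def size_looks_sane(size, baseline, min_ratio=0.5):
    """A job that 'succeeded' but wrote a fraction of last run's data is the
    40 KB problem from the text. min_ratio is an assumed, tunable threshold."""
    return baseline is None or size >= baseline * min_ratio

def restore_sample_matches(archive, src_dir, sample=2, seed=None):
    """Pull a random sample of files back out of the archive and compare their
    SHA-256 with the live copies: the monthly restore test, automated."""
    rng = random.Random(seed)
    with tarfile.open(archive, "r") as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        if not files:
            return False
        for m in rng.sample(files, min(sample, len(files))):
            restored = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            live = hashlib.sha256(Path(src_dir, m.name).read_bytes()).hexdigest()
            if restored != live:
                return False
    return True

def demo():
    """Constructed scenario: a healthy run sets the baseline, then a broken run
    that only sees one 40 KB file is caught by the size check."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work, "data"); data.mkdir()
        for i in range(5):  # five 200 KB "critical" files
            Path(data, f"report{i}.csv").write_bytes(bytes([65 + i]) * 200_000)
        baseline = make_backup(data, Path(work, "good.tar"))
        broken_src = Path(work, "broken"); broken_src.mkdir()
        Path(broken_src, "readme.txt").write_bytes(b"x" * 40_000)
        broken_size = make_backup(broken_src, Path(work, "broken.tar"))
        return {"restore_ok": restore_sample_matches(Path(work, "good.tar"), data, seed=1),
                "broken_flagged": not size_looks_sane(broken_size, baseline)}

if __name__ == "__main__":
    print(demo())
```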
Have An Incident Response Plan – Figuring out how to respond sucks when you are in the middle of it all. Put some effort into having a plan that at least covers the basics for common scenarios. Having things like contact information for execs, law enforcement and online resources can really help take some pressure off when responding to an event. Know where your software and licensing is in case you need to reload things. Know how to reach your vendors or cloud providers and have that documented. Something will eventually go wrong, so be ready when it does.
Get Visibility In One Place – If at all possible, get your logs, alerts and events feeding into a SIEM or some other central spot. Easy stuff like firewall logs or endpoint protection alerts going to one place can make a huge difference in your ability to notice and identify potential attacks or events. For example, if a bunch of your endpoint protection agents start throwing alerts, you can spot it quickly and take action. This is one of the more technical things I do think needs to be done; however, the cost does not have to be significant. Look into ELK Stack (aka Elastic Stack) or AlienVault OSSIM for free ways to get some visibility into your network. A quick reaction can significantly reduce damage in an attack.
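What the segmentation and visibility points look like together, as an added Python example that is not part of the original post: once segments deny lateral port 445 traffic, a WannaCry-style spread shows up in the central log as one source hitting many hosts, and the endpoint alert burst the author mentions is the same kind of count. The log format, hostnames, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs): firewall denies between segments
# and endpoint protection alerts, as they might land in a central log store.
LOGS = """\
2017-05-12T10:01:02 fw DENY src=10.10.5.23 dst=10.20.1.4 dport=445 proto=tcp
2017-05-12T10:01:02 fw DENY src=10.10.5.23 dst=10.20.1.5 dport=445 proto=tcp
2017-05-12T10:01:03 fw DENY src=10.10.5.23 dst=10.20.1.6 dport=445 proto=tcp
2017-05-12T10:01:03 fw DENY src=10.10.5.23 dst=10.30.2.9 dport=445 proto=tcp
2017-05-12T10:01:05 fw ALLOW src=10.10.5.40 dst=10.20.1.4 dport=443 proto=tcp
2017-05-12T10:02:10 edr ALERT host=WS-RECEPTION-01 sig=Ransom.Generic
2017-05-12T10:02:11 edr ALERT host=WS-FINANCE-07 sig=Ransom.Generic
2017-05-12T10:02:12 edr ALERT host=WS-FINANCE-08 sig=Ransom.Generic
2017-05-12T10:02:12 edr ALERT host=WS-HR-03 sig=Ransom.Generic
2017-05-12T10:03:00 edr ALERT host=WS-HR-03 sig=PUA.Toolbar
"""

FW_RE = re.compile(r"fw (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
EDR_RE = re.compile(r"edr ALERT host=(?P<host>\S+) sig=(?P<sig>\S+)")

def smb_fanout(lines, min_targets=3):
    """Sources that tried SMB (445) to at least min_targets distinct hosts.
    With segmentation in place these attempts are DENY lines, and a single
    workstation fanning out to many servers is the spread pattern to react to."""
    targets = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("dport") == "445":
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def alert_burst(lines, min_hosts=3):
    """Signatures firing on at least min_hosts distinct endpoints: the 'a bunch
    of agents start throwing alerts' case, visible only when they land together."""
    hosts = defaultdict(set)
    for line in lines:
        m = EDR_RE.search(line)
        if m:
            hosts[m.group("sig")].add(m.group("host"))
    return {sig: len(h) for sig, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    lines = LOGS.splitlines()
    print("SMB fan-out:", smb_fanout(lines))      # {'10.10.5.23': 4}
    print("Alert bursts:", alert_burst(lines))    # {'Ransom.Generic': 4}
```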
Work On Your Organization’s Security Culture – Teach your users how to spot phishing attacks and avoid falling for scams. Changing the security culture of your users is one of the best ways to avoid attacks. People need to know that they are targets so they can protect themselves. They need to know what to look for in order to spot attacks and have a way to report them quickly. Understand that you may not be the best person to put training together. We tend to be technical people, and that does not always resonate with the users. Employ other departments, such as marketing, if you are going to do it on your own, or better yet use a third party like my company KnowBe4 to do it for you. It’s not expensive and it works well. Reminding users that attacks like ransomware impact them at home as well can really help them pay attention in the training. Fostering an attitude of helpfulness from the security/IT team will go a long way to getting the users to want to engage. Don’t shame folks when they screw up, and they will. Instead, reward them for doing the right thing. Kudos at a company meeting or in a company-wide email, or even a pizza party for the department that does the best, can really impact the culture. Have fun with it and remember that it’s a scary topic for some folks, so they may need a little reassurance before they start to play well with others. Be patient and the reward can be great.
If you put some effort into the things I have listed above, you can significantly improve your security posture with very little cost. When looking for ways to solve problems, try to separate yourself from the marketing hype and focus on the task at hand. See if there is another way to accomplish your goal and keep your mind open to all options, not just the shiny ones.
Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.