Hewlett-Packard's Cyber Security Report 2013, released this week, includes an analysis of the large-scale attacks on computers in South Korea, which crippled banks and television networks through a remote access Trojan. Some sources said the hard disks of around 48,000 computers were wiped. Here are six lessons the report says can be learned.
Don’t rely solely on traditional perimeter security
It's not enough on its own. One of the defining characteristics of targeted threats is their ability to compromise a network and then keep a low profile, so perimeter controls can miss them entirely. In the South Korean attacks, authentication and session details harvested from SSH clients were used to gain remote access to servers, so consider key-based (PKI) authentication rather than passwords for critical servers. A private key stored unencrypted on an administrator's workstation can be stolen just as a saved password can, so protect keys with a passphrase or keep them on a hardware token.
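The report's recommendation is a configuration change on the server side: refuse password logins and accept keys only. The following audit script is an added example, not code from the report or from HP; it parses an OpenSSH `sshd_config` the way sshd does (the first value for a keyword wins, later duplicates are ignored, and `Match` blocks are conditional rather than global) and reports settings that still allow a stolen password to work. Both config fragments are constructed for the example.

```python
import re

# Documented sshd_config(5) defaults for the options that matter here.
# Assumption: OpenSSH 9.x defaults; older releases differ for PermitRootLogin.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # PAM can still prompt for a password
    "permitrootlogin": "prohibit-password",
}

# ChallengeResponseAuthentication is the deprecated spelling of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed example: a stock-looking sshd_config on a critical server.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed example: key-only authentication for the same server. The trailing
# duplicate is deliberate: sshd keeps the FIRST value, so it does not reopen
# password logins, and an audit that took the last value would get this wrong.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return the effective global options as {lowercase keyword: value}."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                 # everything after is conditional
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)          # first obtained value wins
    return effective


def audit_sshd_config(text):
    """List the ways this configuration still lets a password open a session."""
    opts = parse_sshd_config(text)

    def get(key):
        return opts.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is enabled: a stolen or guessed password grants access")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is enabled: PAM can still prompt for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login is impossible")
    if get("permitrootlogin") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run it against `/etc/ssh/sshd_config` on a server that matters and expect an empty list; anything else means a harvested password is still enough to log in. The `Match User backup` block in the hardened sample is left in deliberately: it is out of scope for the global audit, which is why the function stops there, and it is exactly the kind of exception worth reviewing by hand.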
Not all information and network assets are equal
By getting hold of the credentials for an enterprise patch management server, the attackers were able to use it to push the malware to many computers at once. Systems that provide centralized management functions and play a central role in establishing trust within a network are highly prized targets, because compromising one can render other security controls useless. Prioritize resources to identify and protect these critical assets first.
People are part of your organization’s perimeter
So educate them to recognize spear phishing, drive-by downloads and watering hole attacks. Make sure they treat requests for certain information (such as passwords) with suspicion, know the kinds of behavior that might indicate a compromise, and know how to report suspicious messages or activity.
Make security and response a continuous process
Continuous monitoring and collection of event data lets you establish what normal looks like on your network and what doesn't. That raises the odds of detecting advanced threats that have breached the perimeter before they take hold and do more damage. Useful tools include data visualization and SIEM.
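"Knowing what's normal" is concrete enough to show in code. This is an added example, not from the report: it learns a baseline of successful SSH logins per host and account (source addresses, authentication methods, hours of day) from a learning window and then flags later events that break that pattern, for instance an administrative account on a patch server suddenly authenticating with a password from an address it has never used, which is the shape of the patch-server abuse described above. The log lines are constructed in OpenSSH `auth.log` format; hostnames and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed learning-window log (the "known normal" period).
BASELINE_LOG = """\
Mar 04 09:12:01 patchsrv sshd[2201]: Accepted publickey for patchadmin from 10.0.5.12 port 51022 ssh2
Mar 05 10:40:17 patchsrv sshd[2388]: Accepted publickey for patchadmin from 10.0.5.12 port 51133 ssh2
Mar 06 14:03:55 patchsrv sshd[2490]: Accepted publickey for patchadmin from 10.0.5.14 port 51290 ssh2
Mar 07 11:21:09 patchsrv sshd[2601]: Accepted publickey for patchadmin from 10.0.5.12 port 51404 ssh2
Mar 07 16:45:30 db01 sshd[7710]: Accepted publickey for dba from 10.0.5.20 port 40112 ssh2
"""

# Constructed later events to evaluate against the baseline.
NEW_LOG = """\
Mar 20 10:02:11 patchsrv sshd[3102]: Accepted publickey for patchadmin from 10.0.5.12 port 52010 ssh2
Mar 20 02:17:43 patchsrv sshd[3150]: Accepted password for patchadmin from 172.16.9.77 port 60231 ssh2
Mar 20 02:19:08 patchsrv sshd[3151]: Failed password for root from 172.16.9.77 port 60240 ssh2
Mar 20 16:30:00 db01 sshd[8001]: Accepted publickey for dba from 10.0.5.20 port 40500 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d\d):\d\d:\d\d\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_events(text):
    """Turn sshd auth lines into dicts; lines that are not login results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["hour"])
            events.append(e)
    return events


def build_baseline(events):
    """Per (host, user): the sources, auth methods and hours seen in successful logins."""
    base = defaultdict(lambda: {"src": set(), "method": set(), "hours": set()})
    for e in events:
        if e["result"] != "Accepted":
            continue
        b = base[(e["host"], e["user"])]
        b["src"].add(e["src"])
        b["method"].add(e["method"])
        b["hours"].add(e["hour"])
    return base


def detect(baseline, events):
    """Return (host, user, src, reasons) for every event that deviates from the baseline."""
    alerts = []
    for e in events:
        reasons = []
        if e["result"] == "Failed":
            # Failed logins only matter here when they come from an address that
            # has never successfully logged in to this host at all.
            known = {s for (h, _), b in baseline.items() if h == e["host"] for s in b["src"]}
            if e["src"] not in known:
                reasons.append(f"failed login from unknown source {e['src']}")
        else:
            b = baseline.get((e["host"], e["user"]))
            if b is None:
                reasons.append("account has no successful-login history on this host")
            else:
                if e["src"] not in b["src"]:
                    reasons.append(f"new source {e['src']}")
                if e["method"] not in b["method"]:
                    reasons.append(f"unusual auth method {e['method']}")
                lo, hi = min(b["hours"]), max(b["hours"])
                if not lo <= e["hour"] <= hi:
                    reasons.append(f"outside usual hours ({lo:02d}-{hi:02d}) at {e['hour']:02d}:00")
        if reasons:
            alerts.append((e["host"], e["user"], e["src"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for host, user, src, reasons in detect(baseline, parse_events(NEW_LOG)):
        print(f"ALERT {host} {user} from {src}: " + "; ".join(reasons))
```

The baseline deliberately keys on the host as well as the account, because the same administrator legitimately touching a database server does not make it normal for that account to appear on the patch server from a new address. In a SIEM the equivalent is a lookup table of known (host, user, source) tuples refreshed from the last few weeks of accepted logins, with alerts on the first miss; the hour range is a crude stand-in for the time-of-day profiling most platforms offer.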
Expect to be compromised
So not only take daily backups of critical data, but practice restoring from them. Have an emergency communications plan for when the network fails. Isolate critical systems so they can be brought up independently of everything else. And ensure that sensitive data is encrypted.
Share what you learn
Enterprises should share their experiences of compromise with the wider security community and with other organizations. Attackers often run campaigns that target multiple organizations at once, so sharing information on current attacks and methods makes everyone less vulnerable and the attackers less likely to succeed. We are stronger together, the report argues.