Skip to main content

Cyber Security Part III - Enterprise Protection

This is the third part of the cyber security series (Part I, Part II), with this week focusing on enterprise protection.  Any device connected to the internet is open to attack from either highly complex botnets right through to an individual port scanning for on line ftp or database servers.  Corporate networks are no stranger to being specifically targeted, or infected with malware that is delivered via the public network.

Attack Vectors and Entry Points

Firewall & Network Perimeter - Historically, enterprise security was often viewed with an 'us and them' mentality.  Everything on the internal LAN was safe, anything past the DMZ and on the internet was potentially bad.  The main attack vector in, was through the corporate firewall and any other perimeter network entry points.  The firewall was seen as the ultimate protection mechanism and as long as desktops had anti-virus software installed, that was as much as many organisations needed to do.

USB - Desktop PC's where the end goal and they were attacked either through HTTP payloads from websites of dubious origin, or malware was often distributed via email, in attachments such as Excel spread sheets or files containing macro's.  The profileration of USB devices also assisted in the distribution of malware, as large files were often easier to copy offline.

BYOD - Whilst those issues still exist in many organisations, cyber threats have evolved significantly.  Smartphones are omnipresent in the enterprise, whether via Bring Your Own Devices (BYOD) or via internally managed hardware.  This brings another dimension.  Not only is malware common across a variety of smartphone operating systems, but the smartphones alter the perimeter of the 'safe' internal network.  Smartphones will have separate data network access, either via 3G/4G or wifi, for access on unsecured networks (or at least unmanaged from the corporations perspective).  Add to that fact that they can also be used as network 'hotspots', bringing a smartphone to work, could easily be creating a un-firewalled, un-managed router on every desktop.

Social Media & Social Engineering - The onset of social media has also brought different angles.  Not only are the numerous social media sites used for malware distribution and botnet control, they also give an attacker a new level of information when it comes to spear phishing or targetted attacks.  Publicly held information about senior individuals within an organisation, makes social engineering attacks more sophisticated and more likely to succeed.

Basic Defence in Depth

Cyber protection (like any information security protection) is best applied when done in depth.  Having one secure layer of protection, no matter how complex, will be breached at some time in the future.  When it is, it's imperative to have several obfuscated layers underneath.

Network Security - The network perimeter needs protecting.  No doubt about that.  Next-generation firewalls provide high and low level OSI stack scanning.  Gone are the days of simple port blocking rules.  Intrusion detection systems are also a default for many larger organisations.  The recent concept of advanced evasion techniques, brings in to question the ability for the current batch of network perimeter devices, to be able to detect complex network delivery configurations, that help to distribute malware payloads.

General network asset management and scanning is also important, not only to help identify smartphone related hotspots and 'leaks' out to the internet, but also for unauthorised devices, especially those configured to use IPv6 on IPv4 only networks.

Access Management - A long time problem for larger organisations, is the constant provisioning and de-provisioning of user accounts.  The use of least privilege is a must as is regular certification (the checking of existing users and their access levels).  Role based access control can also be a major benefit, especially when it comes to the user on-boarding process, however this can be complex to implement.  Device level access should also be well managed.  Root or administrator equivalent access should be restricted, a long with restricted file system access, with device management and configuration changes not permitted.  Unless it's required for the individuals role, policies should be restrictive but not inhibitive.

Patching - The age old issue of patching.  Software of course should be updated to the level recommended by the vendor.  The simple reason, is that from a management perspective, the best support will be received from the vendor or partner, if the most recent patches and service packs are installed.  Zero-day attacks are now common practice, with vulnerabilities being exploited before a patch has been provided.  In this case, there is a counter argument, to say that newer software could well be more 'buggy' and vulnerable to attack, as it had less time in real world implementation environments.  From a simple risk management perspective however, applying patches as soon as possible, can help to get the vendor to accept some of the recovery process, if a breach or issue has occurred.

Anti-virus and URL Scanning - Anti-virus is again an age old issue from a management perspective.  From the initial anti-virus installation and build, to the distribution of new definitions and then the scanning of machines and recording of infections, anti-virus is key, but also a major headache.  You're only as strong as the weakest link and it takes only one machine not to be covered to cause an issue.  Virus protection must now cover a range of devices, from laptops, smart phones and print devices, to routers, firewalls and switches, if they're sophisticated enough to have a basic operating system.

Metrics for coverage rates and infection rates are important, as it not only helps with issue detection, but can also provide return on security investment data too - which will help fund projects and build business cases.

URL scanners are also popular.  This is more about the new concept of reputation based analysis.  By using data from other infected parties, databases can be built that can check a formed URL to see if it has been involved with malicious activity or malware distribution.  The same concept can also be applied to public subnets.

Offense and Response

A key message from any CISO to the management board of an organisation, is that they will be attacked and breached as some point.  There is no such thing as total protection.  The same can be said of risk management.  Risk's of a great scale can never be removed entirely, simply reduced or transferred.

Incident Response - With that said, a strong process and control centre for data breach and cyber attack recovery and incident response is important.  That should include both technical forensic tools and the correct people and processes in place to make them effective.  An incident should be properly assessed, with an understanding of the impacted parties and the scope of the attack.  Once a full understanding of the attack has taken place, some 'stop the bleeding' style actions should be taken to limit the impact and exposure.  This could include tactical short term fixes or changes.  Following this should include a detailed root cause analysis phase, with more strategic remediation steps.

SIEM, Logging and Forensics - For an incident response to take place, that requires the detection of an incident in the first place.  In order to detect an attack requires several interlinked and correlated pieces of security data.  Security Information & Event Monitoring (SIEM) tools should be used to centrally store and manage logs from multiple devices.  Signature based analysis can certainly help with the scanning of known attacks, with behaviour profiling technologies helping with the unknown.  Forensics style analysis for post-incident management is also popular, with secure duplication of logs and files often hashed to confirm a snapshot has taken place.


I think the main overriding aspect for enterprise cyber protection, is that as a large scale organisation, you will be attacked at some point.  That maybe a virus infection, data theft, or a defaced website, but both proactive and reactive measures must be in place to make risk management of the situation effective.  Those measures must also be both technical and personnel related.


Popular posts from this blog

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:

Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?

Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…