NEW FROM CSX
Defending Against Modern Hackers
By Ted Harrington
The Nexus | 3 August 2015
In the current digital era, corporate executives face a daunting challenge in defending against newer, more advanced adversaries. These modern adversaries are much more sophisticated and their attack methods are ever-evolving. Traditional defenses alone are no longer effective. However, enterprises should not lose hope, as there are techniques that all companies can adopt to deploy a more effective defensive posture. Here are just a few of the security methodologies proven to be effective against evolved attackers:
- Secure assets, not just perimeters. Traditional security methodologies have been based on the assumption that the adversary is coming from the outside, and, thus, defenses have focused on hardening the perimeter. Though worthwhile, this is no longer a wholly effective strategy in the context of modern attacks, because current attacks deployed by sophisticated adversaries are launched from within trusted boundaries. In today’s highly interconnected environments, third-party solutions are so widely integrated that the distinction between internal and external has become quite blurred. Modern adversaries often compromise systems through stepping-stone attacks, whereby they attack a victim’s trusted vendor in order to compromise the victim. By leveraging the vendor’s trusted access, the adversaries are able to circumvent the perimeter defenses of the ultimate victim. A method to account for these modern attacks is to build layers of defense-in-depth, a paradigm based on the assumption that the adversary is already inside. Start by identifying your most valuable assets, and then build layers of defense emanating outward from there.
- Build security in, not bolt it on. If we can agree that it is important to secure valuable assets, it raises the question: What is the most effective way to do so? The most reliable way to build systems that consistently protect assets is to build security into each stage of the process. As a system or infrastructure is being built, new features and functionality are added, which inevitably introduce new attack surfaces. When security is built in, these attack surfaces go through security evaluation at each of the various stages of development, and as such, the risk is significantly and consistently reduced throughout the entire development process. By contrast, organizations that only consider security at the end of the development process are unable to effectively mitigate risk at the moment when new attack surfaces are introduced.
- White-box security assessments, not black-box penetration tests. Once we accept the importance of protecting valuable assets and adopt the most effective approach to building robust systems, how does an organization know it has succeeded? Validation is most effectively done through third-party security assessment. The most suitable approach for most industries is white-box security assessment. Yet confusion about the different security approaches has led many executives to request the notably less effective approach of black-box penetration testing. Unlike a penetration test, a security assessment seeks to identify all ways in which asset compromise might be possible. It considers assets, threats, workflow, whole-system configuration, internal defenses, and future developments of the infrastructure or application. The results of a white-box methodology are of very high value in calculating risk, because the assessor can determine with a high level of confidence that most or all of the vulnerabilities present in the target technology have been identified. By contrast, black-box penetration tests provide only a binary outcome—breached or not breached in the time allotted—with neither mitigation strategies nor a full understanding of the risk posed by breach methods that were not attempted.
Ted Harrington drives thought-leadership initiatives for Independent Security Evaluators, the elite organization of security researchers and consultants widely known for being the first company to hack the iPhone. Harrington holds several special security appointments, including at the University of Southern California (Los Angeles, USA). He was recently named to 40 Under 40, where he was not only one of the youngest inductees in the class, but also the only honoree from the field of information security.
© 2015 Ted Harrington