ISACA Journal Author Blog


How to Battle Hackers on an Even Plane

Chris Sullivan
Published: 9/14/2015 3:03 PM

In the movie The Untouchables, a hit man pulls a knife to stab Sean Connery's character, and Connery pulls a shotgun on the hit man. The lesson of the scene: do not bring a knife to a gunfight.

A lot of corporate IT security staff must not have seen this movie. They are bringing knives to the data security fight while hackers bring guns, cannons, tanks and jet fighters.

With increasingly clever malware and phishing tactics, hackers are snagging users' login credentials at a frightening pace and gaining access to networks. It can be as easy as exploiting a security hole in a web browser while the user is surfing the web, seizing the credentials and then using them to reach privileged services.

While hackers poke, prod and probe networks every hour of the day looking for weaknesses, most corporate IT staff only review access privileges semiannually, quarterly or, if they are particularly diligent, monthly. The reviews are often perfunctory affairs that do not offer much in the way of detection or prevention.

That is not even bringing a knife to a gunfight; that is like remaining at the scene of the crime until the police arrive. Hackers have little fear of getting caught. The hacker who infiltrated Anthem's customer database was not caught at all; Anthem did not detect the theft until 7 months later.

All of this responsibility does not necessarily have to fall to the corporate IT function. They are doing the best they can with what they have. If IT had to constantly examine and recertify user access with their current access management systems, they would not have time to do anything else. Those systems are typically a patchwork of manual or minimally automated security functions native to individual applications and databases. They do not form an integrated data security framework that lets IT monitor usage of all key resources.

IT does not stand a chance of preventing more Anthem-level data losses until companies automate and analyze. Automating data extraction and cleansing (pulling account lists from each application and matching them against the HR roster) provides a constant stream of user data. Analytical applications then spot orphan accounts and irregular usage as they occur, not 7 or more months later. Arming IT with this kind of access management system means they are not going into the gunfight with a knife. It means they are ending the fight because the other side knows it cannot win.
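To make the "automate and analyze" point concrete, here is a small added example (not code from the article or from any product) that runs the three checks the paragraph describes over constructed sample data: orphan accounts (no owner, or an owner HR no longer lists as active), logins by an account whose owner was already terminated, and logins that break an account's own baseline (a country never seen before for that account, or an off-hours login). The HR roster, account inventory, login events and field names are all assumptions made up for the illustration.

```python
"""Orphan-account and irregular-usage detection over constructed sample data.

Added example. The roster, accounts and login events below are constructed for
illustration; the field names are assumptions, not any real product's schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed HR feed: who is currently employed and when anyone left.
HR_ROSTER = {
    "alice": {"status": "active", "termination": None},
    "bob": {"status": "terminated", "termination": datetime(2015, 6, 30)},
    "carol": {"status": "active", "termination": None},
}

# Constructed account inventory extracted from two applications.
ACCOUNTS = [
    {"app": "erp", "account": "alice", "owner": "alice", "privileged": False},
    {"app": "erp", "account": "bob", "owner": "bob", "privileged": True},
    {"app": "db", "account": "svc_report", "owner": None, "privileged": True},
    {"app": "db", "account": "carol", "owner": "carol", "privileged": False},
]

# Constructed login events: (timestamp, app, account, source_country).
LOGINS = [
    (datetime(2015, 7, 1, 9, 5), "erp", "alice", "US"),
    (datetime(2015, 7, 2, 9, 10), "erp", "alice", "US"),
    (datetime(2015, 7, 15, 3, 40), "erp", "bob", "RO"),   # after bob's termination, 03:40
    (datetime(2015, 7, 15, 11, 0), "db", "carol", "US"),
    (datetime(2015, 7, 16, 11, 5), "db", "carol", "US"),
    (datetime(2015, 7, 16, 2, 0), "db", "carol", "CN"),   # new country for carol, 02:00
]


def find_orphans(accounts, roster):
    """Return (app, account) for accounts with no owner or a non-active owner."""
    orphans = []
    for acct in accounts:
        owner = acct["owner"]
        person = roster.get(owner) if owner else None
        if person is None or person["status"] != "active":
            orphans.append((acct["app"], acct["account"]))
    return orphans


def find_post_termination_logins(logins, accounts, roster):
    """Return (app, account, timestamp) for logins after the owner's termination date."""
    owner_of = {(a["app"], a["account"]): a["owner"] for a in accounts}
    hits = []
    for ts, app, account, _country in logins:
        owner = owner_of.get((app, account))
        person = roster.get(owner) if owner else None
        if person and person["termination"] and ts > person["termination"]:
            hits.append((app, account, ts))
    return hits


def find_irregular_logins(logins, work_hours=(7, 20)):
    """Flag logins from a country not previously seen for that account, or outside work hours.

    The baseline is every earlier login of the same account, so an account's very
    first login is never flagged as a "new country" (there is nothing to compare to).
    """
    seen_countries = defaultdict(set)
    flagged = []
    for ts, app, account, country in sorted(logins):
        key = (app, account)
        reasons = []
        if seen_countries[key] and country not in seen_countries[key]:
            reasons.append("new country %s" % country)
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("off-hours %02d:00" % ts.hour)
        if reasons:
            flagged.append((app, account, ts, reasons))
        seen_countries[key].add(country)
    return flagged


if __name__ == "__main__":
    for app, account in find_orphans(ACCOUNTS, HR_ROSTER):
        print("ORPHAN        %s/%s" % (app, account))
    for app, account, ts in find_post_termination_logins(LOGINS, ACCOUNTS, HR_ROSTER):
        print("POST-TERM     %s/%s at %s" % (app, account, ts))
    for app, account, ts, reasons in find_irregular_logins(LOGINS):
        print("IRREGULAR     %s/%s at %s: %s" % (app, account, ts, "; ".join(reasons)))
```

On the sample data this flags the unowned privileged `svc_report` account and bob's account as orphans, bob's login two weeks after his termination date, and two off-hours logins, one of them carol's first-ever login from a new country. In a real deployment the same logic would run against a continuous feed from each application rather than a quarterly spreadsheet, which is the difference the paragraph is drawing.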

Read Chris Sullivan’s recent ISACA Journal article:
“Accelerating Access Management to the Speed of Hacks,” ISACA Journal, volume 5, 2015.

Comments

How to Battle Hackers on an Even Plane

I think continuous auditing may help to detect hacker activity, even if it is not preventive.
MenSanduco at 9/15/2015 4:36 AM

Educating users of IT

I agree that IT should have the tools required to manage identity and access management, but should the IT function not also play a role in awareness training, thereby minimizing the likelihood of compromised user credentials?
Richard831 at 9/15/2015 7:57 AM

RE: Educating Users

Hi Richard,
I agree that security awareness is one important tool for managing down your overall threat surface, but how many companies even know what that is? Do you measure it? How would you? We (ISACA) are starting some important work in that area now :)
Chris Sullivan at 9/15/2015 12:21 PM

Thinking like a hacker

My mother always told me, "don't start a fight if no one is messing with you!" However, we must always be vigilant against the risks that plague the digital landscape and learn how to think like a hacker to defend against one. Policy with strategy can be a winning combination.
Ralph832 at 9/15/2015 10:35 PM

Tools only work with a security culture

Automated tools work very well in an environment where the overall security awareness is high, because you can buy the tools for IT, but without the education and awareness they are not effective.
JoseLuisGuzman at 9/21/2015 3:51 PM

RE:Tools only work with a security culture

Jose,
Agree that awareness is important, something that you should work at, but it is also hard and fleeting. IMHO, automation is ALSO required because the complexity and change in our current security models is FAR too great for a human mind to handle. Best, Sully
Chris Sullivan at 9/23/2015 10:41 PM

Security Mechanism and Tools not efficient enough

What is the use of deploying security tools such as IDS, IPS, etc. when your IT users are not aware of their role in achieving an effectively secured environment?

I will stick to the suggestions which others have posted as to the awareness of IT users.

IT users' awareness can be audited by staging a social engineering attack exercise. This can only be effective if the users under study are not given prior notice of the exercise.
Abdulbaqi528 at 10/24/2015 5:36 AM