DarkReading recently published an interesting article entitled “BT Study: Most Enterprises Expect to Get Hacked This Year.” I’d say that that’s a safe assumption, since in the case of most large organizations, their electronic footprint is everywhere. When you pair that with unmanaged parts of an organization setting up servers and machines, accounting for all resources is practically impossible.
Interestingly enough, however, many of the organizations quoted in the BT study expect that they are less likely to get hacked if they pen test. But unless you have unlimited resources and endless stretches of time, that conclusion is very wrong.
In reality, the amount of resources that most organizations have to dedicate to pen testing is limited. According to the DarkReading article, this happens for a variety of reasons: everything from upper management not understanding the importance of pen testing to organizations worrying that “the results of a pen test ‘could be embarrassing’” causes vulnerable systems to go untested. But no matter what the reason, the bottom line is that this issue is only going to become more prominent as the role of technology in organizations continues to expand.
So, if there’s no avoiding the fact that we should expect to get hacked even if we pen test, what should we do? Easy: Find out what we can do to minimize the impact of compromises and continue to make sure we have a strong foundation to work on.
This idea goes back to one of the ongoing themes we have here on the site, which is getting back to basics and doing them well. Start out by identifying what you are trying to protect and work your way out—take a defense in-depth approach. Most organizations are looking to protect data, so that’s where we’ll start.
First, we need to determine the sensitivity of the data we are trying to protect. What would happen if a hacker, competitor, or nation-state was able to get to that information? Would lives be at stake? Would the loss of a competitive advantage result in losing a contract? How much would it cost to clean up after your customers’ credit card details were sold on the web?
Based on this data value analysis, say you come up with three sets of data: A, B, and C, with A being your crown jewels. Maybe it would make sense to store the A set in a segmented area of the network where you need to log into a special terminal for access. Perhaps the B set could exist on your organization’s intranet protected by traditional OS and network access controls. The C set may not be too sensitive, so maybe it’s available in public areas on your intranet.
In this instance, an attacker may be able to get through your first line of defense and into your intranet. Any information stolen there wouldn’t be too sensitive, so the effect of compromised data would be minimized. Maybe the hacker is very skilled and is able to brute-force someone’s password over a period of several weeks. They’ve broken through your second layer of defense and now have access to the B set of data. Although this data is more sensitive, the skills and time commitment required to gain access to this information may minimize the compromise if the data is time sensitive. Finally, you have the A data set. In this case, the attacker would not only have had to access the intranet and compromise someone’s account, but would also have had to physically gain access to a secured terminal. The hope is that at this point, the attacker will give up and focus on a less secured target.
You can make this scenario a lot more complex, but this example illustrates the basic concept of assuming you are going to get hacked and using defense in-depth to segment your network and employ protections relative to the value of the compartmentalized data.
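To make the tiering concrete, here is a small model of the A/B/C scheme as an added example (it is not code from the original post, and the control names, the classification thresholds, and the sample inventory are constructed assumptions for illustration). It encodes which independent controls guard each data class, classifies records from the data-value questions above, and then replays the three stages of the scenario to show which classes an attacker at each stage could actually reach. The useful property it demonstrates is that a class is exposed only when every control in front of it has been defeated, so partial progress (for example reaching the segmented network without the special terminal) still leaves the crown jewels unexposed.

```python
"""Toy model of the tiered, defense-in-depth data layout described above.

Constructed example: the controls, thresholds and sample records are
assumptions for illustration, not a description of any real network.
"""
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    """Independent layers an attacker must defeat, outermost first."""
    PERIMETER = "perimeter"   # firewall / VPN boundary into the intranet
    ACCOUNT = "account"       # a valid user account (OS / network ACLs)
    SEGMENT = "segment"       # the segmented network area for the A set
    TERMINAL = "terminal"     # physical access to the special terminal


# Controls guarding each data class. C sits in public intranet areas,
# B behind traditional OS/network access controls, A in the segmented
# area that additionally requires the special terminal.
TIER_CONTROLS = {
    "C": {Control.PERIMETER},
    "B": {Control.PERIMETER, Control.ACCOUNT},
    "A": {Control.PERIMETER, Control.ACCOUNT, Control.SEGMENT, Control.TERMINAL},
}


@dataclass
class Impact:
    """Answers to the data-value questions from the post."""
    lives_at_stake: bool = False
    contract_at_risk: bool = False
    cleanup_cost_usd: int = 0


def classify(impact: Impact) -> str:
    """Assign a data class from the impact assessment.

    Thresholds are assumptions: anything that could cost lives or a
    contract is A; a cleanup bill above $100k is B; everything else is C.
    """
    if impact.lives_at_stake or impact.contract_at_risk:
        return "A"
    if impact.cleanup_cost_usd > 100_000:
        return "B"
    return "C"


def tiers_nest() -> bool:
    """Sanity check: each more sensitive tier keeps all controls of the tier below."""
    return TIER_CONTROLS["C"] <= TIER_CONTROLS["B"] <= TIER_CONTROLS["A"]


def exposed_classes(breached: set) -> list:
    """Data classes reachable once *every* guarding control has been defeated."""
    return sorted(cls for cls, ctrls in TIER_CONTROLS.items() if ctrls <= breached)


def blast_radius(inventory: dict, breached: set) -> dict:
    """Map each exposed class to the records an attacker at this stage could read."""
    return {cls: sorted(name for name, c in inventory.items() if c == cls)
            for cls in exposed_classes(breached)}


# Constructed sample inventory, classified with the thresholds above.
INVENTORY = {
    "cafeteria_menu": classify(Impact()),
    "customer_cards": classify(Impact(cleanup_cost_usd=2_000_000)),
    "bid_pricing": classify(Impact(contract_at_risk=True)),
    "patient_records": classify(Impact(lives_at_stake=True)),
}


def walkthrough() -> dict:
    """Replay the three stages of the scenario and report exposure at each."""
    stages = [
        ("inside the intranet", {Control.PERIMETER}),
        ("account compromised", {Control.PERIMETER, Control.ACCOUNT}),
        ("segment reached, no terminal",
         {Control.PERIMETER, Control.ACCOUNT, Control.SEGMENT}),
    ]
    return {label: blast_radius(INVENTORY, breached) for label, breached in stages}


if __name__ == "__main__":
    assert tiers_nest()
    for label, exposed in walkthrough().items():
        print(f"{label}: {exposed}")
```

Running the walkthrough prints the exposed records for each stage; the crown-jewel records (`bid_pricing`, `patient_records`) never appear because the `TERMINAL` control is still intact, which is exactly the outcome the segmented-terminal design aims for. The `tiers_nest` check is worth keeping in any real version of this: if a more sensitive tier ever ends up guarded by fewer controls than a less sensitive one, the layering has silently broken.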
Besides disconnecting your organization’s network from the Internet completely, this is the best that I could come up with. What are your thoughts on how we can minimize the effects of getting hacked? Comment below or send me a tweet @grecs.
One of the best ways to get back to basics is to have a good foundation. We’ve put together a list of useful books that will help you get on track and do the basics well.