Our Regcast Security: Knowing what you don’t know – and what you can do about it (on demand version here) brought together Raimund Genes, CTO of Trend Micro, and Freeform Dynamics’ Tony Lock, chief security nagging officer of the analyst community. They gave us a fascinating insight into how the security landscape has changed and how your behaviour – and your users’ – might have to change with it.
The slides we use, which feature a lot of best practice and the results of recent Freeform Dynamics research, are available in a Powerpoint document here.
Lock drew a comparison between friendly fire (attacks from within) and enemy fire.
“When we talk about enemy fire, it’s not just one guy,” Genes added. Script kiddies are now joined by hacktivists, professional criminals and even national governments, he said.
Are things getting better or worse, a reader asked Lock. “According to the chart, the answer is almost uniformly that they are going to get worse,” he replied.
So it is not surprising that there were a lot of questions, too many to answer.
There is too much information in our hour-long Regcast to summarise here so do watch the Regcast. But we brought Lock and Genes together again to talk about some of the questions we didn’t have time, or were too specific, to answer in the video.
Q: Would you say there is a tendency to place more trust in technology than in procedure?
Lock: Good security must combine technology, procedures, policy and people, especially education. Many organisations put their trust in technology because it is a simple thing to sign off and audit. It is not enough.
Genes: Agreed. By implementing technology you can tick checkboxes, regardless of how good or bad the implementation is. When I talk with customers it is sometimes shocking to realise that they invest in the technology but don’t have processes in place to deal with a data breach.
Q: Users are one of biggest vulnerabilities within organisations. What is the best way to get users to buy into, and listen to, security awareness programmes and presentations?
Lock: Educating users, in all aspects of security, is one of the most effective things an organisation can do to improve its security posture.
Education needs to be ongoing and must include time spent on why security solutions are used, why some things are not permitted, and what the consequences of not following set procedures and solutions could be for the organisation and the individual.
It is important users understand why things are the way they are, especially anything that they think limits their freedom.
Q: Some virus programs claim to offer “holistic” scanning. What do they mean by that? Is it better than normal scanning?
Genes: Holistic scanning is a marketing buzzword used by some vendors. But actually every serious security player does this.
We know that just looking for a binary match does not help against variants, repacked malware, so you look at different angles.
In the Regcast I used the example that you could look for the initial handshake of Poison Ivy, that you could spot communication with a known Command and Control Server.
So security is not just about looking at files anymore, but looking for multiple events and different protocols, and then connecting the dots.
In the past companies had a strategy of buying security solutions from different vendors. But if you want to connect the dots, we think it is better to rely on one vendor, as the products talk to each other and spot the needle in the haystack faster, while reducing false positives.
Q: We hear a lot about endpoint security, which is really aimed at network measures. But surely the best protection is to encrypt data and control the keys and who has access?
Lock: I believe the use of encryption will grow, and eventually will become ubiquitous. In the past it was complex and placed too much overhead on systems, especially when a user wanted to open a document.
The overhead problem is going away but getting encryption in place across all systems is still complex, especially as managing keys over long periods of time – potentially decades, if not centuries – is a major effort.
It requires exceptionally robust solutions and operational procedures. Lose a key and that data is essentially gone.
Genes: Agreed. But as encryption should be easy and transparent to end-users, you need security solutions that shield your key management servers, the back-end infrastructure. That’s where the attackers are focusing now.
Q: Isn’t allowing customers to generate their own signatures, that they don’t share with the community at large, simply going to allow attackers to re-use the same tools against another target? It sounds very similar to the argument for not publishing security vulnerabilities.
Genes: Yes, it does. I would love to get all the used samples and attack vectors so that we could protect our customers better. But we need to respect our customers, and unwillingness to share normally comes from the bigger organisations and government.
But it’s not all bad. If the tool is used several times, we will probably get it from other sources. If it is highly targeted, it is likely to affect only one company, and for this they need the ability to generate custom signatures.
Q: Most attacks rely on finding poor allocation of memory, which allows the attacker to overwrite adjacent memory allocation. Why have we not learned how to exercise better memory allocation to prevent this type of attack?
I use WinPatrol, which immediately informs me when any unknown or unusual activity occurs on my system. It also warns me immediately if my computer is attempting to send out data that is not authorised.
Genes: You are an expert and you can manage the log files and alerts. Unfortunately a lot of people can’t.
Think about a small company without IT experts, where someone visits once a month to ensure that the systems are up and running. Or think about a widely published case like the Target incident, where POS infections have been reported by the security solution but the warnings have been ignored by the staff.
Lock: Better use of monitoring tools is a good way to improve security but the monitoring tools must be effective and not generate too many false alarms. They must also be easy to use and not require too much time from IT professionals.
Genes: For poor allocation of memory, or buffer overflows, there are ways to prevent or spot this stuff while coding – like canary values. But few people use them because it adds to their workload.
Q: Do the new security enhancements to Java 8 successfully address the known security issues uncovered in Java?
Genes: Java 7 and Java 8 are addressing a lot of issues that we saw in Java 6. So I highly recommend you upgrade to version 7 or higher. Time will tell if new security issues have been introduced, though.
Q: Do you see a push for a “full forensics” approach to security analysis? We wouldn’t switch off CCTV every five minutes to save HDD space. Why are the current gaps in many systems accepted and should this be a concern?
Lock: All gaps should be a concern. Many business managers do not understand many aspects of security and often see it as a type of insurance. They do the minimum they think they can get away with, or do not think their organisation is really under any threat.
Genes: Yes, we need to support a rethinking process. Your logs are valuable, and data collection about normal and abnormal network traffic behaviour is key.
Business owners need to accept that their neck is on the line if something is happening. They need at least to ensure that processes are in place to call for help and know who to call.
Everybody has emergency procedures posted about what to do in case of a fire. How many have done the same for cyber attacks? Unfortunately, not many. ®