Government // Cybersecurity
News
1/18/2013
12:25 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

4 Steps For Proactive Cybersecurity

Tired of having malware punch you in the face? The time's not right to hit back, but here are moves to make now.

InformationWeek Green - Jan. 21, 2013 InformationWeek Green
Download the entire Jan. 21, 2013, issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Storage Innovation

In our dive into the theory behind offensive cybersecurity, Gadi Evron summarized the legal and ethical problems of fighting back against an attacker. There are also some purely tactical problems: How do you know you're not blasting some grandmother in Akron whose PC is a zombie? Are you prepared to come under the glare of organized criminals?

I share Evron's outlook that for most, if not all, nongovernmental entities it's too soon to go down the path of all-out, offensive security counterattacks. Many other security professionals agree, and you can get a good summary of the academic and government research on cyber espionage, cyber deterrence and cyber offense by reading a recent post by Dave Dittrich, a member of the HoneyNet Project: "No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It)."

But you can do a lot more than read and hope. Here are some ways to take action now that will at least let your team start taking a more offensive security mindset.

Step 1: Do active risk analysis to know what attackers may strike at, and how.

Intelligence gathering is an arduous task for even well-funded government agencies, so it is highly unlikely that your company can achieve the level of detail required for true cyber intelligence about attackers. Further complicating intelligence gathering is that private-sector chief information security officers don't share details of successful breaches, even though such collaboration would be critical to understanding and linking methods and attackers. But that's another article.

For now, focus your effort on the intelligence gathering you do control: knowledge of your own systems, networks and business.

Our full report on offensive cybersecurity free with registration.

This report includes 21 pages of action-oriented analysis. What you’ll find:
  • Strategic Security Survey data on the top reasons for increased vulnerability
  • Top breach/espionage threats: cybercriminals tied for No. 1
Get This And All Our Reports

Conventional cyber defense involves security engineers trying to figure out what attackers can do, how they might break in and what system holes could be exploited. But this is where IT could learn from traditional engineering disciplines, which take a more proactive approach. For example, mechanical engineers are taught to approach problems using failure analysis. This technique involves identifying the conditions where a failure can occur instead of trying to figure out what failures can occur. Think of an explosion caused by an oily rag. Without oxygen, oil, the rag and fire that ignites everything, an explosion won't happen. Yet most security engineers trying to keep their networks from being blown wide open look for flames via log data (the attack) rather than finding the oxygen, oily rags and sparks -- what must be present for an explosion.

Your intelligence gathering needs to focus on identifying hazardous conditions. You will then learn each condition also has a subset of conditions, and this chain continues until you have an addressable condition. For example, instead of trying to detect or prevent a zero-day exploit from installing malware on a machine, ensure that the conditions for a breach are not present. Eliminate easily guessed passwords, weak permissions on files and folders, and administrative permissions, all which are under your control, instead of trying to figure out where and how any given piece of malware, which you don't control, might strike.

This approach requires that your security team know how attackers accomplish their mischief once inside, and that means spending time learning how exploits, penetration testing and underlying applications work. This isn't easy, but it's why mechanical engineers spend years being trained about potential conditions.

While there are several failure-analysis methods, including Alex Hutton's Risk Fish, discussed recently in Dark Reading, here's how we recommend you go about it:

To read the rest of the article,
Download the Jan. 21, 2013 issue of InformationWeek

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Strategist
1/25/2013 | 10:35:56 PM
re: 4 Steps For Proactive Cybersecurity
Mr. Dittrich's blog post was extensive and thought provoking. While reading through it though, he repeatedly referenced the one critical aspect of past work and discussion on the issue which seemed to in its own way support Mr. Bardin's (CSO Online) proposal of "active defense." That is that the CISO world has been in discussion since the mid 1990s with no definitive agreement or recommended course of mitigation. Any person or company so immobilized by lack of decision as to do nothing over the course of 15 years will likely fall victim or fail. Absolute minimums then is to do the analysis, assess the risks, and don't forget to take action on the results.
dharani
50%
50%
dharani,
User Rank: Apprentice
1/23/2013 | 10:37:05 AM
re: 4 Steps For Proactive Cybersecurity
Cyber security is important in any organizations to prevent the risks of ID theft and wire fraud. Just came across an informative whitepaper on the very same topic Gǥ Wire fraud and Identity theft : Risks and prevention for Banks and consumersGǥ, readers will find it very helpful @ bit.ly/S639ew
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
1/23/2013 | 3:57:44 AM
re: 4 Steps For Proactive Cybersecurity
Very simply put - if your attacker knows more about your environment than you do, the odds are very good that you're going to be breached.

Most attackers are lazy and will go for whatever low hanging fruit is available - but once they start on the tree (i.e. your infrastructure), they'll try to pick it clean and work their way to the top.

Andrew Hornback
InformationWeek Contributor
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.