The threat landscape is constantly evolving. It is increasingly important for organizations to invest in security to mitigate both internal and external malicious actors. New threat vectors are emerging, including:
- Internet of Things (IoT) devices with weak security
- Bring Your Own Device (BYOD)
- Remote workforce
However, the preferred attack vector according to Verizon’s 2017 Data Breach Investigation Report is still stolen credentials. Basic steps to mitigate this risk include:
- User training
- Security policies
- Strong passwords
- Frequent password change
- Minimal permissions
- Multi-Factor Authentication (MFA)
- Mobile Device Management (MDM)
Kaspersky Global IT Risk Report 2016 lists the top causes for data breaches as:
- Viruses, malware and trojans
- Lack of diligence and untrained employees
- Phishing and social engineering
- Targeted attack
- Crypto and ransomware
Defense in Depth
The most vulnerable component of our defense strategy is the people who own and operate it. All the available research shows that most attacks succeed because a user’s identity has been compromised. These stolen credentials are then used to create weaknesses that can be exploited to damage the organization.
The first and most important layer of our defense strategy must therefore be practical security policies that are easily understood by our users. Each user should be fully trained on security practices and be given regular refresher training as threats, tools and processes evolve. This is especially important for high-value users like administrators, developers and systems operators.
Building from the bottom up, our defense in depth strategy needs to protect our infrastructure. Depending upon the specific technology choice there is a range of tools and best practices that will enable us to secure, monitor, alert and respond to security incidents. The key takeaway from this section is that we need to compartmentalise our network infrastructure to prevent lateral movement from the periphery of our network towards our critical Data at Rest servers.
Software that we create to run in the Data Presentation, Data in Motion and Data in Action zones needs to provide two different kinds of protection:
- Software vulnerabilities need to be eliminated by training developers and running static analysis tools to detect the common threat vectors, including:
  - SQL Injection
  - Buffer Overflow
  - Cross Site Scripting
  - Structured Exception Handler Overwrites
- Transport vulnerabilities need to be eliminated by:
  - Validating the identities of the users or applications involved in each transaction.
  - Enforcing compartmentalisation of each service so that all data flows across an intrusion detection device.
  - Ensuring that all data is encrypted as it crosses a security boundary.
  - Ensuring that data has not been modified during transport.
Data at Rest
As described above, the primary targets for a targeted attack will include:
- Directory Servers
- Email Servers
- File Shares
- Database Servers
Whilst Data as a Service generally doesn’t have much to add to Directory and Email Servers, there is a lot we can do with File and Database Servers.
Firstly, encrypt the media that the data resides on. This is especially important for physical media stored on-premises. When media is being disposed of, ensure that it is first erased and then physically destroyed to prevent dumpster diving attacks. Even when storing information in the cloud, utilise the available storage-level encryption mechanisms.
Next, encrypt the content of the data itself in a way that is transparent to the user accessing it – make it easy for the user to implement the security policy! For data files, use Information Protection tools that lock data based on security levels and restrict access. These tools can be extended across mobile endpoints to prevent data leaking from emails.
- Enforce row level security checks on users accessing the data.
- Implement row-level version control to identify and recover from data manipulation attacks.
- Implement auditing and machine learning to identify threats and abnormal activity.
- Use vendor analytic tools for threat analysis and alerting.
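The row-level security, row-level version history and auditing controls listed above, expressed as PostgreSQL (11 or later) DDL. This is an added example, not code from the original page; the table, column, role and trigger names are assumptions.

```sql
-- Each record carries the database role allowed to see it (assumed schema).
CREATE TABLE customer_record (
    id         bigserial PRIMARY KEY,
    owner_role text NOT NULL DEFAULT current_user,
    payload    jsonb NOT NULL
);

-- Row-level security: a role only reads or changes rows it owns. The
-- application connects as (or SET ROLEs to) the authenticated user's role.
ALTER TABLE customer_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_record FORCE ROW LEVEL SECURITY;  -- bind the table owner too
CREATE POLICY owner_only ON customer_record
    USING (owner_role = current_user)        -- rows visible to SELECT/UPDATE/DELETE
    WITH CHECK (owner_role = current_user);  -- rows a role may INSERT or UPDATE into

-- Row-level version history: every prior version is kept with who changed it.
CREATE TABLE customer_record_history (
    version_id bigserial PRIMARY KEY,
    record_id  bigint NOT NULL,
    payload    jsonb NOT NULL,
    changed_by text NOT NULL,
    changed_at timestamptz NOT NULL,
    operation  text NOT NULL CHECK (operation IN ('UPDATE', 'DELETE'))
);
REVOKE UPDATE, DELETE ON customer_record_history FROM PUBLIC;  -- append-only

CREATE OR REPLACE FUNCTION record_version() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO customer_record_history (record_id, payload, changed_by, changed_at, operation)
    VALUES (OLD.id, OLD.payload, session_user, now(), TG_OP);
    IF TG_OP = 'DELETE' THEN RETURN OLD; END IF;
    RETURN NEW;
END $$;

CREATE TRIGGER customer_record_version
    BEFORE UPDATE OR DELETE ON customer_record
    FOR EACH ROW EXECUTE FUNCTION record_version();

-- Auditing: flag roles that changed an unusual number of rows in the last hour.
SELECT changed_by, count(*) AS changes
FROM customer_record_history
WHERE changed_at > now() - interval '1 hour'
GROUP BY changed_by HAVING count(*) > 100;

-- Recovery: restore row 42 to the version that preceded its latest update
-- (run by a DBA role with BYPASSRLS, since the policy above still applies).
UPDATE customer_record c
SET payload = h.payload
FROM (SELECT payload FROM customer_record_history
      WHERE record_id = 42 AND operation = 'UPDATE'
      ORDER BY changed_at DESC LIMIT 1) AS h
WHERE c.id = 42;
```

The history table also records which session made each change, so the auditing query answers "who" and "when" before any recovery is attempted.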