editor’s question

www.intelligentciso.com | Issue 10

RICK HOLLAND, CISO, DIGITAL SHADOWS

Businesses need to consider the risks not only from technical vulnerabilities and concerns such as unpatched software, but also from attackers who understand the business processes of a particular target. We have seen from indictments that attackers are using publicly available social networking profiles to build contextually relevant social engineering attacks and are explicitly targeting employees that they know will be handling sensitive or valuable information. One example would be employees who are handling company filings to a regulator.

We have also seen the technical exploitation of systems in order to facilitate fraudulent bank transfers such as the Bangladesh bank attacks that targeted the SWIFT access systems and the FASTCash attacks that targeted retail payment systems. In both cases, the attackers understood how the business processes of the targets functioned, in particular the approval process for transactions, and used technical means to subvert the business processes and thereby make fraudulent bank transfers.

More broadly, Digital Shadows recommends a defence in depth approach. By this we refer to multiple, partially overlapping security controls that mutually reinforce each other in order to provide increased resiliency to network intrusions. These are fundamental and widely used security principles, which are reusable across all different types of attacks and relevant to business process compromise attacks. They are:

1. Only provide access where it has been explicitly granted, otherwise deny. This is a useful principle to apply to firewalling and other techniques for managing traffic flow such as IP whitelisting.

2. Principle of least privilege. Restrict workstation-to-workstation communication to only that which is necessary and segment networks so that the compromise of one endpoint does not automatically give access to the entire network. The principle of least privilege should also be implemented for file, directory and network share permissions.

3. Attack surface reduction. Any feature of a piece of software or hardware that is enabled increases your attack surface. By going through the process of discovering which protocols or features are explicitly required for a system to function and disabling all other unnecessary features, a system is hardened against attack. Applying vendor patches in a timely fashion to reduce the number of exploitable vulnerabilities in installed software as part of a continuous vulnerability assessment programme is also important here.

4. Need to know compartmentalisation. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.
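As an added example (not from the article or from Digital Shadows) of principles 1 and 2 applied on a single workstation, the nftables ruleset below defaults to deny on both inbound and outbound traffic and grants only the flows an explicit business need requires; the addresses, interface names and ports are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Host firewall for a workstation on the 10.0.20.0/24 segment (constructed
# example; addresses and port choices are assumptions, not from the article).
# Default-deny on both chains; every accept below is an explicit grant.
flush ruleset

table inet workstation {
    # Hosts explicitly granted inbound management access (IP whitelisting).
    set mgmt_hosts {
        type ipv4_addr
        elements = { 10.0.10.5, 10.0.10.6 }
    }

    # Servers this workstation has a business need to reach.
    set app_servers {
        type ipv4_addr
        elements = { 10.0.30.10, 10.0.30.11 }
    }

    chain input {
        # Policy drop: anything not matched below is denied, including all
        # traffic from other workstations in 10.0.20.0/24.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state invalid drop
        ct state established,related accept
        icmp type echo-request limit rate 5/second accept
        # Remote administration only from the whitelisted management hosts.
        ip saddr @mgmt_hosts tcp dport 22 accept
        # Everything else (SMB, RDP, WinRM from peers, ...) is logged, then dropped.
        log prefix "ws-input-drop: " counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # DNS and NTP to the internal resolver / time source only.
        ip daddr 10.0.10.53 udp dport 53 accept
        ip daddr 10.0.10.53 tcp dport 53 accept
        ip daddr 10.0.10.123 udp dport 123 accept
        # Application traffic only to @app_servers on the ports the business
        # process actually needs (HTTPS and SMB here).
        ip daddr @app_servers tcp dport { 443, 445 } accept
        # No workstation-to-workstation flow is granted, so they are dropped.
        log prefix "ws-output-drop: " counter drop
    }
}
```

Validate the file with `nft -c -f workstation.nft` before loading it; once active, the counters on the two logged drop rules show how much unexpected peer-to-peer traffic the default-deny policy is rejecting.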