Recent Hacks and "Security Products"

Recently, a colleague of mine asked me:

What's your take on the Sony hack and who would you turn to for security products?

Below are my thoughts and response:

I haven't been following it closely, but there are a few things to take from it. 

I don't think "products" are the answer; specifically, I don't think that you can buy security. Security is a mentality and a process that everyone needs to be involved in. In the Sony hack, while I don't know how they got in, I see a lot of issues with security once they were in. For example, having passwords stored in a file called "passwords" or keeping your secrets in a file called "private", and having file shares / UNC paths without any access restrictions.

These can all be fixed within the tools that provide the access to the people who need it, by restricting access to only those people.

There are tools I would use to audit for these types of issues, but they need to be checked against the actual need. When I was at Valley Oak Systems, I was the IT and Security Manager. I performed a manual audit on all the file servers and all of the shares, then went to the department heads and asked about the file permissions and the contents of the directories (also using the current file owners), then went to those people and asked about the permissions. Then we adjusted the permissions and created security groups to allow access only to those teams that needed it. Finding some of this would have been easier with a tool such as GFI LANguard or the like, but it still requires a lot of manual work.
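The audit described above, scripted: this is an added example and not code from the original post or from Valley Oak Systems. It assumes a domain-joined Windows file server with the SmbShare and ActiveDirectory PowerShell modules; the share name, group name and member names in the usage line at the bottom are placeholders. It lists share permissions and share-root NTFS permissions granted to broad principals (the "no access restrictions" problem), lists files whose names advertise secrets along with their owners (the people to go and ask), and then remediates one share by creating a security group and replacing the broad entries with it.

```powershell
# Added example, not from the original post. Run as a file-server admin with
# domain rights. The remediation function honours -WhatIf; review first, apply later.
Import-Module SmbShare
Import-Module ActiveDirectory

# Principals that mean "anyone who can reach the server" (both display forms used by Windows).
$BroadPrincipals   = @('Everyone', 'BUILTIN\Users', 'Users', 'NT AUTHORITY\Authenticated Users', 'Authenticated Users')
$SecretNamePattern = '(?i)(password|passwd|private|secret|credential)'   # assumed set of tell-tale names

$shares = Get-SmbShare | Where-Object { -not $_.Special }   # skip C$, ADMIN$, IPC$

# 1. Share-level permissions granted to broad principals.
$openShares = foreach ($s in $shares) {
    Get-SmbShareAccess -Name $s.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName } |
        Select-Object @{n='Share';e={$s.Name}}, @{n='Path';e={$s.Path}}, AccountName, AccessRight
}

# 2. NTFS permissions at each share root granted to the same principals
#    (IsInherited tells you whether the problem is really on the parent folder).
$openAcls = foreach ($s in $shares) {
    (Get-Acl -Path $s.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value } |
        Select-Object @{n='Path';e={$s.Path}}, IdentityReference, FileSystemRights, IsInherited
}

# 3. Files whose names say what they hold, with the current owner to go and ask.
$suspectFiles = foreach ($s in $shares) {
    Get-ChildItem -Path $s.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $SecretNamePattern } |
        Select-Object FullName, Length, LastWriteTime, @{n='Owner';e={(Get-Acl -LiteralPath $_.FullName).Owner}}
}

$openShares   | Format-Table -AutoSize
$openAcls     | Format-Table -AutoSize
$suspectFiles | Format-Table -AutoSize

# 4. Remediation for one share, once the department has confirmed who needs it:
#    one security group per share, broad entries removed, the group granted Change/Modify.
function Set-ShareAccessGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ShareName,
        [Parameter(Mandatory)] [string]   $GroupName,
        [string[]] $Members = @()
    )
    $share = Get-SmbShare -Name $ShareName
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security
    }
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $Members }

    # Share level: broad principals off, the group on. NTFS below does the fine-grained part.
    foreach ($p in $BroadPrincipals) {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $p -Force -ErrorAction SilentlyContinue
    }
    Grant-SmbShareAccess -Name $ShareName -AccountName "$env:USERDOMAIN\$GroupName" -AccessRight Change -Force

    # NTFS level, step one: stop inheriting from the parent but keep copies of the inherited
    # entries as explicit ones; otherwise a permissive parent folder re-grants access.
    $acl = Get-Acl -Path $share.Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $share.Path -AclObject $acl
    # Step two: re-read (the explicit copies only exist once persisted), drop the broad
    # entries, and add the group with Modify on the folder, its subfolders and files.
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in @($acl.Access)) {
        if ($BroadPrincipals -contains $ace.IdentityReference.Value) { [void]$acl.RemoveAccessRule($ace) }
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\$GroupName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $share.Path -AclObject $acl
}

# Placeholder share, group and users; -WhatIf prints every change without making it.
Set-ShareAccessGroup -ShareName 'Finance' -GroupName 'FS-Finance-RW' -Members 'jdoe', 'asmith' -WhatIf
```

Because the function declares SupportsShouldProcess, a -WhatIf on the call propagates to every New-ADGroup, Grant-/Revoke-SmbShareAccess and Set-Acl inside it, so the whole change can be reviewed before it is applied. The inheritance break is done in two passes on purpose: the in-memory ACL does not expose the copied entries until they have been written back, so removing them in the same pass silently does nothing. To cover several servers, pass -CimSession to Get-SmbShare and Get-SmbShareAccess and run the NTFS checks over the UNC path.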

I would probably implement Data Loss Prevention (DLP) tools to look for files being accessed, although this is more of an afterthought as well; it might reduce the amount the hack is able to get before you get on top of it. The problem with most DLP tools is they don't see anything if it is encrypted, and they don't know if the person should have access to the files they are accessing, so it goes back to people, processes and access.
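The check a DLP tool cannot make on its own, "should this person be touching these files at all", as an added example that is not part of the original post. It assumes a domain-joined Windows file server, and the directory and group name are placeholders. It enables object-access auditing on one sensitive directory, then reads the resulting 4663 (object accessed) events from the Security log and keeps only the accesses made by accounts that are not in the group that is supposed to have access. Because the check keys on the access, not on the content, it works just as well when the file contents are encrypted.

```powershell
# Added example, not from the original post. Run as an administrator on the file server;
# writing the SACL and reading the Security log both need elevated rights.
Import-Module ActiveDirectory

$SensitivePath = 'C:\Shares\Finance\Private'   # placeholder
$AllowedGroup  = 'FS-Finance-RW'               # placeholder

# 1. Object access auditing has to be on in policy AND on the object (its SACL) to produce 4663s.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$acl = Get-Acl -Path $SensitivePath -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, WriteData, AppendData, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $SensitivePath -AclObject $acl

# 2. Who is supposed to be there, expanded through nested groups.
$allowed = Get-ADGroupMember -Identity $AllowedGroup -Recursive |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# 3. Every access to the directory by someone outside that group.
function Get-UnexpectedAccess {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4663 carries its fields as <Data Name="..."> elements; turn them into a lookup table.
            $d = @{}
            foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d['SubjectUserName']
                Domain  = $d['SubjectDomainName']
                Object  = $d['ObjectName']
                Access  = $d['AccessMask']     # hex mask, e.g. 0x1 read data, 0x2 write data
                Process = $d['ProcessName']
            }
        } |
        Where-Object {
            $_.Object -like "$SensitivePath*" -and
            $_.User -notlike '*$' -and                               # skip machine accounts
            $allowed -notcontains $_.User.ToLowerInvariant()
        }
}

# One line per unexpected account: how many accesses, and when they started.
Get-UnexpectedAccess | Group-Object User | Sort-Object Count -Descending |
    Format-Table Count, Name, @{n='FirstSeen';e={($_.Group | Measure-Object Time -Minimum).Minimum}},
                 @{n='Processes';e={($_.Group.Process | Sort-Object -Unique) -join ', '}} -AutoSize
```

A backup service account or an administrator doing a migration will show up here too; that is the "checked against the actual need" step from the audit above, and the answer is either to add them to the group or to treat the access as the anomaly it looks like. Auditing a large, busy share this way produces a lot of events, so scope the SACL to the directories that actually hold the secrets rather than the whole share.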

This particular malware, according to one website I read, would have been missed by 90% of all anti-malware tools. Instead, if I could, I would do application and execution whitelisting instead of signature-based blacklisting, as well as fingerprinting applications that attempt to run: if it has run in the past without issue, it's probably OK. I am not sure of specific tools for this type of protection, but again, that needs to be managed by only allowing approved applications to run.
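One way to do the whitelisting and fingerprinting described above with what Windows already ships, as an added example that is not part of the original post: AppLocker. It assumes a Windows edition that includes AppLocker (Enterprise or Server) and a clean reference machine; the reference directories, policy file path and the test binary path are placeholders. The script fingerprints everything installed (publisher rule for signed binaries, SHA256 hash rule for unsigned ones), deploys the result in audit mode so nothing is blocked yet, and then reports which executions the policy would have stopped, which is the "has it run here before without issue" list the post asks for.

```powershell
# Added example, not from the original post. Run elevated on the reference machine.
Import-Module AppLocker

$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')   # placeholders
$PolicyFile    = 'C:\Policies\allowlist.xml'                                      # placeholder

# 1. Fingerprint what is installed. Signed binaries get a publisher rule (survives patching),
#    unsigned ones a SHA256 hash rule. No path rules: a rule for a user-writable path would
#    allow whatever gets dropped there. DLLs are left out; adding Dll to -FileType is the
#    stricter (and noisier) step.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyFile -Encoding unicode

# 2. Deploy in audit mode first. The mode lives on each RuleCollection element of the XML:
#    AuditOnly logs what would be blocked, Enabled actually blocks it.
[xml]$policy = Get-Content -Path $PolicyFile
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'     # switch to 'Enabled' once the audit log is quiet
}
$policy.Save($PolicyFile)
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# AppLocker evaluates nothing unless the Application Identity service runs. On current
# Windows builds Set-Service is refused for this protected service, hence sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 3. Ask the policy about one binary before anyone double-clicks it.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path 'C:\Users\Public\Downloads\setup.exe' -User Everyone

# 4. After a period in audit mode, summarise what would have been blocked. Event 8003 in the
#    AppLocker "EXE and DLL" log means "ran, but would have been blocked if the policy were enforced".
function Get-WouldHaveBlocked {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time      = $_.TimeCreated
                UserSid   = $d.TargetUser
                File      = $d.FilePath
                Hash      = $d.FileHash
                Publisher = $d.Fqbn       # empty for unsigned binaries
            }
        }
}

Get-WouldHaveBlocked | Group-Object File | Sort-Object Count -Descending |
    Format-Table Count, Name,
                 @{n='Hashes';e={($_.Group.Hash | Sort-Object -Unique).Count}},
                 @{n='Users'; e={($_.Group.UserSid | Sort-Object -Unique).Count}} -AutoSize
```

Read the table the way the post suggests: a file that many users have run for weeks with one stable hash is a candidate to add to the allow-list; a one-off hash run once from a profile or temp directory is the one to investigate. Only after the audit log stops producing surprises is the EnforcementMode flipped to Enabled, and the same policy XML can then be pushed to the rest of the estate through Group Policy.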

Ultimately (Utopian vision) it comes down to:

  • know what and where your data is (label it as well),
  • know who your people are,
  • know who should have access to what,
  • know what software / applications are supposed to be there,
  • allow only that,
  • monitor and log everything,
  • watch for and prevent anomalies and changes.