EDITOR'S QUESTION
Rick Holland, CISO, Digital Shadows
Businesses need to consider the risks not only from technical vulnerabilities and concerns such as unpatched software, but also from attackers who understand the business processes of a particular target.
We have seen from indictments that attackers are using publicly available social networking profiles to build contextually relevant social engineering attacks and are explicitly targeting employees that they know will be handling sensitive or valuable information. One example would be employees who are handling company filings to a regulator.
We have also seen the technical exploitation of systems in order to facilitate fraudulent bank transfers, such as the Bangladesh bank attacks that targeted the SWIFT access systems and the FASTCash attacks that targeted retail payment systems. In both cases, the attackers understood how the business processes of the targets functioned, in particular the approval process for transactions, and used technical means to subvert the business processes and thereby make fraudulent bank transfers.
More broadly, Digital Shadows recommends a defence in depth approach. By this we refer to multiple, partially overlapping security controls that mutually reinforce each other in order to provide increased resiliency to network intrusions. These are fundamental and widely used security principles, which are reusable across all different types of attackers and relevant to business process compromise attacks.
1. Only provide access where it has been explicitly granted, otherwise deny. This is a useful principle to apply to firewalling and other techniques for managing traffic flow such as IP whitelisting.
2. Principle of least privilege. Restrict workstation-to-workstation communication to only that which is necessary, and segment networks so that the compromise of one endpoint does not automatically give access to the entire network. The principle of least privilege should also be implemented for file, directory, and network share permissions.
3. Attack surface reduction. Any feature of a piece of software or hardware that is enabled increases your attack surface. By going through the process of discovering which protocols or features are explicitly required for a system to function and disabling all other unnecessary features, a system is hardened against attack. Applying vendor patches in a timely fashion to reduce the number of exploitable vulnerabilities in installed software, as part of a continuous vulnerability assessment programme, is also important here.
4. Need to know compartmentalisation. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.
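As an added example illustrating points 1 and 2 above (this is not Digital Shadows' code or tooling; the subnets, rule names and flow records are constructed for illustration), the following Python models a default-deny flow policy: a connection is allowed only if it matches an explicit rule, every other flow is denied, and the same rule set is rendered as an nftables forward chain whose policy is drop. The `audit_flows` helper replays a few observed flows against the policy so the lateral workstation-to-workstation traffic that segmentation is meant to block shows up as denied before the ruleset is enforced.

```python
"""Default-deny flow policy with explicit allow rules and network segmentation.

Added example, not the article's or Digital Shadows' code. The network layout,
rule names and sample flows below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicit allow rule; any flow that matches no rule is denied."""
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp" or "udp"
    dports: frozenset   # destination ports this rule permits


# Constructed segmentation (assumption): workstations in 10.10.0.0/16,
# servers in 10.20.0.0/16, and a single admin jump host at 10.30.0.10.
ALLOW_RULES = (
    Rule("workstations-to-dns", "10.10.0.0/16", "10.20.0.53/32", "udp", frozenset({53})),
    Rule("workstations-to-fileserver-smb", "10.10.0.0/16", "10.20.0.5/32", "tcp", frozenset({445})),
    Rule("jumphost-to-servers-ssh-rdp", "10.30.0.10/32", "10.20.0.0/16", "tcp", frozenset({22, 3389})),
)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return ("allow", rule_name) for the first matching rule, else ("deny", "default")."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (proto == rule.proto
                and dport in rule.dports
                and src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)):
            return "allow", rule.name
    # Nothing granted explicitly: deny, including workstation-to-workstation traffic.
    return "deny", "default"


def to_nftables(rules):
    """Render the rules as an nftables forward chain with a default policy of drop."""
    lines = [
        "table inet filter {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for rule in rules:
        ports = ", ".join(str(p) for p in sorted(rule.dports))
        lines.append(
            f"        ip saddr {rule.src} ip daddr {rule.dst} "
            f"{rule.proto} dport {{ {ports} }} accept comment \"{rule.name}\""
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


def audit_flows(rules, flows):
    """Return the flows the policy would deny, for reviewing a candidate
    ruleset against observed traffic before it is enforced."""
    denied = []
    for src_ip, dst_ip, proto, dport in flows:
        decision, _ = evaluate(rules, src_ip, dst_ip, proto, dport)
        if decision == "deny":
            denied.append((src_ip, dst_ip, proto, dport))
    return denied


# Constructed flow records (assumption): a handful of observed connections.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5", "tcp", 445),    # workstation -> file server SMB
    ("10.10.4.21", "10.10.7.88", "tcp", 445),   # workstation -> workstation SMB
    ("10.10.4.21", "10.20.0.53", "udp", 53),    # workstation -> DNS
    ("10.10.4.21", "10.20.0.9", "tcp", 22),     # workstation -> server SSH
    ("10.30.0.10", "10.20.0.9", "tcp", 22),     # jump host -> server SSH
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(ALLOW_RULES, *flow))
    print(to_nftables(ALLOW_RULES))
```

Run stand-alone, the script lists each sample flow with its decision and prints the generated nftables chain; only the two allow-listed workstation flows and the jump host's SSH session pass, while the workstation-to-workstation SMB and the direct workstation-to-server SSH attempts fall through to the default deny.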