A few well-known UK brands have hit the headlines recently as a result of a breach or security issue. For instance, Tesco Bank announced 40,000 customer accounts were affected by a “sophisticated” attack. Half of those had money taken from them. As a result, Tesco Bank could incur a severe penalty imposed by regulators. That fee would be in addition to the cost of refunding customers affected by the incident. To date, Tesco Bank has not revealed how the attack occurred, but it has stated that it fell victim to online criminal activity. Even so, a number of security technology specialists including Cliff Moyce, global head of financial services at DataArt, have estimated the likelihood of this being a “remote attack” at less than 50 percent. It’s far more likely that the breach was a result of human error, a weak process, or a possible insider threat. Let's be clear: defending against human-centric breaches can oftentimes prove to be difficult but it's not impossible. Sometimes it boils down to a question of using the right solutions. Let's explore how the right technology can help protect against these types of incidents.
Securing the Human
We know that organizations that have strong security processes minimize the impact of a security incident. Those who have a mature security posture, conduct regular vulnerability scans and asset discovery to ensure that backend systems are not susceptible to the latest software vulnerability. But all organisations face a common enemy. No matter how secure your systems are, how tight those controls are implemented, there is always that “insider threat” – that employee who may be disgruntled and who has privileged access to customer record management, as well as to systems that contain personally identifiable information. It doesn’t necessarily have to be a disgruntled employee that causes an incident. What about that employee who is responsible for implementing an approved change request on the firewall? What if they didn’t have enough coffee the night before and made a change to the firewall that inadvertently left the environment insecure? It does happen. One technology that can help organisations in that case is a good security configuration management (SCM) solution that can help detect changes in the environment. Within that SCM solution, there should be a File Integrity Monitoring (FIM) component that helps detect changes in key files. FIM is the process of validating the integrity of operating system (OS) and application software files by comparing the current state of the files with their “known-good” baselines. In addition to files, SCM should be able to monitor changes to Directory Services, such as Active Directory, to spot those being added to restricted groups; monitor changes in databases by looking at permissions, ACL’s and content changes; monitor changes on network devices, such as firewalls, routers and switches; and show the differences in the file before and after the change. According to the 2015 Verizon Data Breach Investigation Report (DBIR), in 60 percent of cases, attackers were able to compromise an organisation within minutes. Verizon also states that one of the primary challenges in the security industry is the growing “detection deficit” between attackers and defenders. Having a good SCM solution in place that encompasses FIM can help detect deviations from the baseline and help identify abnormalities in the configuration of the system in question. FIM is an important component of SCM. What if a system’s OS or critical configuration has already been weakened, either by accident or maliciously? How would you know? SCM helps prevent attacks by creating a known and trusted state for your endpoints, or ‘nodes.’ FIM will automatically detect changes in this state and alert you to a potential threat. Furthermore, a good SCM solution will allow you to import a number of policies and create your own based on those policies. Each policy will have the following four component:
- Tests – a check into the state of a specific configuration setting
- Scores – a measurement of the overall conformance of a system or device
- Weights – indicating the relative importance of a test
- Thresholds – setting the colour and score ranging from the lowest to the highest to separate low-severity failures from critical ones.
When it comes to achieving regulatory compliance, which I’m sure is the case for financial institutions like Tesco Bank, the SCM solution will need to cater to common regulations, the most popular ones being PCI DSS; the Centre Internet Security (CIS) for hardening operating systems; and ISO 27001, a standard which a lot of companies adopt as the baseline. Lastly, another technology that will help is having a good vulnerability management solution. This technology will aid in discovering new or unidentified assets within the organisation and help identify potential weaknesses by revealing exploits that could lead to compromise. By staying on top of patching and securing critical assets, organizations place themselves one step closer towards preventing external threat actors from compromising their systems. In conclusion, a good SCM solution can help detect unauthorized changes on the endpoint, whether it’s a malicious file dropped on a critical server or an admin adding an unauthorized user to a restricted Active Directory group outside of change control. It can also help prevent breaches by continually monitoring those critical assets for drift out of compliance against a standard or regulatory requirement. Is your organization looking for a good SCM product? If so, look no further. Tripwire Enterprise is a market leading SCM solution that helps identify what systems are not compliant and helps you get them back into compliance through automated and scripted remediation. To learn more about Tripwire Enterprise, please click here.
