Based in Denver, CO, Agile Ideation collects the thoughts and experiences of Ed Schaefer. His posts explore agile and devops related topics as he works to maximize team effectiveness and minimize waste through continuous learning, coaching and empowering teams.

Defense in Depth

Business Challenge

Information security has always posed a substantial challenge to organizations, but today these challenges are greater than ever before. Historically, an organization had to be concerned with preventing or dealing with technical attacks such as viruses and worms, attacks on physical infrastructure, various forms of espionage and even vulnerabilities posed by its own employees. These dangers still exist, but in a world where technology has become ubiquitous and attackers are more sophisticated, there is an even greater potential for an organization to come under attack, and the damage that can be done is even more substantial.

This poses a great challenge for all organizations, and makes it difficult for an IT department to be prepared to protect against security threats. This is especially true when there is a divergence between how things are handled from a business perspective versus a technology perspective. On the business side, contingency planning is often a big part of moving forward and making progress: all foreseeable conditions are considered and a plan is developed to deal with each set of events. In the world of finance, for example, a plan may be developed under the assumptions that business partners will agree to certain terms, the economy will behave in a particular way, and certain previous investments will play out as anticipated. Many of these assumptions are based on history, on things that have been consistent over time, so the probability of particular events can be estimated. With this in mind, it is not especially difficult for a business to plan for the unexpected. There is a certain probability that the economy will behave one way, but the probability of an alternate series of events can also be considered, and based on how such events previously affected the organization, other organizations, or the economy as a whole, predictions can be made and contingency plans developed so the organization is prepared for any of those circumstances. Completely new and unexpected events are very unlikely to occur, in the grand scheme of things, on the business side.

With technology changing so rapidly and becoming such a substantial aspect of business both internally and externally, it is impossible for an organization to be prepared for every threat, find and resolve every vulnerability, or have a plan in place to deal with every incident that may arise. In the past it may have been possible to apply a mentality similar to that of business planning: to throw time and money into IT to be prepared for every type of attack, and to spend time and money trying to test every aspect of each piece of software used or released by an organization. This has become too expensive and time consuming. If an organization were to try to maintain this methodology, it would not be surprising for the business side to conclude that IT security was bloated, ineffective and too costly to be worth pursuing. It becomes the responsibility of IT to protect the organization in the most effective ways possible, in terms of time, money, the threats posed and their potential impact on the organization. This means that IT must primarily devote resources to the most common, or most likely, threats and vulnerabilities, but must also have plans in place to effectively solve the unexpected problems that will arise.


Solution

Prediction

Trying to predict what attacks an organization may face can be an extremely daunting task. The most effective way to handle prediction is to look at (a) the most common types of attacks overall, internet-wide, across industries and organizations, (b) attacks specific to the organization's industry or to its primary competitors, and (c) any attacks that may be specific to the organization or to particular areas of it. Examples for a financial firm might include SQL injection attacks at the top level, phishing attacks made by sending clients fake emails at the middle level, and finally social engineering attacks made by groups contacting a call center in an attempt to obtain information they are not entitled to. When discussing prediction it is often impractical to list every possible threat or vulnerability an organization may face, but the costs associated with resolving problems can be minimized by being prepared for the most common and frequently occurring of these issues.

Prevention

Depending on the potential issues faced by a firm, prevention can be handled in a number of ways. Clearly, what was determined in the prediction phase carries a lot of weight for what can be done to prevent issues. Some general steps for prevention include always keeping systems up to date with the latest patches and updates to software tools. Development of software or other tools should be done with security in mind, and having strong security policies in place can also be an excellent tool for preventing issues. Additionally, training employees in best practices, including demonstrations of how attackers may try to infiltrate through email, websites, or social engineering, is a great preventative measure. Finally, staying up to date on the latest vulnerabilities and attacks, and utilizing third parties that specialize in preventative tools, gives IT security a better chance of being able to make changes or install protections in time to stay ahead of attackers.

Detection

As was previously mentioned, it is not always possible to predict what may happen, and given the extensive networks of attackers working together, it is possible that even the best preventative measures may not be enough. That is why it is imperative that tools are put in place and used to detect any sort of intrusion or malicious activity as quickly as possible. This may include specific tools that look for unusual network traffic or for someone accessing the intranet from an unexpected location, making data highly visible, regular audits, or regular monitoring of activity in conjunction with segregation of access based on an individual's responsibilities within the organization. The next biggest threat to an organization after an attacker gaining access is that same attacker retaining regular access without being noticed or discovered. These detection tools must themselves be protected, so an attacker cannot manipulate the system or its data to continue hiding. As they become more effective, tools that dynamically monitor traffic and use a form of machine learning to learn normal usage patterns may be an excellent choice, since it may be difficult, if not impossible, for an individual to distinguish normal, expected traffic from unusual, malicious traffic.
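The "access from an unexpected location" and "learned normal usage pattern" checks above, as an added example that is not part of the original post: it learns a per-user baseline of login countries and hours from a constructed access log, then flags new successful logins that fall outside it. The log format, user names and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample access log lines (not from the original post). Assumed format:
#   <ISO-8601 UTC timestamp> user=<name> src=<ip> geo=<country> result=<success|failure>
BASELINE_LOG = """\
2024-03-01T09:12:44Z user=alice src=10.20.0.15 geo=US result=success
2024-03-01T17:40:02Z user=alice src=10.20.0.15 geo=US result=success
2024-03-02T08:55:10Z user=alice src=10.20.0.31 geo=US result=success
2024-03-01T10:01:30Z user=bob src=10.20.1.7 geo=CA result=success
2024-03-02T14:22:51Z user=bob src=10.20.1.7 geo=CA result=failure
"""
NEW_LOG = """\
2024-03-03T09:05:00Z user=alice src=10.20.0.15 geo=US result=success
2024-03-03T03:17:09Z user=alice src=203.0.113.9 geo=RU result=success
2024-03-03T11:30:00Z user=bob src=10.20.1.7 geo=CA result=success
2024-03-03T11:31:00Z user=carol src=198.51.100.4 geo=BR result=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) geo=(\S+) result=(\S+)$")

def records(log_text, result="success"):
    """Yield (hour_utc, user, src, geo) for each line with the given result; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(5) == result:
            ts, user, src, geo = m.groups()[:4]
            yield int(ts[11:13]), user, src, geo

def build_baseline(log_text):
    """Learn, per user, the countries and UTC hours seen in successful logins (failures are ignored)."""
    baseline = defaultdict(lambda: {"geo": set(), "hours": set()})
    for hour, user, _, geo in records(log_text):
        baseline[user]["geo"].add(geo)
        baseline[user]["hours"].add(hour)
    return dict(baseline)

def detect_anomalies(baseline, log_text, hour_slack=2):
    """Flag logins by a user with no baseline, from a country never seen for that user, or at an hour more than hour_slack away from every hour in the user's baseline."""
    findings = []
    for hour, user, src, geo in records(log_text):
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        elif geo not in b["geo"]:
            reasons.append(f"new location {geo}")
        if b and all(abs(hour - h) > hour_slack for h in b["hours"]):
            reasons.append(f"unusual hour {hour:02d}:00 UTC")
        if reasons:
            findings.append((user, src, "; ".join(reasons)))
    return findings
```

A real deployment would learn the baseline over a longer window and combine these signals with others (failed-login bursts, impossible travel), but the structure is the same: a learned profile of normal activity and a list of reasons attached to each deviation.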

Response

Detecting an intrusion or attack is only one piece of the puzzle, as there must also be a plan in place to respond to it. Taking a system offline is only a temporary solution, and even stopping and removing a virus doesn't solve the problem if the security hole it used is still there. When it comes to response, the right people must have a plan for what to do and how to handle any problem that may arise. This may include temporarily taking a system offline and reviewing the intrusion detection logs to find and resolve, as quickly as possible, whatever vulnerability was exploited. In some cases this may involve rolling software back to the last known secure state. It may also involve internal and external security auditors determining how the attacker gained access, and rolling out a security patch or update to all systems to close the hole. Response is not just fixing whatever caused the incident itself, but also dealing with any impact it may have had on the business. This may include responding to the theft or leak of proprietary company information, private customer data, or even information about business partners. An organization must have the tools and personnel to respond to the fallout from any incident, and the flexibility to deal with things that could never have been anticipated.


Conclusion

When defending against threats, IT must make smart choices about the most effective and efficient ways to handle security, to ensure that what is being done is practical. It is important for IT to follow a specific set of procedures, not only to provide the best protection possible, but also to ensure that needs and priorities are considered from a business perspective and that the objectives of the organization are being met. While it may seem that the best way to handle security is to install protections and be prepared for every possible threat, it is clear this is not only impractical but impossible, given the ever-changing nature of technology. With strong business continuity, incident response and disaster recovery planning, an organization has already made tremendous strides towards resolving any issues and getting the company back up and running following any type of attack or disaster. Being prepared for the incidents most likely to occur, and having strong procedures in place to deal with the unexpected, will help limit downtime for any organization.
