
Do not rely on employees to protect yourself from data leakage.

Malware is becoming more sophisticated and aggressive, and columnist Rob Enderle believes that it is not always possible to rely on employees to fight it. He proposes his own plan for countering this threat.


The company's data has been hacked, and your managers shrug their shoulders and claim to have had nothing to do with it. That was the phrase that came to mind the other day at a breakfast at RSA with employees of Intel's security division, where I happened to overhear the story told below. My ears pricked up when I heard the words "spear phishing," which turned out to be the key to a real story told by an Intel executive. Spear phishing refers to an attack aimed at a specific employee of a company in order to steal his personal data and/or compromise his equipment.

Apparently, this executive received an email with a PDF attachment from a questionable Chinese graduate student. The message contained personal details about a continuing-education program the executive had previously taken part in, and also gave enough specific information about the educational institution for the message to look genuine. The sender asked him to review the attached thesis, a PDF file. Although there were no warnings about any danger in the PDF and it looked harmless, the recipient did not open it and instead sent it to McAfee's laboratory for analysis.

And not in vain. According to the lab report, the file contained many instances of previously unseen malware. In other words, the attackers had not only chosen a specific executive as their target, but had also built a custom package whose uniqueness prevented malware detection systems from identifying it as dangerous. We have long been warned that PDF files are especially dangerous, but judging by the event described, even interim software patches have not eliminated the threat.

What scares me most of all is that this malware was written specifically to "hunt" the head of a security company. In this sense, executives of security companies are a prized target, since information stolen from them can provide access to all of the company's customers.

In critical situations, you cannot rely on employees

In this particular case, the executive did the right thing, but how many of his colleagues in this or other companies received a similar email attachment? And the main question: how many of them opened an attachment addressed to them personally, and how many of those companies were breached as a result?

We know that our children's computers are very vulnerable to hacking, and since our PCs and devices are often on the same network, our own systems can be hacked as well. After that, we can become "carriers" if, through negligence, we bring those systems back to the office. Suppose we are careful enough to scan these machines before admitting them to the network; scanning is still often unable to detect unique malware written specifically to compromise particular employees. And since we know that our own leaders are not so careful, the likelihood that we will be hacked comes extremely close to a certainty.

The Golden Hour

The people from Intel talked about the "golden hour," that is, how much time there is from the moment of the hack to the moment by which it must be identified and eliminated. Another person at the table said that the largest banks now have to make instant money transfers, which means that the standard delay that allowed banks to check transactions will soon be eliminated, and the "Nigerian princes" who so generously give away their fictitious money will be able to get rich at your expense.

If we assumed that a hack might already have happened, our approach to security would change very seriously. We are now focused on preventing threats, but this is obviously not enough. If you know that a malicious object is already operating inside your company, you will pay more attention to aggressive threat detection (McAfee SIEM), response to those threats (Invotas), and hardening of your information (Varonis). In other words, if the burglars are already in your house, it is too late to change the locks. Instead, it is time to hide the valuables and look for ways to remove the uninvited guests.

The same is true in our case: if we accept as a fact that our security is violated, then we must first try to prevent our intellectual property from going where we don’t want, and then focus on identifying and eliminating unauthorized access.

SIEM (Security Information and Event Management) technology integrated into a universal console (supplied by Intel/McAfee), combined with the automatic response system supplied by Invotas, gives you a weapon for "banishing" uninvited guests, and the intellectual-property protection from Varonis will buy enough time to act before your valuables are stolen.

The optimal data leakage protection system includes three levels of protection.

Although I know that Sony deployed some of these tools after it was hacked, I have not yet found anyone who has installed this particular combination. I believe that you need all three components, SIEM, Automated Threat Response and Automated Unstructured Data Protection, to have the time and the opportunity to cope with the growing invasion.
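As an added illustration of the three layers described above (this is example code written for this page, not code from the column or from McAfee, Invotas or Varonis), the Python sketch below runs an "assume breach" pipeline over constructed log lines: a SIEM-style correlation rule ties an unexpected external PDF attachment to the PDF reader spawning a scripting host on the recipient's endpoint, the resulting incident gets an automated response plan, and a burst of file-share reads on the same host triggers a data-protection action. It also measures dwell time against a one-hour "golden hour" budget. The log format, field names, thresholds and response actions are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GOLDEN_HOUR = timedelta(hours=1)          # detection-to-containment budget
CORRELATION_WINDOW = timedelta(hours=24)  # how far back a delivery may be matched
# Child processes a document reader has no business launching (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events in a hypothetical "ts|source|user|host|k=v ..." format.
SAMPLE_LOG = """\
2015-04-21T07:00:00|mailgw|carol|-|attachment=grant_proposal.pdf sender=unknown-external
2015-04-21T09:02:10|mailgw|alice|-|attachment=thesis_review.pdf sender=unknown-external
2015-04-21T09:05:42|endpoint|alice|ws-alice|process=AcroRd32.exe child=powershell.exe
2015-04-21T09:06:05|fileshare|alice|ws-alice|share=research count=412
2015-04-21T09:30:00|mailgw|bob|-|attachment=invoice.pdf sender=known-internal
2015-04-21T09:31:15|endpoint|bob|ws-bob|process=AcroRd32.exe child=-
2015-04-21T09:40:00|endpoint|carol|ws-carol|process=AcroRd32.exe child=cmd.exe
"""


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    host: str
    fields: dict


@dataclass
class Incident:
    user: str
    host: str
    first_seen: datetime      # delivery of the suspicious attachment
    detected_at: datetime     # the event that made the correlation fire
    evidence: list = field(default_factory=list)
    data_at_risk: bool = False

    @property
    def dwell(self) -> timedelta:
        return self.detected_at - self.first_seen


def parse_log(text: str) -> list:
    """Turn the pipe-delimited sample lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, host, detail = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append(Event(datetime.fromisoformat(ts), source, user, host, fields))
    return events


def correlate(events: list) -> list:
    """Detection layer: an attachment from an unknown external sender followed
    (within the correlation window) by the PDF reader spawning a scripting host
    on the same user's endpoint. A burst of file-share reads on that host in the
    next 30 minutes marks unstructured data as being at risk."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    incidents = []
    for user, evs in by_user.items():
        deliveries = [e for e in evs if e.source == "mailgw"
                      and e.fields.get("sender") == "unknown-external"]
        for d in deliveries:
            for e in evs:
                if (e.source == "endpoint"
                        and e.fields.get("process", "").lower().startswith("acrord32")
                        and e.fields.get("child") in SCRIPT_HOSTS
                        and timedelta(0) <= e.ts - d.ts <= CORRELATION_WINDOW):
                    inc = Incident(user, e.host, d.ts, e.ts, [d, e])
                    for f in evs:
                        if (f.source == "fileshare" and f.host == e.host
                                and int(f.fields.get("count", 0)) > 100
                                and e.ts <= f.ts <= e.ts + timedelta(minutes=30)):
                            inc.data_at_risk = True
                            inc.evidence.append(f)
                    incidents.append(inc)
                    break  # one incident per suspicious delivery
    return incidents


def within_golden_hour(inc: Incident) -> bool:
    return inc.dwell <= GOLDEN_HOUR


def plan_response(inc: Incident) -> list:
    """Response and data-protection layers (hypothetical actions, no vendor API)."""
    actions = [f"isolate host {inc.host} from the network",
               f"quarantine attachment {inc.evidence[0].fields['attachment']} for lab analysis"]
    if inc.data_at_risk:
        actions.append(f"suspend file-share access for {inc.user} pending review")
    if not within_golden_hour(inc):
        actions.append("escalate: detection exceeded the golden hour")
    return actions


if __name__ == "__main__":
    for inc in correlate(parse_log(SAMPLE_LOG)):
        print(f"{inc.user}@{inc.host}: dwell={inc.dwell}, data_at_risk={inc.data_at_risk}")
        for action in plan_response(inc):
            print("  ->", action)
```

On the sample data, alice's chain is caught three and a half minutes after delivery and gets the share-access suspension because of the read burst, bob's ordinary PDF from an internal sender produces nothing, and carol's case is detected but only after two hours and forty minutes, so it is flagged as having blown the golden hour.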

I named these vendors above because I know them well and sometimes work with them, and also because they are a good combination to start with (McAfee, Invotas and Varonis). I chose McAfee because of its connection with Intel and the corresponding shift toward an integration-oriented strategy, Invotas because it looks the most aggressive in responding to threats, and Varonis because it is the best at protecting unstructured data today. However, making sure the individual components (especially the first two) actually work together will obviously be just as important for an ideal combination.

Over the coming weeks, I'm going to look for someone who has already installed this toolkit and report back to you about what the perfect combination of solutions really can be.

In the meantime, you should remind all your managers and IT professionals to refrain from opening attachments sent by unknown persons, or attachments they were not expecting (since a message may be forged to look as if it came from someone they know), on anything other than a dedicated isolated PC, unless they want to earn notoriety within their company.

And if they did open an attachment (especially a PDF) that they were not expecting, it must be sent to the security team for analysis. If it was harmless, great. If not, security specialists should immediately begin repairing the damage, isolate the affected systems, and make sure the event cannot recur.

I feel that this is going to be a bad decade for chief security officers (CSOs).

Rob Enderle

Rob Enderle is the president and principal analyst of the Enderle Group. Previously, he served as a senior fellow at Forrester Research and the Giga Information Group. Before that, he worked at IBM in the internal audit, competitive analysis, marketing, finance and security departments. Enderle currently writes about technology, security and Linux for various publications, and also appears on national news channels, including CNBC, FOX, Bloomberg and NPR.

Source: https://habr.com/ru/post/259325/
