The gaps between strategic security improvement and keeping the wolves out, today!
The Cyber Realities in 2021
Most organisations today honestly don’t have great cyber security postures. Cyber security has improved since the 80’s and 90s’s but still common gaps can be found in the same old areas.
So, whilst security possibilities and technical capabilities for defence have greatly improved, this hasn’t really translated into the level of change we would like to see on the ground inside organisations.
I’m writing this post after giving a talk today about the challenges I see in cyber security across different organisations but also after watching a talk by Dave Kennedy which from my perspective emulates my experiences and largely my views.
Challenges I see today
I could write a really long list about this area, so I’ll try and keep this short, focusing on some of the things that I think really impact organisations:
- We have a broad lack of understanding about cyber security from a business leadership perspective, partly I think this is because “techies” and “business people” talk in a different language.
- An over reliance on tools.
- This isn’t helped by the misconception people seem to have that simply adding or changing products will solve their security challenges.
- Not enough focus on hunting for and eliminating or reducing weaknesses exploited by threat actors today.
- High levels of technical debt and not enough understanding of their “systems” create a 4th painting the 4th bridge scenario or simply create such a volume of backlog that seeing the woods through the trees probably feels impossible to many.
- A lack of investment in areas that are fundamentally required to improve posture
- Ensuring staff are suitable trained and enabled
- Looking at fundamental weaknesses and what can be done today to address these
See each organisation is unique however I’m going to look at the broad stroke position of the 80-90% of organisations that have a reactive and weak security posture. Now I know it’s hard to swallow but that’s honestly where so many organisations are today.
See I wrote an article an age ago:
https://www.pwndefend.com/2019/05/29/things-to-do-before-you-conduct-a-red-team-assessment/
This went into some of the weeds so I’m going to try and look at this problem for a more security management perspective.
Strategic Change
Now we know that security change requires investment, in people, process and technology. We also know that these things take time. Do I believe that organisations absolutely need to have a cyber security strategy and a roadmap, aligned to business risk and with long term investment strategies? Absolutely. However, if focus is only given to long term and large-scale change where does that leave organisations today and between that future strategic realisation position?
It probably leaves them vulnerable, so what can organisation do about this? Well, they could wait it out, relying on hope. Not a plan I’d want to go with personally, so let’s think about tactical projects they can do to keep the wolves at bay, or at least reduce the impact an incident might have.
Tactical Security Improvement Plan
Now without a specific scenario outlined this is going to be a rather generalised view, but bear with me, this would fit a lot of the organisations I’ve worked with (I’ve literally done this with orgs as well so it’s not untested ground).
Let’s think about what we can do near term to shore up our security:
Category | Activity | Remediation |
Active Directory | Run an audit (Pingcastle is a great starting point), identify common weaknesses such as:
Conduct an AD password audit |
|
Endpoint Security | Review endpoint security, check for:
|
|
Monitoring | Monitoring is a complex area, many organisations don’t have SOC’s or SIEMS, but even when they do, they aren’t always monitoring for known bad behaviours. Look to review your estate and understand your monitoring requirements. Leverage rapidly deployable capability and build a data-based picture of your environment. |
|
Server Security |
|
|
Network Security | Scan your networks
Identify weak services and protocols Audit network equipment patch levels |
|
High Privileged Access | Review your userbase and identify users that require high privileged access
Identify and group services Rate areas for criticality |
|
Now I’m not going to list everything and some of the “basic” areas above aren’t two-minute jobs but some of them really don’t require a lot of investment. Organizations have a range of different architectures, operating models and business requirements to consider.
Commercial solutions for EDR and logging will clearly require investment, however there’s a range of security enhancement that rely more on time and attention that large commercial investments.
The Foundations
Your endpoints are your gateway to your digital world, so looking at endpoint security is NEVER a bad thing, consider looking at:
- Windows Defender Firewall (WDF)
- Windows Defender Application Control (WDAC)
- Windows Defender Antivirus/Microsoft Defender ANtivirus
- Windows Defender Credential Guard
- Windows Hello
- Hardening Baselines
- Sysinternals SYSMON
- Group Policy
- Mobile Device Management
- Protective DNS
There’s great guidance from a range of places:
https://www.pwndefend.com/2020/11/04/modern-windows-device-security-assurance/
https://www.ncsc.gov.uk/collection/device-security-guidance
Changes in Mindset
Ok so I’ve talked a bit about some high-level tactical activity and then about a few specifics, but what’s the real changes we need to think about? Mindset. There’s a ton of myths and misconceptions about security I think are part of the root cause, so let’s look at some of those:
Myth | Reality |
Pen testing should be conducted once a year and should cover just the external website | Seriously how did the world get this view? Probably compliance driven. Security testing should be really a continual activity, you don’t want to be waiting a year to “check you are ok”. Adopt a range of red, blue, and purple team activities to increase posture and reduce attack surface now. Head after those kill chains, we know about to kick start your defensive programme. |
Security needs to be perfect | Perfect tomorrow (or never) is the enemy of better today. Small incremental security improvements trump monolithic programmes that ignore the tactical improvements that can be made. |
We have ISO27001:2013 so we must be secure | Compliance != Security. Almost every organisation in the news who has suffered a major cyber incident has ISO27001. Compliance has it’s place but don’t confuse it with security. |
A penetration test is the goal | If your budget is stretching to fit in a pentest then I have some bad news for you, you need to realise that a pentest is one of many potential starting points, not the goal! Plan your budgets and activities around this theme. Also one test is unlikely to cover the whole enterprise, again that’s an important reality to be aware of. |
A product with solve all your security challenges | They really won’t. Organisations that spend large sums of money still have major security incidents, there is an old adage… a fool with a tool is still a fool. Security solutions are useful tools, but you need to deploy people, process and technology to succeed in the security game. |
The IT Team can just do all this | Honestly, this isn’t about reporting lines but if your enterprise security is left to a small time slice of someone’s already likely constrained time where there are competing objectives you will likely struggle to adopt a strong security culture and strong defensive posture. |
This list is by no means exhaustive but hopefully it gives some insight into the challenges I have and continue to see in my travels across companies of all shapes, sizes, and verticals.
Key Points
Some key elements here include:
- Ensuring there is strategic investment and a long-term plan that is supported by tactical activity
- Taking a risk and threat-based approach to enabling capability in the short term
- Leverage threat intelligence
- Leveraging offensive security capability to test, drill and enable prevent, detect, and respond capability
- Focusing on ensuring common weaknesses that are exploited in kill chains are adequately defended
- Leveraging existing investments
- Adopting a crawl, walk, run approach
Summary
According to NCSC Cyber Security is:
“Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage.”
Whilst we have made strides forward from the 80’s and 90’s, organisations cyber security postures are generally still not where they need to be. Major breaches are occurring all the time, criminal enterprises are infiltrating and extorting organisations. Risk management and protecting your organisations computer systems from harm (inside and out) isn’t a nice to have, it’s part of doing business. With the shifting attitudes in response to major cyber incidents, with customer demand for security increasing, it’s important that organisations take a realistic, pragmatic, and effective approach to cyber security that not only looks at the long-term strategic changes required but also that acts today to defend networks against current and emerging threats. To achieve this, we need leadership to understand the cyber landscape, decision making with the wrong intelligence can be incredibly costly, it’s not a matter of if you have an incident, it’s a matter of when. Being prepared, trained, and hardened is going to significantly change the level of impact your organisation feels.
Cyber security is a people, process, and technology game, we need our leadership to understand all three, a major gap in any of those areas is going to lead to risks your organisation may not wash to see realised.