Implementing cost-effective cyber security (part 1 of 2)

"Cyber security 101"

Cyber security and cyber defence are massive-sounding terms and ones that we are likely to connect with critical infrastructure and national-level operators. For many smaller operators cyber defence sounds foreign and even unnecessary.

When the defence contract giant Lockheed Martin was hacked for the first time using the information security giant RSA as a stepping stone, many information security experts started believing that there is no way to ward off a targeted attack. The idea is partially right: a skilled, motivated and determined attacker can break down defences. But this type of thinking is also wrong, because a security breach alone will not be the end of the world: the attacker has to be able to get his hands on the goods.

According to a study conducted by FireEye last year, 97% of the studied organisations had been breached and 60% had malware running in their networks that communicated with the attacker. According to Mandiant's report from last year, the median time before an attacker's presence is noticed is 212 days. In the credit card information theft from Target it took the attackers three weeks before the first card numbers were sent to the attackers.

Stop an attacker before the information leaves your system

Preventing security breaches is usually not a question of seconds or minutes, but days or even weeks. If an attacker can be prevented from getting the goods, the attack has failed and no significant harm is done. Even small organisations have the resources to ward off a strong attacker if the security breach is detected early.

Detecting security breaches doesn't need to involve wildly expensive malware busters – smaller measures can bring excellent results. Next, I will present some tactics that can be implemented even on a small budget but are effective in detecting a significant portion of malware before the programs have time to send information to the attacker.  For this type of detection to work, all devices equipped to log traffic on the internet interface must actually do so. At the very least the firewall must log all incoming and outgoing packages and the DNS server must log all queries. It is also necessary to filter unnecessary traffic at the internet interface. We discussed ways to detect security breaches from DNS queries in a blog post last spring.

The primary goal is to detect malware command and control channels (C&C).

This will be discussed further in the second part of this blog post.

The author, Pekka Viitasalo, works at Nixu as a leading consultant on the Adaptive Solutions Team (or Zone in Nixu terminology) with cost-effective cyber security as his motto.