By Mike McGrew, Advisory Practice Consultant, RSA Advanced Cyber Defense Services
This blog discusses five of the high level missteps common to organizations that have experienced needlessly prolonged negative effects of cyber security incidents.
1) No security team
A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.
When a company consists of 10 people operating on a shoestring budget and an idea, realistically it’s hard to justify spending money on anything that doesn’t have a tangible ROI. When those companies grow, however, the potential losses in intellectual property or corporate reputation began to justify expenditure towards a comprehensive security program. Add to that potential regulatory compliance requirements and most successful companies should have no problems demonstrating a true business need for security implementation.
2) No budget for enterprise level security tools
These companies are slightly better off than the organizations with no security team at all. What I typically observe at these clients is a dedicated though undersized staff that spends a lot of time trying to convince management of the necessity of enterprise security tools. At least that’s how they start out on the job. By the time I am called in to consult, I typically find that the IT managers accept as fact that executive leadership will not dedicate funds towards the purchase of enterprise security tools. Often these managers hope that the single biggest result of a breach is that executive leadership will finally see the true value of implementing these tools.
3) No management support for an information security program
Both of the previously mentioned conditions can be summed up by this one condition. That being said, I have still occasionally seen organizations that are reasonably staffed and tooled, but end up not implementing security properly because of the perceived negative impact to the business. For example, take a company that has an intelligent web proxy up and running on the network. Since executive management does not champion network security, creating exceptions to the policy is relatively easy. Before long, that company will have entire pockets of personnel whose web traffic bypasses the proxy. If a company has adequate security in place, but lacks management support, users will often find a way to bypass that security.
4) Over-reliance on tools; under-reliance on skills training
At these organizations, what I have found to be the common denominator is that tools and security staff are both implemented, but the weak link in the chain is the capability of the personnel that are hired to deal with incidents. Consider a case where a critical client system was compromised via targeted email attack. Two users clicked on a URL in similar LinkedIn phishing emails, starting the chain of infection that ultimately led to an attempted payroll theft months after the initial infection. Multiple opportunities existed for this client to detect and remove the threat from the network prior to the attacker trying to steal money; original emails were still present in the gateway storage, both compromised systems were beaconing to a known bad IP address, both hosts had AV alerts that fed into a central server, both users created help desk tickets as a result of their computers acting strangely, and this exact attack had been sufficiently blogged about for a security analyst to gather information and perform discovery in their own network. On the surface, this organization appeared ready to be able to efficiently handle any network security issues that came up. The reality, however, was that though there was an extensive trail of evidence that could have easily been queried and analyzed, there were no truly qualified personnel on staff that could put the pieces of the puzzle together.
5) Sysadmins assigned to remediate AV alerts, end up running scan tools that don’t wipe out the threat
I understand the motivation of the sysadmin who sees an AV alert and responds by running eradication tools like Malwarebytes. More often than not I find that in targeted attacks, at best these tools only kill the portion of the malware that was causing the AV alerts. For the motivated but untrained sysadmin, no more AV alerts means no more compromise, situation resolved. Incomplete remediation is a dangerous situation, since the possibility now exists that the host is still compromised but no longer alerting anybody about it. In a corporate environment, AV alerts should be treated as a notification to rebuild the system in any case where a thorough forensic examination cannot rule out persistent compromise.
Mike McGrew is an Advisory Practice Consultant within RSA’s Incident Response practice. Mike provides network and host-based incident response services for intrusions involving sophisticated adversaries that target intellectual property and other critically sensitive data. Mike has been a CISSP for over 10 years and was previously a Navy cryptologist supporting the National Security Agency (NSA).
