In this post and the next, we will use a bank robbery as a metaphor for a cybersecurity breach to explain how bad guys get in, how they find valuable information and how they get out with the goods. We will also describe the places where cyberdefenses can help. As you will see, the metaphor is apt, and it will help you to better understand the domain of a Chief Information Security Officer (CISO).
For the metaphor, imagine a simple bank layout with a lobby, a back room behind the lobby and a vault accessible from the back room. The lobby and the back room have doors, of course, and the lobby has windows. Alarms are set on the doors and windows, and motion detectors are armed in both rooms and the vault. The alarms are silent: they trigger an alert, and a human being monitoring the site determines whether the signal is true or false.
Step 1: Getting In
Let’s consider three ways the robbers might get in: they could break in, they could steal a key and walk in or they could be let in by an insider.
Breaking in might include checking all of the doors and windows to see if any are unlocked. It might involve testing the locks to see if any can be quickly picked. It could include more complex tactics like checking for ways in via the air conditioning or sewerage. It could involve building a tunnel.
Each of these breaking-in approaches demonstrates how bad guys might attack the perimeter of your enterprise. They probe for unsecured ports through your network firewalls. They try to sneak in software that will open a path into your enterprise.
Protecting the perimeter is where many security staffs spend the most time and effort. There is a feeling that if you can keep the robbers outside, you are safe. Virus scans and penetration testing are designed to provide perimeter defenses. Network monitoring exposes the probes sent by bad guys. Perimeter defense is critical but, as you will see, not sufficient.
Stealing a Key to Get In
Stealing a key is a metaphor for finding a user ID and password that unlocks the perimeter defenses and lets you into the bank. Phishing for a user ID and password is one way to get a key. Sometimes cybercriminals find keys in somebody else’s bank by stealing the keys from an unsecured database and selling them to other criminals on the Dark Web, who use them to try to open the door to your bank. If staff reuse the same user IDs and passwords across sites, this can expose a key into your enterprise. Sometimes, criminals get a user ID and try to guess the password to unlock a door.
To protect against this attack, you have to secure the passwords that open doors. You must force password changes often so that keys that leak out become unusable. It also means repeatedly reminding staff to guard against phishing attacks and against exposing keys.
An Inside Job
An inside job is when an employee of your bank gives the bad guys a key or opens the door for them. Stopping this sort of entry is difficult. Fortunately, it is also tricky, but not impossible, for bad guys to recruit insiders.
Once They Get In
If the cybercriminals get through a door with a key, there may be nothing odd about the activity. Staff use an ID and password to come in through that door all the time, but it may be strange to see someone coming through the door at two in the morning. It may be unusual to see the same person come through the door at odd hours for several days in a row. So the next level of cyber defense looks for access patterns to identify suspicious activity, and the diligent CISO has tools in place to identify these odd patterns.
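The access-pattern check described above can be sketched over login records. This is an added example, not part of the original post; the log format, the working hours and the three-day threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: "timestamp user entry-point"
SAMPLE_EVENTS = """\
2024-03-04T08:55:10 alice vpn
2024-03-04T09:02:41 bob vpn
2024-03-05T02:07:33 bob vpn
2024-03-05T09:01:12 alice vpn
2024-03-06T02:11:05 bob vpn
2024-03-06T17:40:00 alice vpn
2024-03-07T01:58:47 bob vpn
2024-03-07T23:30:00 carol vpn
"""

BUSINESS_START, BUSINESS_END = 7, 19  # assumed working hours (local time)
STREAK_DAYS = 3                       # assumed meaning of "several days in a row"

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, user, _entry = line.split()
            yield datetime.fromisoformat(ts), user

def off_hours_days(events):
    """Map each user to the sorted dates on which they logged in off-hours."""
    days = defaultdict(set)
    for ts, user in events:
        if not (BUSINESS_START <= ts.hour < BUSINESS_END):
            days[user].add(ts.date())
    return {user: sorted(d) for user, d in days.items()}

def longest_streak(dates):
    """Length of the longest run of consecutive calendar days in sorted dates."""
    best = run = 1
    for prev, cur in zip(dates, dates[1:]):
        run = run + 1 if cur - prev == timedelta(days=1) else 1
        best = max(best, run)
    return best

def triage(text):
    """One odd-hour login is worth a review; a multi-day streak is escalated."""
    return {
        user: "escalate" if longest_streak(dates) >= STREAK_DAYS else "review"
        for user, dates in off_hours_days(parse(text)).items()
    }

if __name__ == "__main__":
    for user, level in sorted(triage(SAMPLE_EVENTS).items()):
        print(user, level)
```

The login itself is valid in every case; only the timing separates bob's three nights from alice's ordinary workday.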
At this stage in our metaphor, we have discussed how we protect our perimeter from break-ins, how cybercriminals work to defeat those protections and how we might detect suspicious activity once they get in. In the next section, we will look at other steps the bad guys must take and explore ways to stop them.
Step 2: Establishing Communications
Breaking through the defense perimeter does not usually drop the bad guy into a spot in your enterprise where there is valuable data. They end up in the lobby of your bank. They have to look around. They have to grope around. They still have to get to the vault.
To get to the vault, they first have to get through the vault room door. The crooks have to look around to find a key to that door. Because they are blind, either in the bank or in your network, they have to communicate out and ask for instructions. Should they go left or right? Is this thing they found, this data, a key? Establishing communications out is a crucial part of the bad guys’ plan. They have to communicate out to continue their exploit.
Network administrators usually work with your CISO to lock down ports through your firewall into your enterprise. But the same effort should be made to lock down paths out. Locking these down prevents bad guys from communicating, stopping them in their tracks.
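To make "lock down paths out" concrete, the following added example (not from the original post) evaluates outbound flow records against a default-deny egress allowlist and groups what would be dropped by internal host. The policy entries, the record format and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed default-deny egress policy: (destination network, port, protocol).
# Anything not listed here is not allowed to leave the enterprise.
EGRESS_ALLOW = [
    ("203.0.113.0/24", 443, "tcp"),    # approved business service (constructed)
    ("198.51.100.53/32", 53, "udp"),   # the one approved DNS resolver (constructed)
]

# Constructed outbound flow records: "source destination dest-port protocol"
SAMPLE_FLOWS = """\
10.0.5.21 203.0.113.10 443 tcp
10.0.5.21 198.51.100.53 53 udp
10.0.9.77 192.0.2.44 443 tcp
10.0.9.77 192.0.2.44 8443 tcp
10.0.5.30 203.0.113.10 22 tcp
"""

def is_allowed(dst, port, proto, policy=EGRESS_ALLOW):
    """True only if destination, port and protocol all match one allow entry."""
    addr = ipaddress.ip_address(dst)
    return any(
        addr in ipaddress.ip_network(net) and port == p and proto == pr
        for net, p, pr in policy
    )

def blocked_by_host(text, policy=EGRESS_ALLOW):
    """Group the flows a default-deny egress policy would drop, per internal host."""
    blocked = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        if not is_allowed(dst, int(port), proto, policy):
            blocked[src].append((dst, int(port), proto))
    return dict(blocked)

if __name__ == "__main__":
    for host, flows in blocked_by_host(SAMPLE_FLOWS).items():
        print(host, "->", flows)
```

A host that keeps hitting the deny rule is also a detection signal, since ordinary staff traffic should already fit the allowlist.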
Step 3: Getting the Next Set of Keys
Usually, the keys into the enterprise come from a regular user, but systems administrators and other super-users control access to the loot. So the robbers have to crawl around and find a better set of keys, first to get through to the back room and then to get to the vault. They may do this from the outside by phishing but, once inside the outer door, they can find admin IDs and passwords lying in the open. Staff think that the perimeter alarms protect them, so they leave keys out in prominent places. Cleartext passwords are exposed when systems administrators build automated scripts with super-user IDs and passwords stored as open text. It is critical to encrypt all user IDs and passwords, and especially super-user IDs.
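A defender can look for these exposed keys before a robber does. The added example below (not from the original post) scans an automation script for passwords written as literals and reports the line, the variable and the secret's length without echoing the secret. The script is constructed, `read_secret` is a hypothetical helper, and the patterns are assumptions that cover only two common forms.

```python
import re

# Constructed sample of an admin automation script.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly backup
DB_USER=root
DB_PASSWORD="Sup3rS3cret!"
API_TOKEN=${VAULT_API_TOKEN}
mysqldump -u "$DB_USER" -p"$DB_PASSWORD" payroll > /backup/payroll.sql
sshpass -p 'hunter2hunter2' ssh admin@10.0.0.5 uptime
password=$(read_secret db/root)
"""

# A value is a double-quoted string, a single-quoted string, or a bare word.
VALUE = r'''(?:"([^"]+)"|'([^']+)'|([^\s"']+))'''
SECRET_NAME = r"\w*(?:password|passwd|pwd|secret|token)\w*"
ASSIGN = re.compile(r"\b(%s)\s*[=:]\s*%s" % (SECRET_NAME, VALUE), re.I)
SSHPASS = re.compile(r"\b(sshpass\s+-p)\s*%s" % VALUE)

def is_literal(value):
    """Variable references and command substitutions are not stored secrets."""
    return not value.startswith(("$", "`"))

def scan(text):
    """Return (line number, name, secret length) for each hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in (ASSIGN, SSHPASS):
            for m in pattern.finditer(line):
                name = " ".join(m.group(1).split())
                value = next(g for g in m.groups()[1:] if g is not None)
                if is_literal(value):
                    # Report the length only, so the report does not leak the key.
                    findings.append((lineno, name, len(value)))
    return findings

if __name__ == "__main__":
    for lineno, name, length in scan(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name} holds a {length}-character literal secret")
```

Lines 5 and 8 of the sample are not flagged because they fetch the secret at run time instead of storing it in the script.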
There is another option to protect admin passwords. You can expire super-user IDs and passwords daily and make admins request a new password each day. Frequent password changes are a burden on the system administrators for sure, but locking down the inside doors is just as important as locking the outside doors. In other words, you need to develop multiple layers of defense and not believe that a secure perimeter layer is sufficient. Note that there are software products that make it relatively easy to check out a new admin password each day.
At this point, the bank robbers have broken into your bank and made it into your vault.
In the next post of this series, we will see what they must do to get out with the loot and look at what you might do to stop them.
Rob Klopp is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!).