EDITOR'S QUESTION
INTELLIGENTCIO

Businesses need to consider the risks not only from technical vulnerabilities and concerns such as unpatched software, but also from attackers who understand the business processes of a particular target. We have seen from indictments that attackers are using publicly available social networking profiles to build contextually relevant social engineering attacks and are explicitly targeting employees who they know will be handling sensitive or valuable information. One example would be employees who are handling company filings to a regulator.

We have also seen the technical exploitation of systems in order to facilitate fraudulent bank transfers, such as the Bangladesh bank attacks that targeted the SWIFT access systems and the FASTCash attacks that targeted retail payment systems. In both cases, the attackers understood how the business processes of the targets functioned, in particular the approval process for transactions, and used technical means to subvert the business processes and thereby make fraudulent bank transfers.
More broadly, Digital Shadows recommends a defence in depth approach. By this we refer to multiple, partially overlapping security controls that mutually reinforce each other to provide increased resiliency to network intrusions. These are fundamental and widely used security principles, which apply across all types of attacker and are relevant to business process compromise attacks. They are:

1. Only provide access where it has been explicitly granted, otherwise deny. This is a useful principle to apply to firewalling and other techniques for managing traffic flow, such as IP whitelisting.

2. Principle of least privilege. Restrict workstation-to-workstation communication to only that which is necessary, and segment networks so that the compromise of one endpoint does not automatically give access to the entire network. The principle of least privilege should also be implemented for file, directory and network share permissions.

3. Attack surface reduction. Any feature of a piece of software or hardware that is enabled increases your attack surface. By going through the process of discovering which protocols or features are explicitly required for a system to function and disabling all other unnecessary features, a system is hardened against attack. Applying vendor patches in a timely fashion to reduce the number of exploitable vulnerabilities in installed software, as part of a continuous vulnerability assessment programme, is also important here.

4. Need to know compartmentalisation. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.
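Principles 1 and 2 above (deny unless explicitly granted, and segment so that one compromised workstation cannot reach everything) can be expressed as a small allow-list policy. The following is an added illustration, not code from the article or from Digital Shadows: the network segments, the two allow rules and the sample flows are all constructed for the example, and the addressing is assumed. Every flow that does not match an explicit grant falls through to the default deny, including workstation-to-workstation traffic and a finance workstation reaching the payment gateway on a port that was never granted.

```python
"""Default-deny network policy check.

Added example illustrating 'deny unless explicitly granted' and
network segmentation. The segments, rules and sample flows below are
constructed for this example and do not describe any real deployment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source network (CIDR)
    dst: str        # destination network (CIDR)
    port: int       # destination TCP port
    reason: str     # the explicit business reason the grant exists


# Constructed segments (assumed addressing for this example only).
WORKSTATIONS = "10.10.0.0/16"
FINANCE_WS = "10.10.50.0/24"      # a subnet of WORKSTATIONS
FILE_SERVERS = "10.20.0.0/24"
PAYMENT_GW = "10.30.0.0/24"

# The explicit allow-list. Anything not matched here is denied.
# Note there is deliberately no workstation-to-workstation rule.
ALLOW = [
    Rule(WORKSTATIONS, FILE_SERVERS, 445, "file shares for all staff"),
    Rule(FINANCE_WS, PAYMENT_GW, 443, "finance team submits transactions"),
]


def is_allowed(src_ip: str, dst_ip: str, port: int) -> tuple[bool, str]:
    """Return (allowed, reason). Falls through to default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in ALLOW:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and port == rule.port):
            return True, rule.reason
    return False, "default deny: no explicit grant"


def evaluate(flows):
    """Evaluate a list of (src, dst, port) flows against the policy."""
    return [(s, d, p, *is_allowed(s, d, p)) for s, d, p in flows]


# Constructed sample flows: what a segmentation review might look at.
SAMPLE_FLOWS = [
    ("10.10.50.7", "10.30.0.10", 443),   # finance workstation -> payment gateway
    ("10.10.3.9", "10.30.0.10", 443),    # ordinary workstation -> payment gateway
    ("10.10.3.9", "10.10.3.10", 445),    # workstation -> workstation
    ("10.10.3.9", "10.20.0.5", 445),     # workstation -> file server
    ("10.10.50.7", "10.30.0.10", 22),    # finance workstation, port never granted
]

if __name__ == "__main__":
    for src, dst, port, ok, why in evaluate(SAMPLE_FLOWS):
        verdict = "ALLOW" if ok else "DENY "
        print(f"{src:>12} -> {dst:<12}:{port:<4} {verdict} ({why})")
```

The useful property for a reviewer is that the policy is readable as a list of business justifications: each grant carries its reason, and the absence of a rule is itself the control. The same shape (explicit grants, default deny) carries over to the file and share permissions mentioned under principles 2 and 4.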
www.intelligentcio.com