Trust is a major differentiator between financial institutions and internet companies. Ask most people if they would take a loan from Yahoo and the answer would likely be yes. Ask the same people if they would deposit their life savings with Yahoo and the answer would likely be no. Banks have established trust with consumers based on hundreds of years of keeping deposits safe, managing capital efficiently, and oversight from appropriate regulatory bodies. Once consumer trust is eroded, you could argue there is no difference between internet companies and financial institutions. So protecting consumer trust is critical to maintaining market presence and a viable business in the digital world.
Protecting consumers is largely dependent on a company’s commitment to a robust security culture and layered defences. Here follow the tales of two companies with very different security capabilities and cultures.
Our first company, let’s call it Company A, had a mature cyber intelligence function that monitored external threats and fed this information into their security operations centre (SOC) for analysts to digest. The intelligence team consumed both non-commercial and commercial information feeds and used this information to defend their company from attackers. Knowing how a current threat actor compromised other companies allowed the team to craft countermeasures and ensure their own systems did not have the same vulnerabilities. They could also assess whether the information was relevant to their operations and formulate an appropriate response.
By comparison, Company B had a compliance mentality. They were not deeply concerned with a quality security outcome but rather more interested in ticking boxes. They had a small, underfunded security operations team and had no formal intelligence function.
One day, in the very recent past, a vulnerability in the Apache Struts web framework was publicly announced. The vulnerability allowed an attacker to execute their own malicious code on the vulnerable web server, which essentially gave them full access to do whatever they wished.
Within days of the public release of the vulnerability, an example exploit was published on the internet to demonstrate how to make use of it. It didn’t take long for this exploit to become widely used by actors with malicious intent who then commenced scans of all web servers on the internet to see if they were vulnerable to compromise.
The Company A security team were well informed by the intelligence team and had already declared a high-priority security incident. Customers and staff were also provided with guidance on steps they could take to protect their web services. Staff analysed the exploit and wrote signatures for their Web Application Firewalls (WAFs) to thwart attempted compromise. Simultaneously, they commenced an emergency patching response and organised developers to recompile their web applications against an updated Apache Struts framework. There was no impact to the company despite observing hundreds of attempted exploits over the days that followed.
Company B did little and did not seem to understand the risk that the vulnerability announcement represented to their company. Attackers quickly identified their website as vulnerable and compromised it by installing their own malicious tools.
Company B was oblivious and several months went by.
The mainstream media broke the story that millions of consumers’ private information and credit card details had been stolen from Company B. With its reputation in tatters, Company B’s share price dropped dramatically and new revenue opportunities stalled. Eventually, some Board members and executive management took opportunities elsewhere.
The story demonstrates the complexity of cyber defense. Staying safe in a digital world takes a deep commitment: commitment to quality security skills and processes, and to security across the whole enterprise. This means attracting good people and continuously developing them to ensure they maintain the currency of their skills and experience. And it means connecting those people across the industry to share and learn from peers in a meaningful way.
It also demonstrates the important role of intelligence in cyber defense and the value of a deliberate commitment to sharing intelligence with peer groups. Sharing intelligence does not threaten competitive advantage, and one day it may be a piece of information received from a peer that prevents your company from being front-page news. The story also highlights how important it is to have a strategy of layered defenses, which is a simple recognition that you cannot rely on a single control to be totally effective.
So a security strategy must be based on defending against both known and unknown vulnerabilities.
Start by making sure all code is reviewed and a penetration test is performed before an application is released to production, to protect against common, known vulnerabilities. Install web application firewalls in block mode as the second layer of defense. Adding anti-virus to the web server and keeping tight controls on user access and administration permissions add further layers of defense. Establishing tools that allow systems to be searched for known intelligence indicators of compromise is also very useful.
Configuration and file integrity monitoring help identify exploitation of unknown vulnerabilities by detecting unauthorized changes to the server that the SOC can investigate, adding further layers of defense. Restricting the network access of a server using network segmentation and/or network access controls contains where an attacker can go if they do manage to take control of your server. And behavioral analytics alert when something unusual is happening, regardless of whether the attack method is known or unknown. If all else fails, your people can be the first or final layer of defense, if armed with the ability to recognize and report suspicious activity (e.g. emails) and an understanding of the importance of technology hygiene routines, like patching.
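As an added illustration of two of the layers described above, file integrity monitoring and searching systems for known indicators, here is a small Python script that is not part of the original article. It hashes a web-server document root into a baseline, re-hashes it later, and reports added, removed and modified files for the SOC to triage; it also matches current file hashes against an intelligence feed of known-bad hashes. The toy web root, the "drift" applied to it and the feed entry are all constructed in the `demo()` function and are not real indicators.

```python
"""Added example: file-integrity baseline plus indicator (IOC) hash search.

Assumptions (not from the original article): the web root is hashed into a
path -> SHA-256 map, and the intelligence feed is a list of SHA-256 hashes.
Everything in demo() is constructed sample data.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and map each file's relative path to its SHA-256 hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Classify drift between two path -> hash maps (sorted for stable output)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def match_iocs(current, ioc_hashes):
    """Return (path, hash) pairs whose hash appears in the intelligence feed."""
    wanted = {h.lower() for h in ioc_hashes}
    return sorted((p, h) for p, h in current.items() if h.lower() in wanted)


def demo():
    """Constructed scenario: baseline a toy web root, then detect drift."""
    # Constructed "known-bad" content; its hash stands in for a feed entry.
    known_bad = b"constructed known-bad sample content\n"
    feed = [hashlib.sha256(known_bad).hexdigest()]

    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WEB-INF"))
        with open(os.path.join(root, "index.jsp"), "w") as f:
            f.write("<html>hello</html>\n")
        with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as f:
            f.write("<web-app/>\n")

        # Baseline taken at deployment time (store it off-host in practice).
        baseline = build_baseline(root)

        # Constructed unauthorized drift: a config edit and an unexpected file.
        with open(os.path.join(root, "WEB-INF", "web.xml"), "a") as f:
            f.write("<!-- unexpected edit -->\n")
        with open(os.path.join(root, "unexpected.jsp"), "wb") as f:
            f.write(known_bad)

        current = build_baseline(root)
        drift = compare(baseline, current)
        hits = match_iocs(current, feed)
        return drift, hits


if __name__ == "__main__":
    drift, hits = demo()
    print("drift:", drift)
    print("ioc hits:", hits)
```

Run it on a schedule against the real document root, keep the baseline somewhere the web server's own account cannot write to, and forward the drift report and any feed hits to the SOC; a modified `web.xml` or an unexpected `.jsp` under the web root is exactly the kind of change worth investigating.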
Without a robust security culture and mature layered defenses, it is just a matter of time until a breach occurs. Even with these in place, it is still difficult to defend, but the risk is greatly reduced and the damage can usually be contained to a less catastrophic outcome.