The 6 D’s of Cyber Security
In this article, we will discuss the 6 D's of cyber security and how you can implement them in your own cyber-defense strategy -- Deter, Detect, Defend, Deflect, Document, and Delay. Creating a holistic approach to your cyber-security plan using these six references can drastically reduce your organization's risk.
Creating preventative measures will discourage hackers and protect your network. Use these techniques to deter your attacker from causing serious damage.
For starters, don't have public-facing systems return automated error messages that are so detailed they give the attacker information he can use against you. For example, when a user specifies an incorrect password, do not say "Incorrect password" because it alerts the attacker that the username he entered does in fact exist. Instead, say "Incorrect username or password." Privileged accounts (especially those with giveaway usernames such as admin, administrator, or root) will benefit from this by not giving their usernames away if an attacker guesses them properly.
You should also implement Account Lockout policies, where a user who enters the incorrect password multiple times in a row will be locked out. Give the account access again after a certain amount of time passes or after an administrator unlocks the account. This prevents attackers from guessing a large number of password combinations in a short amount of time and also deters them from trying again after they are locked out. This is especially important on privileged accounts, which may be the target of brute force attacks.
Further, you can prevent password guessing attacks by limiting the number of login attempts from a single IP address within a certain time period. If an attacker only gets 5 guesses to your administrator's password, chances are he won't get it right and will have to come back later to try another 5 times… and so on. As you can imagine, attackers can get discouraged by this and usually try to move on to an easier target. You can't possibly stop every kind of attack from happening, but you can certainly impede an attacker's progress.
It's always a good idea to have automated intrusion detection systems in place, whether network-based or host-based, but it is also important to watch logs for suspicious behavior.
Connections from suspicious IP addresses, logins at unusual times of the day, or a high number of login attempts are all possible signs that an attacker may be trying to get in (or has already obtained access to your network). Auditing and alerts are very important in detecting suspicious behavior. For example, you could determine if a certain administrator account is falling victim to a brute force attack by checking the logs and seeing that the account has a large number of failed login attempts. When detecting suspicious behavior, it is helpful to have reference material consisting of what normal traffic looks like at a given time of the day – by having a set of data that is considered normal, you can notice abnormalities in other sets of data by comparison.
Defense is both a passive and active word when it comes to information security. The network and its systems should be secure, but what happens when an attacker finally does get in?
Establishing strong defenses across your network and its connected systems typically starts with keeping software and operating systems patched and up to date. This ensures that known vulnerabilities and weaknesses are fixed, limiting the number of possible attack vectors and attacker can use to get in to your systems.
However, if an attacker does manage to get onto your network, reactionary measures should be taken. Blocking the attacker's IP address via a firewall is a good course of action. More importantly, notice what the attacker is targeting – if he is attacking a web server using a potential vulnerability, make sure the server is not vulnerable to it after thwarting his attempt to get in. The attacker may be back under a different IP address later and will likely continue the same line of attack. If the attacker is trying to guess the password of a privileged account, you should consider changing the name of that privileged account to hide the usernames of privileged accounts from the public – an attacker's password guessing job is exponentially harder if he also has to guess the username.
Wouldn't it be nice if an attacker went after a fake system instead of a system with your real data? It's possible. All you have to do is set up a honeypot, which is with a fake system with fake sensitive data, specifically made to attract attackers and divert them from your real data. Honeypots are widely used today. By attracting attackers with desirable data and sub-par security, system administrators can monitor the attackers' behavior on the honeypot while the rest of the network is isolated and protected by a firewall. Honeypots come in several variations, each ranging in cost to maintain and effectiveness in simulating a real machine. The cost will depend on how much insight and monitoring you will want for behaviors happening within the honeypot.
Always document incidents whether they were successful attacks that did damage or not. A large number of data breaches in 2014 were revealed to the public months after the attackers gained access and stole the information already, proving that documenting incidents is important even if they seem small and insignificant.
If an incident occurs, you should record this type of information:
- IP address that was connecting to the machine (the attacker's machine)
- IP address of the machine that was being connected to (which server was being attacked?)
- Type of attack
- Date and time the attack occurred
- Logs generated from the incident.
Using this information, you can notice patterns in an attacker's behavior, deduce his goals based on what type of attack he is attempting, predict his possible next moves, and filter logs in the future to search for repeated attacks of the same type.
Every wall an attacker hits on his way to your sensitive data slows him down. That is why it is a good idea to practice setting up layers of defense in case the first one fails. A firewall facing the outside world is a good start, but depending on your organization, many ports can be open that are necessary to provide services to customers and keep business moving every day. So when an attacker finds his way past this first layer of defense, what happens next? There should be more obstacles in his way before he gets to the sensitive data he wants.
Access control lists help restrict who can log on to systems and when, meaning an attacker may have trouble moving throughout a network without leaving a glaringly obvious trail of failed login records.
Long and complex passwords are a very basic delay tactic that are not used nearly often enough. They protect against password guessing, brute force attacks, and Pass the Hash attacks. Even if the attacker obtains password hashes and is attempting to obtain the plaintext passwords by using a cracking tool, it will take significantly longer for him to do this – meaning more time for you to change the password to something else.
While stopping an attack completely is desirable as opposed to merely slowing it down, buying your team time to react to the attack and follow your company's incident response policy could very well allow for machines to be patched and passwords to be changed before the attacker has a chance to successfully extract any sensitive data.
While no company wants to take its systems offline, that may be necessary if you are under a serious attack, and you should have a plan for when you would do this and who makes the call. Doing so is the most effective way to stop many attacks and prevent an attacker from connecting to your system. Taking a system off of the network so attackers have no way to get into it is the best delay tactic there is, and buys you as much time as you need to patch the system and correct whatever vulnerabilities allowed the attacker to get in in the first place.
Want to talk security with our IAM experts? Next week we'll be attending RSA Conference in San Francisco. Stop by booth #2121 in the South Hall to discuss your 2015 security strategy and to meet our team.