IT security is as old as IT itself. That said, simply relying on the strategies of yesterday isn’t enough to combat modern threats. Case in point: over the past year we’ve witnessed two of the largest and most effective IT security breaches ever: Heartbleed and the Target breach. The most stunning detail about both of these attacks is that neither of them relied on some revolutionary new attack vector. They relied on tried-and-true methods for penetrating network defenses. Understanding how Heartbleed and the Target breach were allowed to become such hugely successful attacks shows us the steps that we, as IT pros, can take to head off the next threat to come over the horizon.
Heartbleed is simply a flaw in the coding of the open-source OpenSSL library. Unfortunately, OpenSSL is a software library used by probably 75 percent or more of the websites on the Internet. This elevated Heartbleed from a minor problem into a major headache. Heartbleed wasn’t the result of malicious intent. It was just an accidental oversight by a well-meaning developer, a mistake that could happen to any developer working on any project.
It should surprise no one that coding errors happen and that occasionally they slip through the cracks and make it into a released product. The lesson here is to stop assuming that all errors will be caught. Instead, assume that at some point an error will show up in production software. It’s a matter of when, not if. This simple change in ideology reminds us to constantly monitor our systems for suspicious activity and to never ignore the warning signs of a problem.
Ignoring the warning signs is exactly what spelled doom for Target. While the attackers were installing their malware, Target’s outside security monitoring firm sent an alert about suspicious activity. Had Target reacted to the alert and taken appropriate measures, the data collected by the malware would never have been transmitted outside of the Target network. No 40 million credit cards exposed, no 70 million personal records leaked, and no billion-dollar-plus cost.
Perhaps even more troubling about the Target breach is the fact that it all began with the legitimate credentials of an HVAC contractor being compromised. That’s right, the whole problem began with the age-old security concern of valid credentials ending up in the wrong hands. Again, nothing new to the IT world.
One simple action could have stopped the Target attackers dead in their tracks, before they were able to elevate privileges to a level allowing them to install malware on Target’s PCs and servers. What action? Change auditing. Consider what might have happened if an effective change auditing system had been in use at Target. Change auditing could have exposed suspicious activities such as:
- The HVAC contractor’s credentials being used to access unusual resources at unusual times
- The HVAC contractor’s credentials being added to elevated permissions groups or granted access rights to unusual resources
- Changes in privileged group memberships
- Unexpected newly installed software on servers
Of course, the list goes on and on. The fact is, change auditing could have screamed to anyone listening that a problem was brewing. Ignoring a suspicious activity warning from an outside contractor is one thing. Ignoring dozens of inexplicable events occurring on the network is another thing entirely. I’ll just come straight out and say it: had Target been actively auditing changes, the amount of data exposed would have been relatively minor. Certainly much less than the 11+ GB that ended up in the hands of attackers.
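The four checks in the list above can be written as rules over a change-audit event stream. The following is an added example, not code from the original article: the event format, account names, group names, and baselines are all hypothetical, and the events are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Assumptions for this sketch: account names, groups and baselines are hypothetical.
VENDOR_BASELINE = {"svc-hvac": {"resources": {"billing-portal"}, "hours": range(7, 19)}}
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}
APPROVED_SOFTWARE = {"backup-agent", "av-client"}

# Constructed change-audit events (not real log data).
EVENTS = [
    {"ts": "2024-03-04T10:15", "actor": "svc-hvac", "action": "access", "target": "billing-portal"},
    {"ts": "2024-03-05T02:40", "actor": "svc-hvac", "action": "access", "target": "pos-deploy-share"},
    {"ts": "2024-03-05T02:55", "actor": "adm-jlee", "action": "group_add", "target": "Domain Admins", "member": "svc-hvac"},
    {"ts": "2024-03-05T03:05", "actor": "adm-jlee", "action": "group_add", "target": "Helpdesk", "member": "tmp-user"},
    {"ts": "2024-03-05T03:10", "actor": "svc-hvac", "action": "software_install", "target": "pos-server-01", "package": "unknown-svc"},
    {"ts": "2024-03-05T09:00", "actor": "adm-jlee", "action": "software_install", "target": "file-01", "package": "backup-agent"},
]

def audit(events):
    """Return (timestamp, rule, account) findings for the four checks in the list."""
    findings = []
    for e in events:
        base = VENDOR_BASELINE.get(e["actor"])
        if e["action"] == "access" and base:
            # Vendor account touching a resource outside its baseline, or outside its hours.
            if e["target"] not in base["resources"]:
                findings.append((e["ts"], "vendor_unusual_resource", e["actor"]))
            if datetime.fromisoformat(e["ts"]).hour not in base["hours"]:
                findings.append((e["ts"], "vendor_unusual_time", e["actor"]))
        elif e["action"] == "group_add" and e["target"] in PRIVILEGED_GROUPS:
            # Any privileged group change is reported; a vendor member is reported twice.
            findings.append((e["ts"], "privileged_group_change", e["member"]))
            if e["member"] in VENDOR_BASELINE:
                findings.append((e["ts"], "vendor_privilege_grant", e["member"]))
        elif e["action"] == "software_install" and e["package"] not in APPROVED_SOFTWARE:
            findings.append((e["ts"], "unapproved_software", e["actor"]))
    return findings

def accounts_to_escalate(findings, threshold=3):
    """Accounts with several findings: one alert is easy to dismiss, a cluster is not."""
    counts = Counter(account for _, _, account in findings)
    return {a: n for a, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(*finding)
    print(accounts_to_escalate(audit(EVENTS)))
```

On the sample events, every finding lands on the same vendor account within half an hour, which is the kind of cluster the paragraph above argues is hard to ignore.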
Our concern as IT pros isn’t limited to just preventing the next Heartbleed or Target breach. It really falls on us to prevent the next security breach, whatever it may be. We must learn from the past while anticipating the future. Years ago, I began saying “it’s typically not what we know that gets us in trouble, it’s what we don’t know.” This axiom reminds us to remain vigilant and not be lulled into a false sense of security. Now, more than ever, we need to take an active role in defense of our networks.
Conventional defenses are still absolutely required in our networks. Good firewalls, excellent malware protection, and all the other security staples need to be in place and working. On top of that, though, I believe recent security threats prove that we need to take action beyond just automated defense systems. We must integrate active strategies such as change auditing and reporting into our daily routines. Only this type of evolved strategy will put us in position to react quickly and effectively against the next unknown threat. How the threat comes at us isn’t important. Whether we’re watching and ready to defend our networks, and our information, is all that really matters.