Monday, May 4, 2009

Tunnel Vision

When waging our battles on the security front, most organizations just put all the big guns on the front line. We buy expensive load balancers to absorb DoS attacks, state-of-the-art firewalls to prevent penetration, VPN products to secure our remote entry points, etc. Whenever some major threat comes along, everybody jumps out of bed and rushes over to plug the hole, but at times like that we often forget one of the oldest tricks in the burglar's book: the diversion (a.k.a. "steaks for the dogs").

Unlike in the movies, hacking into a network is not a wham-bam-thank-you-ma'am deal. An attacker spends a long time conducting surveillance and gathering intelligence, and when he does move in, it will hardly look like a commando raid. There won't be alarms ringing or security doors closing and sealing people off in safe rooms, and no SWAT team will show up yelling through megaphones. More often than not, some minor file will be found missing or altered days, weeks or months later, and that will lead to an investigation that reveals the break-in. So if you get that dreadful 4 AM phone call telling you that the firewall's alerts are going off all over the place, or that your security center is detecting multiple attacks, that does not necessarily mean someone is actually attacking your firewall.

Just as a commando unit trying to break into an army base will distract the guards with some explosions at the front gate while sneaking in through the back, a computer attacker will most likely try to get the entire security team to focus on the most visible notification mechanisms. He will use several mechanisms to trigger every possible alert on your security devices, and he will do it after midnight so that you and your security team are tired, angry and less effective. He will try to keep you busy for as long as possible blocking the DoS attack and plugging the obvious holes, while he quietly slips in through some back door that is less obvious and less protected. You will find yourself running from server to server, trying to get your bearings in gigabytes of logs, and chances are you'll spend days on it. When things quiet down you might find the actual leak or penetration, but by then the attacker will be long gone.

If this has happened to you, don't be surprised. After all, most information security people are technology gurus, not military-trained commanders, and it is only natural to focus our attention on the most visible threat, just as a driver focuses on the tree he is about to hit rather than on the other car that is about to hit him (this is often referred to as "tunnel vision"). There is a way to handle it, though, and that is by preparing properly. Your organization's security policy should have this scenario specifically laid out, and the team needs to be trained not to treat every alert as an alarm. One way is to assign responsibilities to people and stick to them. If a virus is rampant on the network, the backup administrator shouldn't be told to forget about the backups "for now" and help clean up machines. On the contrary: he should continue his work and keep an eye out for anything suspicious or wrong with the procedure. If the firewall appears to be breached, the PC technician crew shouldn't be reassigned to reviewing logs, but should keep monitoring the user-request queue. Maybe an innocent-looking account lockout request reveals an account breach that is masked by the pointless firewall attack? Perhaps the virus was unleashed intentionally so that the attacker could have uninterrupted access to the data on the backup server?
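One way to build the "every alert is not an alarm" rule into tooling is to keep a flood of identical alerts from burying a lone event elsewhere. The following is an added example (not code from the original post); the alert feed, host names, user name and IP range are all constructed placeholders:

```python
from collections import Counter
from typing import Dict, List, Tuple

Alert = Dict[str, str]

# Constructed sample alert feed (not from the post): 400 firewall port-scan
# alerts fired after midnight, one DoS-threshold alert, and one quiet account
# lockout on the backup server followed by a helpdesk unlock request.
# Host, user and IP values are placeholders.
SAMPLE_ALERTS: List[Alert] = [
    {"time": f"02:{i % 60:02d}", "source": "firewall", "type": "port_scan",
     "detail": f"scan from 198.51.100.{i % 250}"}
    for i in range(400)
] + [
    {"time": "02:13", "source": "firewall", "type": "dos_threshold",
     "detail": "SYN flood on external interface"},
    {"time": "02:17", "source": "backup-srv", "type": "account_lockout",
     "detail": "user bkpadmin locked after 5 bad passwords"},
    {"time": "02:41", "source": "helpdesk", "type": "lockout_request",
     "detail": "ticket: unlock bkpadmin"},
]

def triage(alerts: List[Alert], flood_threshold: int = 50) -> Tuple[List[dict], List[Alert]]:
    """Split an alert feed into floods and quiet alerts.

    A (source, type) pair firing at least flood_threshold times is collapsed
    into one summary record: a single incident for the firewall team to own.
    Everything else is returned individually, so a lone lockout on the backup
    server keeps its own lane instead of drowning under the firewall noise.
    """
    counts = Counter((a["source"], a["type"]) for a in alerts)
    floods: List[dict] = []
    quiet: List[Alert] = []
    summarised = set()
    for a in alerts:  # feed order is preserved in both output lists
        key = (a["source"], a["type"])
        if counts[key] < flood_threshold:
            quiet.append(a)
        elif key not in summarised:
            summarised.add(key)
            floods.append({"source": a["source"], "type": a["type"],
                           "count": counts[key], "first_seen": a["time"]})
    return floods, quiet

if __name__ == "__main__":
    floods, quiet = triage(SAMPLE_ALERTS)
    for f in floods:
        print(f"FLOOD  {f['source']}/{f['type']} x{f['count']} (first {f['first_seen']})")
    for a in quiet:
        print(f"REVIEW {a['time']} {a['source']}: {a['type']} - {a['detail']}")
```

Run as-is, the 400 port scans become a single FLOOD line, while the lockout and the helpdesk ticket stay visible as separate REVIEW lines for the people whose queue they belong to.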

Another technique that has worked well in the physical security industry is the emergency level system. A company can define an emergency level scale and assign specific duties to each level. If a file is found to be altered, that raises the threat level, which has some people set aside routine duties and investigate, but doesn't throw the entire IT group into chaos and mayhem.
