Tried, Tested and Proven

Portcullis regularly gets contacted by organisations seeking help with regard to cyber attacks. Motivation varies: some take a proactive stance against a perceived threat, others have been warned of imminent threats to their organisation, and some consider themselves to be under attack.

Are traditional security measures capable of handling many cyber attacks?

What constitutes a ‘cyber attack’ varies, and I’m not going to try to define it here (nor do I much like the term), but at Portcullis we are exposed to clients’ challenges relating to state-sponsored espionage, hacktivism, criminal gangs, malware, SCADA, DDoS and more. My role in Portcullis sees me working with clients to design and manage our response to the client’s requirements in this space.

Some organisations demonstrate a good security posture, and the route to meeting their security goals is comparatively straightforward. However, we find that a good number of organisations demonstrate a poor security posture; for whatever reason, they have managed to survive with security some way off good practice. We encounter cultural issues where security is a low priority, poor patching, no segregation, lack of assurance, poor monitoring, unsupported legacy systems and more.

When providing cyber defence solutions to clients with a poor security posture, it becomes clear that there is so much to do that our options in the short term are limited. Where we would hope to be improving security by a few percent, we’re actually looking for quick wins and talking about long-term improvement strategies. We can get these clients to where they wish to be, but the process is not as simple as first hoped. Quite simply, without effective traditional security controls, any kind of response against cyber threats will be limited. Furthermore, as is detailed below, traditional security measures are perfectly capable of handling many cyber attacks.

Given the frequency of these challenging projects, and questions from clients regarding where cyber security fits in alongside current practice, it seemed like time to state the case for adhering to what is considered traditional security good practice.

There is an assumption that cyber attacks are very sophisticated, launched by expert hackers using brand new ‘zero day’ exploits that leverage holes in operating systems that not even Microsoft (and others) know about, let alone have issued patches for. Not true. It is true that attackers can use these advanced measures (and, working from a solid platform, Portcullis can step up to identify and stop such attacks); however, in most cases the attacks are pretty rudimentary, relying on well-known weaknesses.

Assuming that the attackers have the capability to launch sophisticated attacks (and not all do), few will want to roll out their greatest weapons straight away. In the first instance they’ll use tools requiring low operator skill levels and leverage known vulnerabilities. Why would they make something more challenging than it need be? Furthermore, keeping sophisticated attack methods out of general release means that they have a much longer shelf life before virus signatures are generated, patches released, etc.

In most attacks (including those wrapped up in the cyber banner) it is common to find that the attacker has taken advantage of a readily identifiable and trivial-to-leverage security issue. This may include weak Internet-accessible systems due to password weaknesses, insecure network services, vulnerable web applications, poor network topology or insufficient patching. Patching issues also extend to malware-based attacks against internal systems, where the malware typically leverages known, patchable weaknesses in desktop applications and the workstation operating system. Even if the attacker has some success, good network segregation, system hardening, robust password policies and many other traditional security methods would limit the attack, showing the value of the long-standing ‘defence in depth’ mindset. If asked to investigate a security issue, access to reliable, detailed logs stretching back weeks and perhaps even months will prove immensely valuable. All of the methods in this paragraph, and many other successful techniques not mentioned, fall within the remit of traditional security good practice and really are successful in resisting, limiting or identifying the vast majority of attacks.

With confidence that the fundamentals are in place, organisations can be comfortable that they are handling a wide range of security threats, including many that are wrapped up within the term ‘cyber’. It is also reassuring to know that even if an attacker is successful at one level, they will find it challenging to infiltrate the network further, and in particular that key assets are well hived off. If there is an appetite to take specific action against a threat, organisations with a good security posture will find it achievable, cheaper and quicker because they have a solid foundation.

Written by: Simon Saunders of Portcullis.