The changing nature of security threats
In our first installment of the two-part series on emerging security threats (August/September Muse), we examined how the evolving hacker model could affect the cyber security of not-for-profit (NFP) organizations. In this second installment, we take a closer look at how cybercriminals are targeting new technologies like social media, as well as outline specific technical solutions for combating these growing threats.
The reputational risks of social media
Emerging technologies - social media, mobile devices, cloud solutions - are high on the cybercriminal’s list of targets because that’s where the most severe vulnerabilities have been and continue to be discovered. Consequently, they are the new frontier for all types of cybercriminals, hacktivists included. Rather than dive into an analysis of all the new technologies, we will focus on the technology that has become a business-critical platform for NFPs – social media.
For entities that are reliant upon donations from the public for their survival, platforms such as Facebook, Google+ and LinkedIn are indispensable. However, they also present significant risk for the unwary. The most immediate threat from social media is the reputational damage that may result from uncontrolled messaging coming from the organization. There have been a series of high-profile gaffes over the last few years in which social media communications, whether official or unofficial, coming from an entity have resulted in significant public backlash. While the reputational damage is bad enough for a normal organization, for entities that rely on goodwill for survival, including NFPs, the results can be devastating.
There are few, if any, technical controls that will effectively reduce the reputational risks inherent in social media. The solutions to this problem are largely an exercise in proper governance and processes. Employees must be trained to understand what they are allowed to say on behalf of the organization or even within their personal networks if they are openly affiliating with the organization.
Assessing social media risks
To determine the adequacy of your current social media policy, ask yourself these questions:
- Does your organization have a social media policy?
- Does it explain the risks of social media?
- Does it define acceptable social media outlets?
- Does it define what types of comments or information are not allowed to be posted on personal sites if the person links their personal site to the organization’s official site?
- Does it discuss information that is never allowed to be discussed or posted on social media?
- Does it identify the key person responsible for maintaining and managing your organization's presence on social media outlets?
- Does it identify the key person responsible for monitoring your organization’s social media presence?
- Does it address any regulatory compliance requirements?
- Does it identify who is responsible for employee training?
- Is training conducted regularly and repeatedly?
An additional reputational issue facing NFPs is that donors are prime targets for attackers pretending to act on behalf of the organization. In the last year, for example, in the aftermath of natural disasters, it took only a few hours for malicious Web pages to spring up pretending to be charities. Donors are lured to these sites through email or postings on social media pages and may attempt to make donations. What they don’t know is that these sites collect their payment information so that attackers can make charges on their credit card or drain their bank accounts. Organizations should regularly communicate to their donor population with messages warning of such tactics and with clear instructions on how to find the official donation pages.
Technical risks of social media
With regard to more technical risks, cybercriminals are increasingly leveraging social networks to attack users. The reasons are simple. First, by its very nature social media is more difficult to monitor and control. Email infrastructure is normally controlled directly by the company that owns it, while social media infrastructure falls largely outside its control. Second, because of the inherent friendliness and trust relationships that characterize social media, users are more likely to fall for scams and frauds that appear to come from trusted contacts. Malicious attachments, links to dangerous websites and other tricks that would normally be screened out by corporate spam filters can be delivered directly to users via the messaging and file transfer functionality built into social media platforms.
Attacks delivered through these methods have a higher rate of success because they occur inside the castle, meaning they have already passed through basic defenses such as firewalls, and are executing on the user's system, with local anti-virus software as the last and only line of defense. Since attackers have the ability to rapidly alter their malware so that it is not recognized by anti-virus software, this is a tenuous defense at best.
Additionally, social media makes it easier for attackers to find and target individuals in positions of privilege. It allows attackers to perform extensive research on potential victims and to launch their assaults against the users who, if the attacks are successful, will provide the greatest level of access to their environment.
Controlling the technical risks
Before you undertake the task of addressing today’s advanced threats, make sure you first tackle the basics. Evaluate your baseline security system, including patching, access control, segregation of duties, inventory and asset control. In essence, don’t try to build the roof before you’ve laid the foundation. While some attackers do have the capability to deliver highly advanced attacks, all attackers will gladly take advantage of a five-year-old vulnerability or trivial configuration mistake that you somehow overlooked.
Once the basics are in place, you can begin to evaluate whether your environment is equipped to handle today’s threat environment. The primary concept to keep in mind is that you will fail. Your goal is to fail gracefully, which means that you should aim to identify the failure quickly, respond effectively and get back to normal working order as soon as possible.
While the historical focus for information security specialists has been on preventative controls (i.e. making sure the bad thing doesn’t happen), modern threats are specifically designed to bypass these defenses. Organizations should continue to heavily invest in traditional measures such as anti-virus and patching solutions, but they need to expand their capabilities within the detective (i.e. security monitoring) and corrective (i.e. incident response) areas.
For security monitoring, the concept is simple: log everything, bring it together, and have the capability to make sense of it. Verizon’s 2010 Data Breach Investigations Report showed that 87 percent of their customers had the evidence in their logs that they had been breached, but those customers simply did not have the technology or skill set to understand what they were seeing.
In order to avoid being part of this statistic, organizations should consider building out their capability to perform some level of automated log analysis. There are a variety of Security Information and Event Management (SIEM) solutions built specifically for this purpose. Commercial tools such as ArcSight, enVision, QRadar and many others are very popular, but can be expensive. Similar functionality can be deployed more economically using open source tools such as OSSIM and Security Onion, or free versions of commercial tools such as Splunk.
Be aware, however, that no matter which tool set you choose, the process will not be as simple as plug and play. Security monitoring tools are meant to help you detect deviations from the norm, which means the tool must first be taught what is normal for your network. This tuning process can take anywhere from a few weeks to a few months depending on the size and complexity of the environment.
What’s in your plan?
While deploying a robust monitoring capability is a great first step, it will not do you much good if you cannot effectively respond to the events that are detected. With this in mind, the logical next step is to flesh out a formal incident response program for your organization. Some businesses may have a plan, but these are commonly a few pages long, with some vague wording about the IT folks performing an investigation and a couple of phone numbers users should call if their system seems to be acting oddly. In today’s complex threat environment, plans need to be far more complete, and more importantly all key stakeholders need to be thoroughly trained in the role they are expected to play. This can occur through classroom training, tabletop exercises or even live breach simulations.
Keep in mind that the key stakeholders include far more than your IT staff. Ask yourself:
- Do we have a plan for the public relations aspect of the event?
- What if we have to notify individuals, law enforcement or the media?
- Do we have pre-planned templates for letters and public statements?
- Is our legal team experienced in these matters or should we retain external counsel that specializes in these issues?
To avoid getting caught by surprise, organizations should pre-plan as many scenarios as possible. For example:
- Have detailed playbooks for the most common types of events:
  - Virus or worm outbreaks
  - Live hacker on the network
  - Denial of service attacks
  - Social engineering campaigns
- Plan for worst case scenarios:
  - What if internal sensitive data is exposed?
  - What if client and patron data is exposed?
  - What if the breach or infection cannot be contained?
  - What if business critical systems are breached and can’t be taken offline?
- Plan for various outcomes:
  - What if we have to rebuild a significant number of systems?
  - What if we have to rebuild critical systems from backups?
  - What if we have to fail over to our disaster recovery site?
  - How will we run the process if we want to find the responsible party and take legal action? How will we run the process if we don’t?
As you can see, the process can get complex very quickly. Thinking through the various scenarios beforehand will help keep you on a pre-planned path and out of a panicked response mode.
Consider an insurance policy
Lastly, make sure you understand what level of coverage you have within your organization’s general policy, if any, for adverse cyber events. A good policy should protect the organization against typical issues such as data loss or theft, malware outbreaks, physical equipment theft and denial of service attacks. Be very careful, however, about taking the position that it is cheaper to simply pay your insurance premium and file a claim for damages if an event does occur. Insurance companies are slowly incorporating investigative techniques into their claims response processes that are meant to determine if the breach was somehow due to negligence or fault. Organizations that choose not to deploy effective controls and who expect that insurance will cover the damages may find themselves left holding the bag if the insurance company denies their claims.
For more information
For more information on security standards and practices for your organization, please contact Daimon E. Geopfert, national leader, Security and Privacy Consulting, Technology Risk Advisory Services, McGladrey LLP, at 312.634.4523 or Daimon.Geopfert@mcgladrey.com.