Monthly Archives: January 2011

The Importance of the Insider Threat to Security Experts

"I trust everyone, it is the devil inside that I do not trust," is a great line from the movie The Italian Job. Every single person has the potential to do harm if the right circumstances occur. Yes this includes employees. This presents a great deal of trouble to security experts. Why is it that once a total stranger is hired at your company, you now completely trust that person? Just because they are now called an employee does not mean they have loyalty to your organization and would do nothing to hurt the company. Many organizations perform no background checks and no reference checks and as long as the hiring manager likes them, they will hire them. Many people might not be who you think they are and not properly validating them can be an expensive, if not a fatal, mistake. Because most organizations hire complete strangers, without consulting security experts, and then give them access to sensitive data, all organizations must worry about the insider threat. Too much paranoia can cripple an organization but the right amount can protect it. Just ask yourself a couple of simple questions:

  • If someone was fired from a previous company for stealing or unethical activity, would you know?
  • If someone was currently stealing or performing stealthy activity against your organization today, how would you know?

When an organization posts a job opening, it can take weeks until the first interview occurs. All a competitor has to do is prep someone to ace the interview and then they are in. The fact that it can be this easy to get on the inside is a pretty scary thought for organizations and security experts. Once that competitor insider is hired by the company, the competitor organization has the potential to steal sensitive organizational data. Think about it, this is the same process that foreign governments use to plant a spy in a United States agency. Foreign governments know that a key criterion for that person is passing the polygraph, so they will put that person through intensive training so that he or she can pass the polygraph with no problem. This points out a key disadvantage that organizations, and even security experts, have. The attacker knows what process you are going to follow to hire someone and all they have to do is prep someone so they ace that part of the process. Because these attacks are being perpetrated by trusted insiders, you need to understand the damage they can cause; how to build proper measures to prevent the attack; how to minimize the damage; and, at a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprise, they are concerned with the external attack, forgetting about the damage that an insider can cause.

Since everyone uses different terminology, it is important to define what we mean by insider threat. The easiest way to get a base definition is to break the two words apart. According to, insider is defined as "one who has special knowledge or access to confidential information" and threat is defined as "an expression of an intention to inflict pain, injury, evil, or punishment; an indication of impending danger or harm; or one that is regarded as a possible danger." Putting this together, an insider threat is anyone who has special access or knowledge with the intent to cause harm or danger. While no one wants to admit it, it is worth looking around your organization and consulting security experts to see if there are any insiders that are causing harm to the success of your organization.

Advanced Persistent Threat (APT)

APT, formerly known as the Advanced Persistent Threat, is the buzzword that computer security specialists and everyone else is using. Companies are concerned about it, the government is being compromised by it and computer security specialists are using it in every presentation they give.

One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of 3 years ago, you will lose. APT allows organizations and computer security specialists to focus on the real threats that exist today.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization and their computer security specialist be able to fix the appropriate vulnerabilities.

What is APT?

APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. The following are the important things to remember:

1) APT focuses on any organization, both government and non-government organizations. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet the lines between government and commercial are blurring and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point with many attacks is focusing on convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection. In other words, even a computer security specialist needs to be on their toes.

3) Many organizations make the mistake of thinking of attacks like the weather. There will be some stormy days and there will be some sunny days. However, on the Internet you are always in a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization or a computer security specialist lets their guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economies of scale and break into as many sites as possible as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. APT's goal is to look as close (if not identical) to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore the focus will be all about the data. Anything that has value to an organization means it will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.

7) Attackers do not just want to get in and leave, they want long term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.

Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode. This is a never ending battle for computer security specialists. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know?

How to Defend Against the APT?

Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users. Therefore, there is little to prevent. Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, the following are key things organizations and computer security specialists can do to defend against the threat:

1) Control the user and raise awareness – the general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn't. Limiting the actions a user is allowed to do, combined with proper awareness sessions, can go a long way to reduce the overall exposure.

2) Perform reputation ranking on behavior – traditional security tries to go in and classify something either as good or bad, allow or block. However with advanced attacks, this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, computer security specialists need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.

3) Focus on outbound traffic – Inbound traffic is often what is used to prevent and stop attackers from entering a network. While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization.

4) Understand the changing threat – it is hard to defend against something you do not know about. Therefore, the computer security specialists need to understand and know how the offense operates. If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.

5) Manage the endpoint – while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is "Know thy system/network." The more an organization and their computer security specialist can understand about network traffic and services, the better they can spot/identify anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is, and most importantly how quickly you detected it. The key to making this successful is to 1) always get explicit approval 2) run benign attacks 3) make sure the people running the test are of equal expertise to the true attacker; and 4) fix any vulnerabilities in a timely manner. The good news is, by focusing in on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT.
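To make the outbound-traffic and clipping-level advice concrete, here is an added example (not from the original post) that baselines each host's daily outbound byte totals over a week of constructed flow records, sets a per-host clipping level of mean plus three standard deviations, and flags any host that exceeds it on the day under review, along with destinations that host had never talked to during the baseline. Host names, addresses, volumes and the three-sigma choice are all constructed assumptions.

```python
"""Outbound-volume clipping levels per host (added example, constructed data)."""
import statistics
from collections import defaultdict

# Constructed outbound flow records: (day, src_host, dst_ip, bytes_out).
# Days d1-d7 form the baseline; d8 is the day under review.
FLOWS = [
    ("d1", "ws-101", "203.0.113.10", 10_000), ("d1", "ws-102", "198.51.100.5", 20_000),
    ("d2", "ws-101", "203.0.113.10", 12_000), ("d2", "ws-102", "198.51.100.5", 21_000),
    ("d3", "ws-101", "203.0.113.10", 11_000), ("d3", "ws-102", "198.51.100.5", 19_000),
    ("d4", "ws-101", "203.0.113.10", 9_000),  ("d4", "ws-102", "198.51.100.5", 20_000),
    ("d5", "ws-101", "203.0.113.10", 13_000), ("d5", "ws-102", "198.51.100.5", 22_000),
    ("d6", "ws-101", "203.0.113.10", 10_000), ("d6", "ws-102", "198.51.100.5", 18_000),
    ("d7", "ws-101", "203.0.113.10", 12_000), ("d7", "ws-102", "198.51.100.5", 20_000),
    # Day under review: ws-101 pushes a large volume to an address it has never used.
    ("d8", "ws-101", "203.0.113.10", 10_000), ("d8", "ws-101", "192.0.2.77", 240_000),
    ("d8", "ws-102", "198.51.100.5", 23_000),  # busy day for ws-102, but inside its band
]

BASELINE_DAYS = {"d1", "d2", "d3", "d4", "d5", "d6", "d7"}
REVIEW_DAY = "d8"
SIGMA = 3.0  # assumed: clipping level = mean + SIGMA * stdev of the host's own daily totals


def daily_totals(flows):
    """Sum bytes_out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def clipping_levels(flows, sigma=SIGMA):
    """Per-host clipping level derived only from that host's baseline days."""
    per_host = defaultdict(list)
    for (host, day), nbytes in daily_totals(flows).items():
        if day in BASELINE_DAYS:
            per_host[host].append(nbytes)
    return {h: statistics.mean(v) + sigma * statistics.stdev(v)
            for h, v in per_host.items() if len(v) >= 2}


def known_destinations(flows):
    """Destinations each host contacted during the baseline."""
    seen = defaultdict(set)
    for day, host, dst, _n in flows:
        if day in BASELINE_DAYS:
            seen[host].add(dst)
    return seen


def review(flows, day=REVIEW_DAY):
    """Return {host: finding} for hosts whose review-day total exceeds their clipping level."""
    levels = clipping_levels(flows)
    seen = known_destinations(flows)
    findings = {}
    for (host, d), nbytes in daily_totals(flows).items():
        if d != day or host not in levels or nbytes <= levels[host]:
            continue
        today = {dst for dd, h, dst, _ in flows if dd == day and h == host}
        findings[host] = {"bytes": nbytes, "clip": round(levels[host]),
                          "new_destinations": sorted(today - seen[host])}
    return findings


if __name__ == "__main__":
    for host, f in review(FLOWS).items():
        print(f"{host}: {f['bytes']} bytes out, clipping level {f['clip']}, "
              f"new destinations {f['new_destinations']}")
```

The level is computed from each host's own history rather than a network-wide number, which is what "know thy network" buys you: ws-102's 23,000-byte day sits under its 23,873 level and is ignored, while ws-101's 250,000 bytes against a 15,243 level is flagged together with the previously unseen destination.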

What are the 20 Critical Controls to Becoming a Cyber Security Expert?

As a cyber security expert, one of the questions I often receive is what are the twenty critical controls? Details can be found at but the general approach of the controls, and becoming a cyber security expert, is to begin the process of establishing the prioritized baseline of information security measures and controls that will lead to effective security. The consensus effort that has produced the controls has identified 20 specific technical security controls that are viewed as effective at defending against the most common methods of attack. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that are more difficult to be monitored continuously or automatically with current technology and practices; however they are critical to achieving an optimal level of security. Each of the 20 control areas includes multiple individual sub-controls, each specifying actions an organization can take to help improve its defenses and become a cyber security expert.

The 20 critical controls to becoming a cyber security expert are:

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based On Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Cyber Security Expert Skills Assessment and Training to Fill Gaps

Additionally, the controls are designed to support agencies and organizations that currently have different levels of information security capabilities, but are striving to become a cyber security expert. To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain subcontrols have been categorized as follows:

  • Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these subcontrols provide comprehensive protection against the most critical attacks. If they did provide such protection, there would be no need for any other type of subcontrol. The intent of identifying Quick Win areas is to highlight where security can be improved rapidly, driving you towards becoming a cyber security expert. 
  • Improved Visibility and Attribution: These subcontrols focus on improving the process, architecture, and technical capabilities of organizations so that the organization can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and attribution support organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already-compromised machines, interrupting infiltrated attackers' activities, and gaining information about the sources of an attack. In other words, these controls help to increase an organization's situational awareness of their environment and ability to be a cyber security expert. 
  • Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. This type of control focuses on protecting against poor security practices by system administrators and end users that could give an adversary an advantage in attacking target systems. Control guidelines in this category are formulated with the understanding that a well-managed network is typically a much harder target for computer attackers to exploit.
  • Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations already following all of the other controls should focus on this category.

For additional details on the controls, please go to Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at drericcole or email with any questions.

2011 Cyber Security Expert Emerging Trends

It is important to understand the new trends that are occurring amongst cyber security experts to make sure you properly protect your organization. The following are some key trends that you need to be aware of.

1) More focus on Data Correlation

Before adding more devices to a network, perform data correlation across the existing devices first. Networks are becoming so complex that no single device will be able to give enough insight into what is happening across an organization. To better understand both normal and anomalous traffic, data correlation has to be performed across all critical devices. Each device/server has a piece of the puzzle and only by putting all of the pieces together, can organizations understand what is really happening and become cyber security experts.
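Here is an added example (not from the original post) of the kind of cross-device correlation this trend calls for. It takes constructed log lines from three separate sources, a DNS server, a web proxy and an endpoint agent, each of which looks routine on its own, normalizes them to a common timestamp/host form, and reports the chain when a host downloads an executable through the proxy and runs a file of the same name within a few minutes. The log formats, host names, domains and the five-minute window are constructed assumptions, not any vendor's format.

```python
"""Correlating DNS, proxy and endpoint events by host and time (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines. Individually each is unremarkable; together they tell a story.
DNS_LOG = [
    "2011-01-20T10:14:02 host=ws-101 query=updates.example-cdn.test rcode=NOERROR",
    "2011-01-20T10:20:10 host=ws-102 query=intranet.example.test rcode=NOERROR",
]
PROXY_LOG = [
    "2011-01-20T10:14:03 host=ws-101 url=http://updates.example-cdn.test/inst.exe status=200 bytes=512000",
    "2011-01-20T10:20:11 host=ws-102 url=http://intranet.example.test/news.html status=200 bytes=8100",
]
ENDPOINT_LOG = [
    "2011-01-20T10:14:09 host=ws-101 event=process_create image=C:\\Users\\a\\AppData\\Local\\Temp\\inst.exe",
    "2011-01-20T10:21:00 host=ws-102 event=process_create image=C:\\Windows\\System32\\notepad.exe",
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(line, source):
    """Turn '<iso-timestamp> key=value ...' into a dict with a datetime and a source tag."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    fields["source"] = source
    return fields


def basename(path):
    """Last path component, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(dns, proxy, endpoint, window=WINDOW):
    """Find download -> execute chains per host, attaching the DNS lookup that preceded them."""
    events = ([parse(l, "dns") for l in dns] + [parse(l, "proxy") for l in proxy]
              + [parse(l, "endpoint") for l in endpoint])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        downloads = [e for e in evs if e["source"] == "proxy" and e["url"].lower().endswith(".exe")]
        for dl in downloads:
            name = basename(dl["url"])
            domain = dl["url"].split("/")[2]
            execs = [e for e in evs
                     if e["source"] == "endpoint" and e.get("event") == "process_create"
                     and basename(e["image"]) == name
                     and dl["ts"] <= e["ts"] <= dl["ts"] + window]
            if not execs:
                continue
            lookups = [e for e in evs
                       if e["source"] == "dns" and e.get("query") == domain
                       and dl["ts"] - window <= e["ts"] <= dl["ts"]]
            findings.append({"host": host, "domain": domain, "file": name,
                             "chain": [e["source"] for e in lookups + [dl] + execs]})
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_LOG, PROXY_LOG, ENDPOINT_LOG):
        print(f"{f['host']}: {' -> '.join(f['chain'])} ({f['domain']}, {f['file']})")
```

The proxy alone sees a successful download, the endpoint alone sees a process start, and the DNS server alone sees a lookup; only the join on host and time turns the three pieces into one finding for ws-101, while ws-102's ordinary browsing produces nothing.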

2) Threat intelligence analysis will become more important

Many of the products in the security industry are becoming more commoditized. Many consoles and network devices are very similar in how they work and operate; the key differentiator is having accurate and up to date threat data. Organizations cannot fix every single risk. Therefore as the risks grow, more focus has to be put against the real attack vectors. In order to become a cyber security expert, you have to adapt to the threats. A growing theme is that the defense must learn from the offense. Threat must drive the risk calculation so that the proper vulnerabilities can be addressed. Only with proper threat data can the avenues of exploitation be fixed.

3) Endpoint security becomes more important

A cyber security expert needs to protect all facets of their operation. As more and more devices become portable, the importance of the endpoint becomes more critical. In terms of the data it contains, there is little difference between a server and a laptop. A server might have more data but laptops still have a significant amount of critical information. However the server is on a well protected network and the laptop is usually directly connected to untrusted networks, including wireless. Therefore we need to move beyond traditional endpoint protection and focus on controlling, monitoring and protecting the data on the end points.

4) Focusing in on proactive forensics instead of being reactive

Attacks are so damaging that once an attacker gets in it is too late. In addition, with technologies like virtualization and SCADA controllers, performing reactive forensics is very difficult, if not impossible, for any cyber security expert. Therefore more energy and effort needs to be put against proactively identifying problems and avenues of compromise before major impact is caused to an organization. With the amount of intellectual property that is being stolen and the reputational damage, proactive is the only way to go.

5) Moving beyond signature detection

Signature detection works because the malicious code did not change and it took a while for large scale exploitation to occur. While signature detection is still effective at catching some attacks, it does not scale to the advanced persistent threat (APT) that continues to occur. Therefore signature detection must be coupled with behavioral analysis to effectively prevent and detect the emerging threats that will continue to occur. Since the new threats are always changing and persistent, only behavior analysis has a chance of being able to deal with the malicious attacks in an effective way.
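This added example (not from the original post) puts the earlier APT point about reputation ranking on behavior and this trend about moving beyond signatures side by side. A hash signature catches the one build it was written for and misses a recompiled copy with identical behavior, while a weighted scoring of observed endpoint actions produces a confidence band rather than a binary allow/block. The sample bytes, rule weights, thresholds, path names and telemetry records are constructed assumptions.

```python
"""Signature match versus behavior scoring (added example, constructed data)."""
import hashlib

# --- Signature side: the hash of one known build (constructed bytes, not real malware) ---
KNOWN_BUILD = b"MZ\x90\x00 dropper build 1 "
RECOMPILED_BUILD = b"MZ\x90\x00 dropper build 2 "  # same behavior, different bytes
BAD_HASHES = {hashlib.sha256(KNOWN_BUILD).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Binary verdict: only exactly known bytes are caught."""
    return hashlib.sha256(sample).hexdigest() in BAD_HASHES


# --- Behavior side: weighted rules over endpoint telemetry (weights are assumptions) ---
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
KNOWN_DESTS = {"intranet.example.test", "updates.example.test"}

RULES = [
    ("office_app_spawns_shell", 40, lambda a: a.get("type") == "process_create"
        and a.get("parent") in OFFICE_APPS and a.get("image") in SCRIPT_HOSTS),
    ("autorun_persistence", 30, lambda a: a.get("type") == "registry_write"
        and "\\currentversion\\run" in a.get("key", "").lower()),
    ("executable_written_to_temp", 15, lambda a: a.get("type") == "file_write"
        and "\\temp\\" in a.get("path", "").lower()
        and a.get("path", "").lower().endswith(".exe")),
    ("connect_to_unknown_destination", 15, lambda a: a.get("type") == "net_connect"
        and a.get("dest") not in KNOWN_DESTS),
]


def behavior_rank(actions):
    """Accumulate rule weights into a confidence score and band it; no single rule decides."""
    score, hits = 0, []
    for a in actions:
        for name, weight, pred in RULES:
            if pred(a):
                score += weight
                hits.append(name)
    verdict = ("likely malicious" if score >= 60
               else "suspicious" if score >= 25
               else "likely benign")
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed telemetry: an ordinary document-editing session and an infection chain.
BENIGN_SESSION = [
    {"type": "process_create", "parent": "explorer.exe", "image": "winword.exe"},
    {"type": "file_write", "path": "C:\\Users\\a\\Documents\\report.docx"},
    {"type": "net_connect", "dest": "intranet.example.test"},
    {"type": "net_connect", "dest": "cdn.vendor-updates.test"},  # one unknown host alone is not damning
]
INFECTION_CHAIN = [
    {"type": "process_create", "parent": "winword.exe", "image": "powershell.exe"},
    {"type": "file_write", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"},
    {"type": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"type": "net_connect", "dest": "relay.example-cdn.test"},
]

if __name__ == "__main__":
    print("known build caught by signature:", signature_match(KNOWN_BUILD))
    print("recompiled build caught by signature:", signature_match(RECOMPILED_BUILD))
    print("benign session:", behavior_rank(BENIGN_SESSION))
    print("infection chain:", behavior_rank(INFECTION_CHAIN))
```

The point of the banding is the one made under "reputation ranking": a single unknown destination leaves the benign session at "likely benign", whereas the chain of office application spawning a shell, executable dropped in a temp directory, autorun persistence and an unknown outbound connection accumulates into "likely malicious" no matter what the binary hashes to.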

6) Users will continue to be the target of attack

Everyone likes to focus on the technical nature of recent attacks like Zeus and Aurora, but when you perform root cause analysis, the entry point with most of these sophisticated APT attacks is a user, someone who is not a cyber security expert, clicking on a link they are not supposed to. After that, the attack became very sophisticated and advanced, but the entry point with many attacks is traditional social engineering: advanced spear phishing attacks that trick the user into performing some action they are not supposed to. While you will never get 100% compliance from employees, organizations need to put energy against it because they will understand the short and long term benefit.

7) Shifting from focusing on data encryption to key management

Crypto is the solution of choice for many organizations, however they fail to realize that crypto does not do any good, if the keys are not properly managed and protected. Crypto has quickly become pain killer security because organizations are focused on the algorithms and not the keys. The most robust algorithms in the world are not any good without proper management of the keys. Most data that is stolen is from encrypted databases because the keys are stored directly with the encrypted data.
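Here is an added example (not from the original post) of the difference between storing the key next to the ciphertext and managing it separately. It contrasts a row that carries its own data key, which anyone holding a copy of the database can decrypt, with envelope encryption, where each record has its own data key that is stored only in wrapped form and the key-encryption key lives in a separate key service that never hands it out. The cipher is a deliberately minimal HMAC-SHA256 keystream so the example runs on the standard library alone; it stands in for an AEAD such as AES-GCM from a vetted library and is not a production cipher. The `KeyService` class and record layout are constructed assumptions.

```python
"""Key stored with data versus envelope encryption with a separate key service (added example)."""
import hashlib
import hmac
import secrets


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode), stdlib-only stand-in for a real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def _seal(key: bytes, data: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(key, nonce, ct)


class KeyService:
    """Stands in for an HSM/KMS: the key-encryption key never leaves this object."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return _seal(self._kek, dek)

    def unwrap(self, wrapped: bytes):
        return _open(self._kek, wrapped)


def store_key_with_data(plaintext: bytes) -> dict:
    """The anti-pattern from the post: the data key sits in the same row as the ciphertext."""
    dek = secrets.token_bytes(32)
    return {"ct": _seal(dek, plaintext), "key": dek}


def store_enveloped(plaintext: bytes, kms: KeyService) -> dict:
    """Per-record data key, persisted only in wrapped form; the KEK stays in the key service."""
    dek = secrets.token_bytes(32)
    return {"ct": _seal(dek, plaintext), "wrapped_dek": kms.wrap(dek)}


def read_enveloped(row: dict, kms: KeyService):
    """Legitimate read path: unwrap through the key service, then decrypt the record."""
    dek = kms.unwrap(row["wrapped_dek"])
    return None if dek is None else _open(dek, row["ct"])


def attacker_reads_dump(row: dict):
    """What someone holding only a copy of the database row can recover."""
    if "key" in row:
        return _open(row["key"], row["ct"])
    return None  # a wrapped key without the KEK is just more ciphertext


if __name__ == "__main__":
    kms = KeyService()
    record = b"acct=12345 balance=100"  # constructed sample record
    bad, good = store_key_with_data(record), store_enveloped(record, kms)
    print("dump of key-with-data row yields:", attacker_reads_dump(bad))
    print("dump of enveloped row yields:", attacker_reads_dump(good))
    print("application read of enveloped row:", read_enveloped(good, kms))
```

The algorithm is the same in both rows; only where the key lives differs. A stolen dump of the first layout is plaintext with extra steps, while the second layout forces an attacker to also compromise the key service, which is exactly the separation the post says organizations skip when they focus on algorithms instead of keys.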

8) Cloud computing will continue regardless of the security concerns

Even though there are numerous concerns and security issues with cloud, not even a cyber security expert can argue with free. As companies continue to watch the bottom line, more companies are wondering why they are in the data center business. Moving to both public and private clouds can lower costs and overhead; however, as with most items, security will not be considered until after there are major problems. Attackers will always focus on high payoff targets. As more companies move to the cloud, the attack methods and vectors will also increase at an exponential rate.

9) New Internet protocols will increase exposure

As the Internet continues to grow and be used for everything, new protocols will continue to emerge. The problem is that the traditional model of deploying new protocols no longer works. In the past, a new protocol was developed and would take a long time to achieve mainstream usage. This allowed the problems to be worked out and security to be properly implemented. Today when a new protocol comes out it is used so quickly that the problems are only identified after there is widespread use, which quickly leads to widespread attacks.

10) Integrated/embedded security devices

Not only is technology becoming integrated into almost every component, more functionality is being moved to the hardware level. Beyond the obvious implication of having more targets to go after, embedded devices create a bigger problem for a cyber security expert. It is much harder to patch hardware than it is software. If software has a problem, you can run a patch. If hardware has a vulnerability it will take far longer to fix and increases the attack surface. Smart grid is a good example of items 9 and 10 combined together.

Security Experts, Are We Missing the Point?

Recently, between citizens and security experts, there has been a lot of talk about nuclear weapons, terrorism and peace treaties. At the end of the day, the question remains how do we protect a country and its citizens from attack? If that is really the purpose of the summits, the meetings and Washington, why isn't cyber security part of the discussion - more importantly the insider threat? They deserve to be. Security experts will agree that nuclear weapons or biological warfare is much more damaging and could cause greater loss of life, but the likelihood of such an attack is low. When it comes to a cyber attack, the impact is high, the likelihood is high and the ease in which the attack can be performed is high. National security experts manage and mitigate risk, and therefore more attention should be given to these cyber weapons of mass destruction. At the top of the agenda should be better protecting critical information from the insider. While there have been a lot of very technical, sophisticated attacks recently, we sometimes forget that the entry point for most of these attacks is an insider clicking a link or going to a site that they should not have gone to.

When a security expert evaluates a threat there are many aspects (too many to mention in this posting) that need to be evaluated. Some of the primary ones are clearly impact, likelihood and ease of which the attack can be performed. Using this as a basis, things become very interesting. While the impact of a nuclear or biological terrorist attack is clearly very high, the likelihood is more in the medium level and the ease of which it could be performed is medium to low. When it comes to cyber attack, the impact is high, the likelihood is high and the ease is high. Therefore since national security experts manage and mitigate risk, shouldn't more attention be paid to the cyber weapons of mass destruction and controlling access to our critical information?

If we start to peel back the layers, things become even more interesting based on the overall exposure and scope of the problem. Physical weapons have to cross international boundaries and there are checkpoints manned by security experts that have to be cleared. The three important points to remember are 1) you cannot clearly cross international boundaries with physical weapons without going through physical checkpoints; 2) weapons are illegal in most countries so clear possession of them could get someone in significant trouble; 3) it is relatively difficult to obtain these weapons.

When you start to apply this to cyber and the insider threat, things start to fall apart very quickly. On the Internet there are no international boundaries monitored by security experts. An attacker/insider can seamlessly cross boundaries without even knowing they are entering systems located in a different country. Not only are the tools easy (say free) to obtain, but in some countries possessing and using the tools is not illegal.

There is a lot of legislation being proposed to cover cyber, but are we focusing in on the correct areas? Are we looking at controlling the boundaries in/out of countries and working on universal laws? Having different laws for different countries makes sense when there are clear boundaries and physical separation, but when connectivity is seamless that model falls apart. While changing laws can take a long time to perform, there are things organizations can do today to help protect the critical infrastructure from the accidental or deliberate insider. First, identify and clearly control and manage ALL boundaries in and out of your organization. For critical information, air gaps or complete separation should be looked at to better control the boundaries. Focus on which trusted insiders have access to the information. Second, focus on critical information. Why would your organization be targeted and what information would cause the greatest impact? Who inside the organization has access to this information and can be targeted? Third, the entry point for most attacks is the end user. Focus time and energy on protecting and controlling the endpoint, especially untrusted endpoints. Always remember that while it is difficult to stop stupid, with proper controls and focus on the insider, you can limit or minimize the impact of stupid.

We are going to have to deal with this problem one way or another. Option one is to be proactive and fix the problem before it is too late. Option two is to wait for there to be a major problem and fix it in a reactive manner. Personally, I vote for option one.