Wednesday, February 8, 2012

Krav Maga

If Krav Maga has ever taught me anything, it is the importance of counter-attacks. Of course blocks are effective, but a block combined with a punch gives you an advantage you'll be happy to have in any confrontation outside the dojo. A nice, caring opponent who throws a punch exactly where and when you want it is one thing; the guy on the street is something else.


I started wondering whether we fool ourselves in a similar way when it comes to information security. Do we only prepare for the attacks we want to receive? Can we do more?

Back to Krav Maga for a possible approach: our response time can decide the outcome of the attack. Similarly, it is very difficult to defend yourself against an attack you don't see at all. On the street you can easily spot a potential threat; your instincts provide priceless feedback in most situations, all you have to do is listen.

When it comes to information and physical security, some further measures are needed. First of all we need a way to "see" the attack: monitoring incoming internet traffic can give you early clues about the type of attack. At a second level, system and network events are also helpful, keeping in mind that attacks can also come from the inside (think end user).
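To make "seeing" the attack concrete, here is an added example that is not part of the original post: a small Python monitor that reads constructed firewall and authentication log lines and raises the two kinds of clue the paragraph mentions, an external source probing many ports (inbound traffic) and an internal account piling up failed logins (system events, possibly an end user or someone using their account). The log formats, IP addresses, host and user names and thresholds are all invented for this example; a real deployment would parse whatever your firewall and directory actually emit.

```python
"""Added example (not from the original post): a minimal "see the attack"
monitor over constructed log lines. Log formats, addresses, names and
thresholds are assumptions made for this illustration only."""
from collections import defaultdict
import re

# Constructed firewall log: one external host sweeps several ports at 02:14,
# then a normal client makes two HTTPS connections. Format is invented.
FIREWALL_LOG = """\
2012-02-08T02:14:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2012-02-08T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2012-02-08T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=80
2012-02-08T02:14:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=443
2012-02-08T02:14:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2012-02-08T02:14:04 DENY src=203.0.113.7 dst=10.0.0.5 dport=8080
2012-02-08T09:01:10 ALLOW src=198.51.100.20 dst=10.0.0.5 dport=443
2012-02-08T09:01:11 ALLOW src=198.51.100.20 dst=10.0.0.5 dport=443
"""

# Constructed authentication log: one user logs in normally, another fails
# four times late at night and then succeeds. Format is invented.
AUTH_LOG = """\
2012-02-08T09:05:00 host=FILESRV user=jdoe result=SUCCESS
2012-02-08T22:10:01 host=FILESRV user=ksmith result=FAILURE
2012-02-08T22:10:05 host=FILESRV user=ksmith result=FAILURE
2012-02-08T22:10:09 host=FILESRV user=ksmith result=FAILURE
2012-02-08T22:10:14 host=FILESRV user=ksmith result=FAILURE
2012-02-08T22:10:20 host=FILESRV user=ksmith result=SUCCESS
"""

FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(SUCCESS|FAILURE)$")

INTERNAL_PREFIX = "10."  # assumption: the office network is 10.0.0.0/8


def detect_port_scans(log, min_ports=5):
    """Return {src_ip: sorted ports} for external sources that touched at
    least `min_ports` distinct destination ports (allowed or denied)."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _, _, src, _, dport = m.groups()
        if src.startswith(INTERNAL_PREFIX):
            continue  # inbound clue only: skip internal sources here
        ports[src].add(int(dport))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def detect_failed_login_bursts(log, max_failures=3):
    """Return {(host, user): info} for accounts whose consecutive failures
    exceeded `max_failures`; info records whether a success followed,
    which is the pattern of a guessed or brute-forced password."""
    streak = defaultdict(int)
    alerts = {}
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        _, host, user, result = m.groups()
        key = (host, user)
        if result == "FAILURE":
            streak[key] += 1
            if streak[key] > max_failures:
                alerts[key] = {"failures": streak[key], "then_success": False}
        else:
            if key in alerts:
                alerts[key]["then_success"] = True
            streak[key] = 0  # a success ends the failure streak
    return alerts


def run():
    """Run both detectors over the constructed logs."""
    return {"scans": detect_port_scans(FIREWALL_LOG),
            "logins": detect_failed_login_bursts(AUTH_LOG)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The point of the two detectors is that neither alone tells the whole story: the firewall sees the outside probe but nothing about the late-night password guessing on FILESRV, and the authentication log sees the guessing but has no idea the same network was swept hours earlier. Having both, and a plan for what to do when either fires, is what "seeing" the attack means in practice.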

This again doesn't do much on its own; you need to have a plan for when an attack occurs. The same ideas extend to the physical security of your company: how do you know no one entered your offices, data center or warehouse last night?

Anything of value moves

Anything of value within a company tends to be on the move. Money, information and goods all move in various directions, which makes it hard to keep an eye on them and also makes them vulnerable to attacks.

This is a security nightmare, as movement is usually paired with routine. Something moving is easier to get/hit/grab/steal/change, as it has lost many of the advantages of staying put. Something moving in a pattern and at regular intervals is a dream for anyone with questionable motives.

Constantly monitoring movements and finding alternative routes is hard unless the goods have a certain value; a gold mining operation in Russia, for example, constantly switches its shipment method between land, rail, sea and air because it can afford to. As we don't have unlimited resources we will have to accept certain risks, and things moving in a pattern may be one of them. The least we can do then is to be aware of the things that move, their value (for us and for the bad guys), when they are most vulnerable, etc.
Because it came up: things don't always have the same value for us and for others. Your customer list can be taken for granted by your Sales Team and still be a very valuable asset for the competitor's salesman.

Back to prioritization then: what moves, and what is it worth? You will find that even by doing this part of the work you uncover movements and exposures you don't really need, and you can avoid the related risk altogether.

Uncertainty and decisions (2)

Having answered the "what could happen?" question, we can move forward by asking ourselves "what can I do?"

In the corporate world this question can be a real nightmare, as you (technical knowledge) have to convince management (decision making) to approve a purchase (financial approval). This would be hard enough in itself; add to it management's lack of technical knowledge and an already allocated budget. In summary you are stuck with the table below, where everyone has limited knowledge, leaving a very narrow path to navigate for a successful investment decision.




The initial prioritization will avoid the formation of unnecessary bottlenecks. Have you ever met the IT guy who thinks the company never approves his purchase requests? This can be one of the reasons: you ask for too much and you get nothing.

IT, just like any other department, should work on "interdepartmental communication". Sales, Accounting, Human Resources and Business Development all have different mentalities. To a salesman a discussion about a specific tax form might as well be held in a foreign language, just as a technical document would be at least "difficult to understand" for someone in Human Resources. IT should be able to give Management concrete threats and simple answers, and Management in turn should explain to Finance why this purchase shouldn't be trivialized.

The "what can I do?" question should also be reformulated as "what can we do?", simply because security can NOT be the responsibility of IT alone. Everyone who operates a computer within the organization, and anyone who holds or has access to "sensitive knowledge", must take responsibility. "Sensitive knowledge" about a company is very easy to spot: it's anything you wouldn't like to see on the front page of tomorrow's newspaper.

A minimum level of security can only be reached if all stakeholders do their part. Otherwise that firewall will only be "another IT purchase" and not the superman you were hoping for.

Uncertainty and decisions (1)

Security, for most of us, is a decision-making game. Unless we are a terrorist or a mercenary we will most likely be on the defensive side of operations. Being on the defensive often means trying to fill holes with a limited budget while being everywhere at the same time; it sucks and we all know it. You have a limited budget, uninformed or misinformed managers, ignorant vendors, and you're trying to protect company data.

The limit on the security budget usually goes hand in hand with the limit on the support you get from upper management.

Is everything really lost then? Isn't there anything we can do?
There are many things that can be done, but the most important one is to be able to decide correctly. We don't know who the attacker will be or where he'll come from, we don't know when he will attack, and we don't even know what he's looking for. The only thing we can be sure of is that he'll attack.

Take the company we work for, say a 50-employee, family-owned shoelace manufacturer. Who would attack us and why? Shoelaces aren't worth much on the black market, and the patent drawings you have in the safe... well, it's basically a string, right?

Unless you use solid gold machines for production we can dismiss most physical attacks and thus minimize our physical security investments. Today's technology gives us highly effective systems such as motion detectors and alarms at rather low cost, enough to stop thieves and delinquents. We can also dismiss attacks on personnel, except for extreme scenarios like hostage situations or looting, both of which are police business.

The main targets then would be information and finances.
Defacing the company website, cutting off all internet communication (mail and VoIP), accessing employee records or gaining access to bank accounts are the most pressing threats we would have to cover.

These categories would be largely reversed for a jewelry shop, where physical security would be more important. An initial prioritization of threats gives us better direction for our security investments. We then have to think "what would they go after?".

A blog on everything?

Yes, this is how you might describe it. This blog is about everything related to security, simply because you can NOT have security on a single level. Single-level security can easily be described as "locking the door while the windows are open".

To be able to talk about security, even at a very basic level, you have to be sure you have covered the main bases. Make sure your information is safe, your physical location is safe, your money is safe and you are safe. In other words, this is where you stand:




Or at least this is where you have to stand. Anything less, or favoring one side over the other, leaves you open to threats.
Today threats are many and varied; from a 13-year-old "script kiddie" to a former employee who hates you, everyone can be a threat. It would be almost impossible to be prepared for every potential attack, so we will have to keep things very simple.
As the great Archilochus said: "the fox knows many tricks, and the hedgehog only one; but that is the best one of all!"

What Good Is MITRE ATT&CK in Real Life?

During the webinar on Russian-origin cyberattacks there was an important piece of work I dwelt on. Taking the MITRE ATT&CK matrix and which...