Considerable damage has been done to organisational reputations and a great deal of information has been lost in organisations that do not have fully effective incident response plans in place.
Without an incident response plan, an organisation may not discover an attack in the first place, or, if the attack is detected, the organisation may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
After vulnerabilities are discovered and reported, attackers engineer exploit code and launch it against targets. Any delay in fixing software with dangerous vulnerabilities provides an opportunity for persistent attackers to break through, gaining control over the vulnerable machines and access to the sensitive data they contain. Organisations that do not scan for vulnerabilities and address flaws proactively face a significant likelihood of having their computer systems compromised.
As vulnerability scans become more common, attackers are using them as an avenue of attack. It is therefore important to carefully control authenticated vulnerability scans and the administrator account they use. An attacker who has taken over one machine with local privileges can simply wait for an authenticated scan to run against that machine.
When the scanner logs in with domain admin privileges, the attacker either steals the access token of the scanner's logged-in session or captures the authentication challenge-response and cracks it. The attacker can then pivot anywhere else in the organisation as domain admin.
Any organisation that hopes to respond to attacks effectively must find the gaps in its knowledge and provide exercises and training to fill them. A solid security skills assessment programme can give decision-makers actionable information about where security awareness needs to be improved, and help determine the proper allocation of resources to improve security practices.
Training is also closely tied to policy and awareness. Policies tell people what to do, training provides the skills to do it, and awareness changes behaviour so that people follow the policy. Training should be mapped against the skills required. If users still do not follow the policy after training, the policy should be reinforced with awareness efforts.
Attackers constantly test the skills of five groups of people:
- End-users are fooled by social engineering scams and tricked into providing passwords, opening attachments, installing software, or visiting malicious websites.
- System administrators are tested when attackers attempt to trick them into setting up unauthorised accounts.
- Security operators and analysts are tested with new and innovative attacks introduced on a continual basis.
- Application programmers are tested by criminals who find and exploit the vulnerabilities in the code that they write.
- System owners are tested when they invest in cyber security while remaining unaware of the impact that a compromise and data exfiltration would have on their mission.