Know Your Enemy: Are you prepared to handle security incidents?

Saul Steenbok

As an IT Consultant, I have frequently come across the notion, expressed by a number of clients here in Zimbabwe and surrounding countries, that they would be of no interest to any hacker or malicious intruder. It is shocking, then, that a number of incidents, some undisclosed, have taken place within our borders, which is proof that this thinking is potentially dangerous.

Regardless of the size of your company, your industry or your location, you are exposed to a broad range of threats: “script kiddies” (malicious users with limited knowledge but access to tools), security enthusiasts practicing on live systems, automated attacks, and highly skilled individuals who have various reasons for wanting to see just how far they can get or how much information they can retrieve. Every attack has its own motives, and a discussion of them would take up far more than I can put in this article, but it all breaks down to the fact that you are at risk in one way or another.

Even if you do not use the Internet (and this would be a limited number of people) there are other ingress points for these threats to enter and disrupt your operations or cause loss of data such as thumb drives (flash sticks) or programs obtained from less than trustworthy sources installed on corporate computers. It is not a matter of IF an incident will occur but rather WHEN it will.

Hiding your head in the sand
Unfortunately, a number of organisations choose to simply ignore the threat or incident and, as you can imagine, this is a very risky thing to do. I bring this up because a number of companies have simply stated to me “we haven’t had an incident yet, so why should we worry?” The truth of the matter is that they have probably had a number of incidents, but because they failed to detect them or simply “formatted the server” (yes, I have seen this happen) they effectively ignored the incident and, as I stated before, this is dangerous thinking. It’s only a matter of time before this catches up with you: the root of the problem has not been dealt with, the threat has not been evaluated, the incident was simply ignored and the threat was neither understood nor prevented from recurring.

So how do we handle all this? Knowledge and planning are all it takes: knowing the potential threats you are exposed to and what your security posture is. Every organization has a responsibility to secure the data it is entrusted with and to maintain the stability of the infrastructure it has heavily invested in. Planning for incidents and how they will be handled can save a company a huge amount of money and downtime and prevent legal or other complications associated with a security breach or malicious attack.

Let’s start with making sure you are trained to identify and deal with these incidents.

There are a number of “security experts” and “Advanced Hacking Courses” out there that claim to do a lot. The simple fact is that anyone can train you how to hack in theory (the same as me telling you how to drive a car; it’s a different experience when you actually try), but the training is almost pointless without the practical knowledge.

Ever watched Oceans 11?
I use the plot of this movie often to explain the thinking you need to use when security testing. You have a Goal – Get into the network by finding and exploiting weaknesses in the security infrastructure – and you need to be really creative when planning how you’re going to do this. Having the knowledge that Metasploit can be used to generate payloads or that Nmap is used for scanning doesn’t adequately give you the skills even if you know how to run a basic scan. You need to take into account that all systems are different, they have different security measures in place. You’re not going to be much good if you just run any scan and risk being detected or your IP Address blocked.

In the movie, they come up with ingenious ways to achieve their final goal (getting the money) by identifying all the steps they need to take to get away with it and how they would achieve each step. It’s the same with security testing, you have to identify and come up with inventive ways to exploit the weaknesses you discover, get in, stay in and clean up your tracks. Once you know how to do this, you have basically the same knowledge the attackers use to exploit YOUR weaknesses and are better prepared to mitigate risk to your infrastructure.

Incident Handling
Now that you have the knowledge, planning how incidents are handled in your organization is the next step. When it comes to Incident Handling, planning is everything. If you are prepared and know what to do, dealing with an incident can be pretty straightforward, whereas if it catches you unprepared it can bring on a number of sleepless nights, disruption to your network and other potentially serious repercussions.

Don’t be discouraged if you plan and nothing happens; when it does, you will be glad you did. It’s the same as system backups: you do them so you are prepared in the event you experience data loss or a server crash.

Besides the actual usefulness of Incident Response capabilities, your organization should also take into account that without these capabilities you may not be following generally accepted practice of due care for your industry. But equipped with the skills to effectively test your exposure, an understanding of the risks, and a plan in place to respond to incidents that come as a result of these risks, you can begin to effectively manage and mitigate them.

This is a guest post authored by Saul Steenbok, an Infrastructure & Security Engineer working with an initiative called Educate-it. Saul has 18 years’ experience implementing and training information systems security. He’s worked with organizations in the Middle East, Europe, South Africa, Nigeria, Zambia, Zimbabwe and Kenya. His company is hosting a one-week security course in Harare called “Know Your Enemy”, which you can find more about here.