In a previous article I introduced the three top causes of security breaches in 2011: SQL Injection, Weak Passwords and Social Engineering Attacks.
No mitigation strategy for these would be complete without first establishing success criteria. The objective is, therefore, to delay, hinder or otherwise deter an attacker from targeting your business.
This might mean setting up enough detection countermeasures so an attacker cannot make a move without being alerted, or hindering the attacker enough to buy you time to investigate and take appropriate action. Or you might make the whole operation too time consuming and complex to be worth the bother when there are other, softer, targets out there. To paraphrase an old Lord of the Rings joke - you don't have to be able to outrun the dragon, just the Halfling.
SQL injection is well over a decade old now and so thankfully, our methods of addressing this vulnerability are relatively mature. The most obvious method would be to prevent it in the first place. Teaching developers secure coding practises, using development frameworks with embedded security controls (.NET) or secure APIs (OWASP's ESAPI) are probably the best preventative measures.
Validate the data going into your applications and escaping out to the database. Use parameterised queries and stored procedures on your database, and configure it so that access by the application is limited to only the data required. Reactive measures could include the use of source code analysis tools (a relatively mature market offering now) and web application firewalls that integrate database monitoring.
Weak passwords - much like social engineering – are a more difficult problem because this attempts to contend with human nature. The war against weak passwords is largely lost. In line with recommendations, password strength has been moving beyond 12 characters, but this is well beyond most people's ability to remember. It means people often resort to predictable passwords, and this has been exacerbated even further by password aging and the inability to reuse previous passwords.
Despite this, password lengths under 12 characters can generally be defeated. If your environment or application is sensitive, you'll also want something more than a password. Separate access to critical infrastructure and applications by using trusted networks and DMZs. Use bastion hosts where all users must authenticate at least once, preferably using a form of 'step-up' authorisation - such as two factor authentication.
Smartcards are becoming more trusted than hard or soft tokens, but even these can be defeated. Password aging ensures that if passwords become known, there is a time limit they can be used. A greater password length and complexity also serves to increase the time required for brute force attacks. However, applying any of these unilaterally across your entire enterprise is costly, inefficient and typically raises the ire of users, so prioritise your targets and to paraphrase Seraph from The Matrix, "Protect that which matters most."
Social engineering is by far the most challenging security risk. Educating your users should be done - opening attachments from strangers, watching for strangers tailgating through secure areas – there is a long list of areas to consider. I might be alone here, but generally, I don’t think it really works. I still agree it’s a useful exercise requiring staff to undergo some form of security awareness training, but the reality is, someone won’t stick to it, while still others will be blissfully ignorant. I really wouldn't put too much effort into it. Try to make it a standardised training program that all new staff go through, and must complete at least once every year so. I would put a far greater emphasis on exploring the probable results of a compromise and how to prevent it.
Staying up to date with incident reports and following attack trends is crucial to building defences that actually work. File attachments must be scanned, preferably using tools that offer a sandbox environment, don't rely on pure signature detection. Restrict administrator access to desktops - except for key staff. Harden all desktops and ensure all internet access is via proxies, logged and monitored regularly. Setup intrusion prevention systems at key internal nodes to monitor (and prevent) ‘abnormal’ connections.
Some of these approaches will become far more common as enterprises increasingly permit employee-owned assets on the network. You are unlikely to prevent everyone from opening up malicious attachments, but you can diminish the ability of any one user to compromise the network.
As mentioned, nobody can built a bullet proof network any more than it is possible to design an unbreakable safe. But, if you can harden your business so it is more secure than the next one, you're ahead of the game.