You're hacked - get over it

Here's a sobering thought. Phil Lieberman, the President of Lieberman Software, says, "Every day you wake up, you know somebody is in your network. You just don’t know where they are, what they're getting and what you can do to stop them".

The overwhelming theme of this year's RSA Conference has been that border protection, while an important layer in our security, is not enough. The distribution of end points, characterised today by increased numbers of mobile devices but expanding rapidly as the Internet of Things becomes a reality, and the distribution of critical systems out of private data centres into shared service providers has changed the nature of our information systems and infrastructure.

"The perimeter is porous," said Lieberman. "It doesn’t mean we've lost the war. Those who are successful on the Internet, the only ones who will be successful, are those who have their eyes open and understand that whatever technology they have will have a limited lifetime of protection. The question is not whether they're going to get in but how far can they go".

That changes the focus from vulnerability protection to more complex threat management. Lieberman's company develops and distributes identity, utility and password management tools for securing environments. But there are broader applications.

"Our clients are doing regular red/blue warfare where they use our tools on both sides," he said.

This technique is not new. These war games pit teams against each other in rounds of attacking and reacting so that the business gets practice in dealing with threats. It has been an important but overlooked element of many security strategies: while companies have been diligent in ensuring software is patched and appropriate controls are in place, they are often caught out when a breach does occur because they are unsure how to react.

Lieberman's observation of large cloud service providers is that they do this war-rooming constantly. "They suffer massive DDoS attacks on an almost daily basis. They have people who are ex-intelligence, ex-military and ex-NSA who, as part of their career path, left and are now conducting cyber-defence on the other side," he said.

Many companies we've seen talk about how they undertake regular audits, have policies in place to change passwords regularly and issue new certificates periodically. Lieberman did not see those as poor practices – most people would agree that these fall under accepted best practice activities – but he pointed out that these may give a false sense of security.

For example, if a business's policy is to force users to change passwords every 90 days, what happens if the hash for that password is stolen the day after the password is changed? The malicious party will have unfettered access until the password is next changed. Similarly, certificates that are valid for long periods – a three-year validity is not uncommon – give intruders a long window of opportunity.

"What we see as best practice is a rethinking of ages of things like passwords, thinking of ages of certificates. So, for some of our customers, we're rotating their passwords every eight hours. Another example is Microsoft Lync. I looked at the certificate used for my secure communications channel. I was wondering how long Microsoft sets up the PKI for it. And I was shocked – it was one day. I was shocked. Certificates you think of being good for up to five years, they've reduced the life cycle to less than a day".

Rather than operating in a mode that says passwords and certificates will be enough to maintain border security, the modern posture is that these things are going to be stolen and the focus is now on risk management and damage containment.

Anthony Caruana travelled to RSA Conference as a guest of RSA.
