Welcome to the after-hack party

Hinne Hettema is the team leader of the operational security team at the University of Auckland. He believes there are six critical security services every organisation should have: security architecture and security consulting, security and penetration testing of the deployed environment, monitoring and alerting, incident response, security strategy, and policies.

We spoke to Hettema at AusCERT 2016 to find out a bit more about him and what he sees in the actions of hackers and what we can do about them.

“I trained as a philosopher and theoretical chemist, and one of the things that strikes me as strange about cyber security is that it is unclear what ‘security’ is,” says Hettema. “Do we have a definition of security? It turns out we don’t really, we have an idea what it feels like without being able to pinpoint it as something that we can systematically think about”.

It’s clear from talking with Hettema that he not only thinks about security differently from many other practitioners, but also sees something wrong with how many people approach cybersecurity. He says they tend to address the challenges through the lens of ethics.

“As a result, the academic papers developed in this area focus on an ethics of information security and, despite some work now being done, I don’t think this has so far been very fruitful. It has not helped get a new handle on the problem, and from my perspective that is because the scope of the initial question has been too limited. Criminals are not particularly ethical and we already knew that”.

Hettema’s view is that something is wrong with the system and that we should develop a view on its security from the perspective of social philosophy, in particular social contract theory, where “persons' moral and/or political obligations are dependent upon a contract or agreement among them to form the society in which they live” (ref: Internet Encyclopedia of Philosophy).

“I am working on some papers in this area but hackers are leaving me little time to also play academic philosopher,” says Hettema.

In Hettema’s observation, once a company has been hacked, it becomes a more likely target for future attacks. He says “An initial compromise may be picked up because something unusual happens – a strange email, an AV alert, an IDS alert. Then, once an attacker gains a foothold, they change their tooling, and start working with the sort of things most organisations don’t monitor for very well”.

These new tools and techniques include privilege escalation, misuse of administrative tools, unauthorised access, or using the excess access loaded onto most accounts.

Hettema calls this change in tools and techniques by hackers “pivoting”.

Looking at the security posture of many organisations, Hettema says that we have built, over the years, a model for securing our borders.

“The backend – where our business really happens – is a different matter, and is I think where the next security differentiation will come from,” he says.

One of the problems, he says, is that the management of privileged accounts is still poor. Also, he believes we need to do a better job of segmenting networks and take a long-term view of managing permissions as, over time, privileged accounts seem to gather what he calls a “crust” of excess access.

So, what can we do about this? Hettema believes there are several things companies can do to manage internal security better so hackers that bypass the border can’t pivot. Some of the key things are:

Admin access models: There’s an interesting revival of the old Bell-LaPadula and Biba approaches, focused on control rather than reading or writing.

PowerShell configuration: Who can send your servers PowerShell? Through which networks? Signed or unsigned?

Active Directory: Do you reset your krbtgt password?

IDS and detection at the backend: How do you configure an IDS? What should it alert on?

Logs and logging: Do you have a log management server or a data lake solution to know what’s going on?
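As an added illustration of the backend monitoring Hettema is asking about (this is not code from the article or from the University of Auckland), the Python sketch below scans normalised records exported from a log management server for the pivot indicators the article names: unsigned PowerShell arriving from outside an assumed management subnet, privileged logons by accounts outside an assumed admin list, and administrative tools launched by ordinary user accounts. The Windows event IDs (4104, 4672, 4688) are real; the record fields, the subnet, the account names and the sample log lines are constructed assumptions.

```python
import ipaddress
import json
from typing import Iterable

# Assumed management subnet from which admin PowerShell is expected.
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")
# Assumed set of accounts that legitimately hold special privileges on servers.
KNOWN_ADMINS = {"svc_backup", "ops_admin"}
# Administrative tools whose use by an ordinary user account deserves a look.
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "net.exe"}


def pivot_alerts(records: Iterable[dict]) -> list[str]:
    """Return one alert string per record that matches a pivot indicator."""
    alerts = []
    for r in records:
        eid = r.get("event_id")
        if eid == 4104:
            # PowerShell script block logging; src_ip and signed are assumed
            # to be enriched by the collector, not native to the event.
            src = ipaddress.ip_address(r["src_ip"])
            if not r.get("signed", False) and src not in ADMIN_NET:
                alerts.append(f"unsigned PowerShell on {r['host']} from {src}")
        elif eid == 4672 and r["user"] not in KNOWN_ADMINS:
            # Special privileges assigned to a new logon by a non-admin account.
            alerts.append(f"privileged logon by {r['user']} on {r['host']}")
        elif eid == 4688 and r["user"] not in KNOWN_ADMINS \
                and r["process"].lower() in ADMIN_TOOLS:
            # Process creation: administrative tooling run by an ordinary user.
            alerts.append(f"{r['process']} run by {r['user']} on {r['host']}")
    return alerts


def parse_lines(text: str) -> list[dict]:
    """Parse newline-delimited JSON records as a log server might export them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample export: three benign records and three pivot indicators.
SAMPLE_LOG = """
{"event_id": 4104, "host": "srv-db01", "user": "ops_admin", "src_ip": "10.10.0.5", "signed": true}
{"event_id": 4104, "host": "srv-db01", "user": "jdoe", "src_ip": "192.168.4.20", "signed": false}
{"event_id": 4672, "host": "srv-file01", "user": "ops_admin"}
{"event_id": 4672, "host": "srv-file01", "user": "jdoe"}
{"event_id": 4688, "host": "ws-017", "user": "jdoe", "process": "notepad.exe"}
{"event_id": 4688, "host": "ws-017", "user": "jdoe", "process": "PsExec.exe"}
"""

if __name__ == "__main__":
    for alert in pivot_alerts(parse_lines(SAMPLE_LOG)):
        print(alert)
```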

Stories by Anthony Caruana