Businesses need to consider the risks not only from technical vulnerabilities and concerns such as unpatched software, but also from attackers who understand the business processes of a particular target, says Rick Holland, CISO at Digital Shadows.
We have seen from indictments that attackers are using publicly available social networking profiles to build contextually relevant social engineering attacks and are explicitly targeting employees who they know will be handling sensitive or valuable information. One example would be employees who handle company filings to a regulator.
We have also seen the technical exploitation of systems in order to facilitate fraudulent bank transfers, such as the Bangladesh Bank attack that targeted the SWIFT access systems and the FASTCash attacks that targeted retail payment systems. In both cases, the attackers understood how the business processes of the targets functioned, in particular the approval process for transactions, and used technical means to subvert those business processes and thereby make fraudulent bank transfers.
More broadly, Digital Shadows recommends a defence-in-depth approach. By this we mean multiple, partially overlapping security controls that mutually reinforce each other in order to provide increased resilience to network intrusions. These are fundamental and widely used security principles, applicable against all types of attackers and directly relevant to business process compromise attacks.
- Only provide access where it has been explicitly granted, otherwise deny. This is a useful principle to apply to firewalling and other techniques for managing traffic flow such as IP whitelisting.
- Principle of least privilege. Restrict workstation-to-workstation communication to only that which is necessary, and segment networks so that the compromise of one endpoint does not automatically give access to the entire network. The principle of least privilege should also be implemented for file, directory, and network share permissions.
- Attack surface reduction. Any feature of a piece of software or hardware that is enabled increases your attack surface. By going through the process of discovering which protocols or features are explicitly required for a system to function and disabling all other unnecessary features, a system is hardened against attack. Applying vendor patches in a timely fashion to reduce the number of exploitable vulnerabilities in installed software as part of a continuous vulnerability assessment program is also important here.
- Need-to-know compartmentalisation. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.
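As an added illustration of the default-deny and least-privilege principles above applied to a transaction approval process of the kind the SWIFT and FASTCash cases subverted (example code written for this page, not Digital Shadows' or any bank's software): access is denied unless a grant is explicitly listed, initiator and approver must be different principals, and the approval is bound by an HMAC to the exact fields reviewed, so a transfer altered after approval is not released. The grant table, principals, transaction fields and key are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample policy: the only access that exists is what is listed here.
# Any (subject, resource, action) not in the set is denied by default.
GRANTS = {
    ("alice", "transfer", "initiate"),
    ("bob", "transfer", "approve"),
    ("carol", "transfer", "approve"),
}

# Constructed demo key; in production this would live in an HSM or KMS,
# not in application code.
APPROVAL_KEY = b"constructed-demo-key"


def is_granted(subject, resource, action):
    """Default deny: only explicitly granted tuples pass."""
    return (subject, resource, action) in GRANTS


def transfer_digest(txn):
    """HMAC over the fields an approver actually reviewed, so any later
    change to amount or beneficiary invalidates the approval."""
    canon = f"{txn['id']}|{txn['amount']}|{txn['currency']}|{txn['beneficiary']}"
    return hmac.new(APPROVAL_KEY, canon.encode(), hashlib.sha256).hexdigest()


def approve(approver, txn):
    """Return an approval record, or None if the approver is not granted
    the approve action or is the same person who initiated the transfer."""
    if not is_granted(approver, "transfer", "approve"):
        return None
    if approver == txn["initiator"]:
        return None  # separation of duties: no self-approval
    return {"by": approver, "mac": transfer_digest(txn)}


def release(txn, approval):
    """Release funds only when every control holds: initiator granted,
    approver granted, distinct principals, and approval bound to current fields."""
    if approval is None:
        return False
    return (
        is_granted(txn["initiator"], "transfer", "initiate")
        and is_granted(approval["by"], "transfer", "approve")
        and approval["by"] != txn["initiator"]
        and hmac.compare_digest(approval["mac"], transfer_digest(txn))
    )
```

The important failure mode is the last check: an approval captured for one payload must not release a different one, which is how tampering with approved messages is stopped rather than merely logged.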