Published: 13 July 2015
By Andy Harris
The RANT conference is like no other: the majority of the presentations are given by in-post CISOs and senior Information Security staff. One gets a view of what is actually happening on the ground rather than from whoever can pay the most for advertising or press coverage.
We heard consistently that all organisations exist in some degree of compromise. It was said that '90% of large organisations and 74% of small organisations were breached in 2014'. There was some discussion of this figure: has it always been the same, or do we report more diligently these days? Information Security staff are working 50-60 hours per week trying to stem the tide. I was struck by how many people were resigned to the inevitability of a breach, whilst hearing that fines were increasing and that the reporting of breaches is highly likely to become mandatory.
It would seem that we have lost the battle of complete protection and have moved on to the language of acceptable risk. We heard from CISOs who now call themselves 'Business Enablers' because they had developed the reputation of being 'Business Prevention Officers'. The key take-away from the presentations was "The business comes up with great commercial ideas; we support and enable these by evaluating the risk factors".
A few years back the infosec focus was on the perimeter, and outsourcing was in its infancy. It's not news to say the perimeter is blurred, but we've realised that it's not just third parties: those third parties are outsourcing themselves to such an extent that the highest IT privileges are in the hands of the least paid, who may have little loyalty to a company several steps removed. Put these factors together and you can see why the infosec community may feel like they are facing an impossible task.
A presentation from a penetration tester brought the current situation into sharp focus. He described how he set about testing a company that had recovered from a breach and had recently educated their staff. He set up a web-site called The Company Benefits Club and roughly branded it to match the target. He then sent a few emails to discovered addresses asking the recipients to socialise the existence of the 'benefits club'. When employees browsed to the site they were asked to log in with their normal Active Directory credentials.
Within minutes he had harvested 4 credential sets, and over the next two hours his haul was around 30 (out of 1000 possible credentials). He was able to access the company VPN and from there scan the network for vulnerabilities. Since the company was pretty much up to date, he switched to looking for LM hashes left over from RDP sessions. He struck lucky and found a hash that unlocked an account with Domain Admin privileges. Now he was able to dig much deeper into the network to discover un-patched systems. The punchline was that the weakest systems he discovered belonged to the parent company.
To me, the key message was: "Millions spent on information security kit defeated by human nature".
I went as a delegate, and therefore it didn't seem appropriate to rant on about how we could help! Essentially all the infosec resources of the company were beaten by a simple phishing exercise. However, if you look further, it was the LM hash that really let the penetration tester in. If you separate the people from the passwords, the best an attacker can get is access to a low-privilege account. It seems to me that this is a much easier approach than taking on all the extra overhead of running every application in a micro VM and then monitoring all the results. If you can monitor what every privileged account does, rather than monitoring what every non-privileged account does, then you are much closer to where the action is.
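To make the "monitor the privileged accounts, not everyone" point concrete, here is an added example (written for this page; it is not Osirium's product code and not from the conference talk). It assumes a small, labelled set of privileged account names, a single assumed PAM or jump-host address from which brokered privileged sessions are expected to originate, and a constructed, simplified logon log format. It flags only those logons where a privileged account is used directly from anywhere other than the PAM host, which is exactly the kind of event the VPN-to-Domain-Admin path above would produce.

```python
"""Privileged-account logon monitor: added example, not code from the original post.

Constructed log format (one event per line):
    <timestamp> logon user=<name> src=<ip> method=<vpn|rdp|console>
Assumptions (not from the page): the privileged account names, the PAM/jump
host address and the sample log lines are all made up for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed: the small set of accounts whose use we actually want to watch.
PRIVILEGED_ACCOUNTS = {"da-admin", "svc-backup"}
# Assumed: the only source from which a brokered privileged session is expected.
PAM_SOURCES = {"10.0.5.10"}

# Constructed sample log: a mix of ordinary user logons and privileged ones.
SAMPLE_LOG = """\
2015-07-13T09:00:01 logon user=jsmith src=172.16.8.23 method=vpn
2015-07-13T09:02:17 logon user=da-admin src=10.0.5.10 method=rdp
2015-07-13T09:05:44 logon user=da-admin src=172.16.8.23 method=rdp
2015-07-13T09:07:02 logon user=svc-backup src=10.0.20.4 method=vpn
2015-07-13T09:08:30 logon user=asmith src=172.16.8.99 method=vpn
this line is not a logon event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev: dict, privileged=PRIVILEGED_ACCOUNTS, pam_sources=PAM_SOURCES) -> Optional[Alert]:
    """Alert only on privileged accounts used directly, not via the PAM host."""
    if ev["user"] not in privileged:
        return None  # non-privileged logon: deliberately not monitored here
    if ev["src"] in pam_sources:
        return None  # privileged, but brokered through the PAM host: expected
    reason = f"privileged account used directly over {ev['method']} from non-PAM source"
    return Alert(ev["ts"], ev["user"], ev["src"], reason)


def scan_log(text: str, privileged=PRIVILEGED_ACCOUNTS, pam_sources=PAM_SOURCES) -> list:
    """Run check_event over every parseable line and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable or non-logon line
        alert = check_event(ev, privileged, pam_sources)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} ALERT {a.user} from {a.src}: {a.reason}")
```

On the constructed sample this raises two alerts (the Domain Admin account used over RDP from a workstation address, and the backup service account logging on over the VPN) and stays silent on the three ordinary user logons and on the brokered admin session. The watch list is the handful of privileged names, so the volume of events to review tracks the number of privileged accounts rather than the number of staff.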
Our view at Osirium is that we have just the right tool to prevent breaches in the first place: separate the people from the passwords of privileged accounts, wrap the most common privileged operations into tasks - Job Done Tick!