Security 101 – Presume breach

Nothing bad will ever happen to you…until it does.

There are two kinds of organizations in today’s world – those who have been hacked, and those who know they have been hacked. OK I don’t want to sound so bleak but with so many high profile attack happening on a near daily average – just look at our monthly Hack Hall of Shame series – It’s not a matter of if; it’s only a matter of when. Insert your favorite aphorism here.

No matter how you want to say it, you need to believe it, and that is what “presume breach” is all about. It’s a mindset that goes at security from an entirely different angle, which is what today’s Security 101 post is all about.

Defenders should of course continue to look at how they can harden systems, mitigate risks, and take other actions to help prevent a breach. But if the major hacks of the past two years have taught us anything, it’s that hacks can go for months (or even years) before they are detected. Consider that for a moment. Attackers successfully penetrated major networks like those of Sony, Target, and US Federal Government agencies, and operated with access for periods of time ranging from days to months before they were detected.

What would you do differently if you knew that attackers were on the network already, and could potentially access anything? That is the main question drummed in within the presume breach state of mind.

Would you use the same password everywhere? Would you store your key usernames and passwords in a text file and save it to a directory on a server? Would you log onto any and every system you need, using credentials that could be used to access any other system, without concern? Would you operate on the assumption that any system’s security is “good enough?”

Odds are good you would do none of that, opting instead to exercise extreme paranoia as a self-defense mechanism. You would investigate every running process on every machine, and distrust any and every network connection until you vetted it completely. You would want to have physical verification that every single system is patched; every application is updated; antimalware is not only running on every single host but that full system scans are performed regularly; and you would want to personally approve every single firewall rule in or out, and inspect every single download yourself.

In case you missed it, have a look at our recent post on Pass-the-Hash attacks which comes complete with a list of methods to help you mitigate such attacks. That will likely be the last time you ever log onto a user’s machine with your Domain Admin account!

Most of that simply won’t scale well if you are a one-person team, but you should get the idea. If you don’t trust your own network, you are starting from the right perspective. Validating the status of each and every system, limiting what accounts you use to access less secured systems (like workstations) and using separate accounts to access servers, and not trusting anything may seem like a lot of work (which it is) but it will be far less work than cleaning up after a breach.

Presume breach-it may sound like the mantra of the tin-foil hat brigade, but what it really is, is the new reality for our connected world, and the family motto for anyone who wants to work in information security. Sleep well tonight!