Thinking like a cyber criminal to enhance the protection of IT systems and infrastructure is a growing trend within the IT security market, says Clint Carrick, CEO of Carrick Holdings, a local provider of comprehensive IT security solutions and services.
“Decision makers within companies are placing themselves in the shoes of the cyber criminal, and have found success in this approach in terms of reassessing their IT security policies and procedures,” explains Carrick.
Carrick Holdings was recently contracted by a local banking institution to perform a comprehensive security assessment.
The service combined an external, discovery-style assessment carried out without inside knowledge of the environment (black box) with an internal assessment carried out with knowledge of, and access to, the bank's network (white box).
Carrick's agents were instructed not to exploit any vulnerabilities they found, but only to determine what of the bank's environment was visible from outside and to report on it.
“The principle is not one of ‘if you can’t gain access, then the environment is secure,’ but rather security through obfuscation,” explains Carrick. “This principle addresses the risks associated with the commencement of the hacking life cycle.”
Hugo van Niekerk, a technician at Carrick Holdings, explains the company’s phased approach to the evaluation.
“The first phase of the project involved reconnaissance. As the term implies, the process involves soliciting any information that is publicly available about the Target of Evaluation (TOE) – which is the collective term used to describe the system that requires assessment.
“DNS servers represent such a source of information. The DNS information directed the security agents to the firewall IP address and the pool of public IP addresses assigned to the specific bank. DNS further identified where the bank’s Web sites were hosted and other static IP information, for example, E-mail and VPN services,” says Van Niekerk.
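As an added illustration of the DNS footprinting described above (example code written for this page, not Carrick Holdings' own tooling), the following Python script takes dig-style answer records and builds the kind of inventory the reconnaissance phase produces: each public host with the service it fronts, the /24 that appears to be the organisation's own address pool, hosts that resolve outside that pool (and are therefore hosted elsewhere), and addresses leaked by an SPF record. The domain examplebank.test, the hostnames and the RFC 5737 addresses are constructed so that it runs offline; the rule that the /24 holding the most hosts is the organisation's own pool is a heuristic assumption that a WHOIS or RIR lookup would confirm.

```python
"""DNS footprinting of a Target of Evaluation from dig-style answers.

Added example for this page, not Carrick Holdings' tooling. All names and
addresses below are constructed (examplebank.test, RFC 5737 ranges) so the
script runs offline; on an engagement the text would come from dig/host output.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in dig's answer-section layout: owner TTL class type rdata
SAMPLE_ANSWERS = """\
examplebank.test.        3600 IN A     203.0.113.10
www.examplebank.test.    3600 IN A     198.51.100.25
examplebank.test.        3600 IN MX    10 mail.examplebank.test.
mail.examplebank.test.   3600 IN A     203.0.113.20
vpn.examplebank.test.    3600 IN A     203.0.113.30
examplebank.test.        3600 IN NS    ns1.examplebank.test.
ns1.examplebank.test.    3600 IN A     203.0.113.2
examplebank.test.        300  IN TXT   "v=spf1 ip4:203.0.113.20 include:spf.mailrelay.test -all"
"""

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def parse_answers(text):
    """Turn dig answer lines into (owner, type, rdata) tuples; skips anything else."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def classify_service(name, apex, mx_targets, ns_targets):
    """Label a host by the service it fronts: record type first, then hostname."""
    if name in mx_targets:
        return "mail"
    if name in ns_targets:
        return "dns"
    label = name.split(".")[0]
    if name == apex or label in ("www", "web", "online", "ibank"):
        return "web"
    if label.startswith("vpn") or label in ("remote", "ras", "sslvpn"):
        return "vpn"
    return "other"


def footprint(text, apex):
    """Build the external inventory: hosts, services, address pool, outliers, SPF leaks."""
    records = parse_answers(text)
    mx_targets = {r[2].split()[-1].rstrip(".").lower() for r in records if r[1] == "MX"}
    ns_targets = {r[2].rstrip(".").lower() for r in records if r[1] == "NS"}
    hosts = {owner: ipaddress.ip_address(rdata)
             for owner, rtype, rdata in records if rtype in ("A", "AAAA")}

    # Heuristic (assumption): the /24 that holds the most hosts is treated as the
    # organisation's own public pool; a WHOIS/RIR lookup would confirm it.
    prefixes = [ipaddress.ip_network(f"{ip}/24", strict=False)
                for ip in hosts.values() if ip.version == 4]
    pool = Counter(prefixes).most_common(1)[0][0] if prefixes else None

    inventory = {}
    for name, ip in hosts.items():
        inventory[name] = {
            "ip": str(ip),
            "service": classify_service(name, apex, mx_targets, ns_targets),
            "in_pool": pool is not None and ip in pool,
        }

    # SPF records often name mail-sending addresses and third-party relays that
    # never appear as A records, so they widen the visible footprint.
    spf_hints = []
    for owner, rtype, rdata in records:
        if rtype == "TXT" and "v=spf1" in rdata:
            spf_hints += re.findall(r"(?:ip4|ip6|include):(\S+)", rdata.strip('"'))

    return {
        "pool": str(pool) if pool else None,
        "hosts": inventory,
        "hosted_elsewhere": sorted(n for n, h in inventory.items() if not h["in_pool"]),
        "spf_hints": spf_hints,
    }


if __name__ == "__main__":
    report = footprint(SAMPLE_ANSWERS, "examplebank.test")
    print("public pool:", report["pool"])
    for name, h in sorted(report["hosts"].items()):
        where = "pool" if h["in_pool"] else "ELSEWHERE"
        print(f"{name:28} {h['ip']:16} {h['service']:6} {where}")
    print("hosted elsewhere:", report["hosted_elsewhere"])
    print("SPF hints:", report["spf_hints"])
```

On the constructed sample the script reports 203.0.113.0/24 as the bank's pool, labels the mail, VPN and name-server hosts from their records, flags www.examplebank.test as hosted outside the pool, and pulls a relay domain out of the SPF record. Because everything here comes from public DNS answers, the inventory is exactly what an attacker has before touching any host, which is the exposure the reconnaissance phase measures.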
The second phase involves analysis by scanning for vulnerabilities, says Van Niekerk.
While several shortcomings in the system were revealed, the analysis also showed that the institution had taken significant steps to protect its infrastructure, from regular updating of processes and procedures, through patch and vulnerability management, to effective e-mail filtering.
“On the bank’s internal network, the junction devices were expertly configured and provided a balanced measure of security. The servers were patched and controls like antivirus, intrusion prevention systems (IPS), encryption and filtering at various levels, were installed,” says Van Niekerk.
The institution has dedicated support staff available for all systems.
However, the scans highlighted a number of vulnerabilities at the workstations on the internal network segments (the network legs), adds Van Niekerk.
“This implied that an internal attacker could escalate privileges through the organisation until he or she could gain access to a specific system,” Van Niekerk adds.
“There were no vulnerability management systems installed and also no procedures for hardening systems. No provision was made for the training of personnel to stay abreast of the latest security practices and techniques.
“In the final analysis, external security was excellent from a prevention point of view, but denial of service (DoS) attacks were to be addressed.
“Internal security was acceptable, but could definitely improve. A gruntling program for employees was required. Improved communication between top management and the information security department was a necessity.
“A vulnerability management system such as Qualys or Foundstone was lacking. Accountability, at all levels, has to be reinforced.”
According to Carrick, this is a strong example of how a business or organisation can adopt a proactive approach to security, one that takes into consideration the motivation and modus operandi of cyber attackers.
“Most attacks against the environment are complex and are executed by highly motivated perpetrators. Banking institutions and financial houses face this challenge on a daily basis and there is certainly merit in approaching security from both sides of the perimeter, so to speak,” Carrick concludes.