This legacy model assumes that attacks will be front facing and will originate on the Internet toward the most public facing servers. The primary protection is provided by Firewalls restrictions and User Authentication to external services.
Security incidents throughout the industry have demonstrated the effectiveness of attacks aimed at the users.
As a company grows, so does the attack surface for internal threats. Risk = Number of External Facing Services + (Number of Users * Workstation Vulnerabilities + Internet usage) - Internal Mitigation
Organizations who continue to rely on the security models of the past face serious business risks from modern threats:
The myth of the Internal Network; In short, what is considered internal trusted space / data can quickly become external Internet accessible assets if controls are not in place to protect internal facing business critical systems.
-by Richard Bejtlich - Chief Security Officer: Mandiant
Monitored:
The easiest and cheapest way to begin developing DNA on an existing enterprise is to deploy Network Security Monitoring sensors capturing session data (at an absolute minimum), full content data (if you can get it), and statistical data. If you can access other data sources, like firewall/router/IPS/DNS/proxy/whatever logs, begin working that angle too. Save the tougher data types (those that require reconfiguring assets and buying mammoth databases) until much later. This needs to be a quick win with the data in the hands of a small, centralized group. You should always start by monitoring first, as Bruce Schneier proclaimed so well in 2001.
Inventoried:
This means knowing what you host on your network. If you've started monitoring you can acquire a lot of this information passively.
Controlled:
Now that you know how your network is operating and what is on it, you can start implementing network-based controls. Take this anyway you wish -- ingress filtering, egress filtering, network admission control, network access control, proxy connections, and so on. The idea is you transition from an "anything goes" network to one where the activity is authorized in advance, if possible. This step marks the first time where stakeholders might start complaining.
Claimed:
Now you are really going to reach out and touch a stakeholder. Claimed means identifying asset owners and developing policies, procedures, and plans for the operation of that asset. Feel free to swap this item with the previous. In my experience it is usually easier to start introducing control before making people take ownership of systems. This step is a prerequisite for performing incident response. We can detect intrusions in the first step. We can only work with an asset owner to respond when we know who owns the asset and how we can contain and recover it.
Minimized:
This step is the first to directly impact the configuration and posture of assets. Here we work with stakeholders to reduce the attack surface of their network devices. You can apply this idea to clients, servers, applications, network links, and so on. By reducing attack surface area you improve your ability to perform all of the other steps, but you can't really implement minimization until you know who owns what.
Assessed:
This is a vulnerability assessment process to identify weaknesses in assets. You could easily place this step before minimization. Some might argue that it pays to begin with an assessment, but the first question is going to be: "What do we assess?" I think it might be easier to start disabling unnecessary services first, but you may not know what's running on the machines without assessing them. Also consider performing an adversary simulation to test your overall security operations. Assessment is the step where you decide if what you've done so far is making any difference.
Current:
Current means keeping your assets configured and patched such that they can resist known attacks by addressing known vulnerabilities. It's easy to disable functionality no one needs. However, upgrades can sometimes break applications. That's why this step is the last step.
Sells: Security Consulting, Security Software, Purchasable Malware
Compromise:
* Secondary Site + SQL Injection = Password Database
* CEO Aaron Barr and COO Ted Vera used weak passwords for
multiple services: SSH, Email, Twitter, Linked-in
* Account usage provided access to systems vulnerable to
local side attacks and privilege escalation
* Aaron Barr's email account contained clear text root
passwords to rootkit.com
* Using Aaron's account, email was use to trick an
Administrator into confirming the root password, opening
firewall rules, and changing the account password used to
ssh in remotely.
* Most if not ALL internal / sensitive data is then
leaked onto the internet. Including Intellectual Property
and Employee Emails.
Impact:
* Financial losses from the list above
* Loss of reputation as a competent security company
* All personal emails aired publicly, including emails
between Arron and his Wife threatening Divorce.
* Aaron Barr resigns from the company
Sells: Cryptographic Authentication Technology and Cryptographic libraries
Compromise:
* Spear Phishing emails were sent to select groups of
employees
* A curious employee opened the attached Excel document
which exploited a vulnerability in Adobe Flash
* A trojan (Poison Ivy) providing remote control was
installed and created a network connection originating
from the internal network out to an internet based system.
* The trojan was used to steal employee credentials and
gain further trusted access to internal systems exploiting
privilege escalation where needed.
* Once access had been gained to Stage servers, Source
code / Intellectual Property was collected, compressed,
encrypted, and sent over FTP to an external internet system.
Impact:
* Loss of reputation as a major security vendor
* Unknown financial loss from stolen intellectual property
* Unknown impact to customers of the stolen code
Sells: Advertisement based revenue - News/Blog site
Compromise:
* Undisclosed vulnerability in Dynamic Web code permits
attackers access to the internal systems
* Weak password practices allowed for additional
unauthorized access using the CEO and other employees
credentials.
(The same password was also used for: Gmail, Twitter, Campfire)
* Access to the internally used chat/discussion system
provided conversations / logs which included additional
usernames and passwords to external companies ftp servers.
* Hacking group release a torrent on Pirate Bay:
The file contains Source Code, Internal Company
conversations, and over 1.3 million users email addresses and
accounts with weakly hashed passwords.
Impact:
* Financial loss from list above
* Lost trust from its User Base for not providing adequate
protection of user information
* Loss of source code / Intellectual Property
-Enigma