Security Dinosaur
Thu 13 Sep 2012Don't become a Security T-Rex or you'll find yourself a Dinosaur
"...maybe his visual acuity is based on movement like T-Rex - he'll lose you if you don't move."
-Dr. Allen Grant: Jurassic Park
Zoinks! Are you seeing what I'm seeing?
A lot of good Security Engineers are great at spotting anomalies on the network and in the logs. There are also a lot of different tools out there that help monitor an infrastructures logs and network traffic. The battle for the network is quickily changing. The popularity and ease of backdoor installation calls for a higher level of precedence for relying on additional methods of detection. If you are primarily using monitoring and are not seeing positive confirmation of malicious activity internally, then you need to start auditing your infrastructure.
The rise of APT (Advanced Persistence Threats) and Client side attacks give adversaries internal footholds that can provide access to credentials and other trust based tokens. Without sufficient mitigating controls, it is possible for an adversary to traverse the network disguised as an employee. In these cases monitoring will likely fail to highlight seemingly legitimate usage by legitimate users.
Audit your Infrastructure
Take a moment to consider the critical systems in your buisness, systems that the company simply could not function without. How many of these do you have access to from your desk (or Portable, or iPad, or Smart Phone). How many of those devices allow you access without a password? How many of them only require one password without two-factor authentication? Most importantly, how many of them do you have access to that you have no need to access?
Think about which systems are really important, segregate them from devices that don't need to access and put accounting, monitoring, and more advanced forms of authentication on them.
Don't just rely on what you see, you might not be getting the full picture.
-Enigma