A New Year's greeting, and a question: where do people get their refreshment in the new year? I live in the fishermen's village of Scheveningen, where one enjoys the change of scenery. One of the traditions is the polar bear dive that takes place every year on the first of January, when the seawater temperature is below 7 °C (44.6 °F), in the hope of gaining fresh new insights, just like the New Year's event that takes place promptly at 12 o'clock.
It can't be a coincidence that the hats in the photo are orange... and that it is daring and refreshing, like the heart of our Triple A strategy:
Against Attacks on Assets
Back in time…
Several years ago (in 2003, to be exact) I created Server Beheer Support (SBS; "beheer" is Dutch for management). I envisioned it as an elegant solution in which management was configured so that one could operate everything on a single server (yes, even Active Directory), and where wizards made it easy to configure and operate. The idea was a 'SYSTEM' that removed everything complex and costly, resulting in a solution businesses wanted to pay for.
Fog of More
At that time, other companies were offering "next generation" security, since the old firewalls and antivirus were failing (AOL, T-Mobile, the US Department of Veterans Affairs). The call for next-generation security was again answered with a box whose innovativeness depends on yet another heuristic database: just turn the scanner on the device itself, a typical reactive action that also does not work once a tunnel through the device has been set up.
There were IDS, IPS and everything else you can find above, mostly on the reactive side, which in the figure is on the right, after the assets are infected. The idea that protection happens on the right side is thereby shown to be nonsense. Antivirus protection is actually anti-virus analysis: after all, the file is already on the device, where you don't want it!
‘test the waters’
The people who give you advice have also never heard of designing a defense differently, and they think that old-school, perimeter-focused malware prevention won't work. And the fact is that intrusion prevention solutions cannot provide 100% protection. Because of this reactive consulting, the company's current focus is on recovery and reaction through monitoring only.
Over time we see an interesting pattern:
No poor security or inside jobs like in early 2004, yet still hacked...
This is due to the reactive mindset many certified security professionals seem to have: they believe that a persistent, highly determined and highly skilled attacker will always find a way in, and that once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes and antivirus can't help. Once they've bypassed these solutions, attackers are free to operate in your network unobstructed. And the fact is that intrusion prevention solutions cannot provide 100% protection. Because of this reactive consulting, the company's current focus in enterprise cyber risk management lies on recovery and reaction through monitoring only.
A situation your current security providers and consultants like to sustain, since it means huge profits for them and high costs for you, without guarantees. The cyber security market is estimated to grow from USD 122.45 billion in 2016 to USD 202.36 billion by 2021, at a compound annual growth rate (CAGR) of 10.6%.
Over the past few years, cyber insurance markets have been growing at between 25 and 50 percent CAGR each year. According to The Betterley Report 2015, annual policy premiums are approaching $2.75 billion.
The last resort is then insurance, since you can't stop it... or can you?
And insurance has not protected anyone so far either, as you can see in the graphs from Information is Beautiful: what makes those companies different from yours? The P@ssport philosophy: People, Processes, Organization, Similar events, and then, and ONLY then, technology.
Perfect storm: Stuxnet
A good example of what a well-designed system could have defeated started in 2010, when the first computer virus was discovered that could also infect Programmable Logic Controllers. This was a destructive virus aimed at sabotaging Iran's nuclear centrifuges, and it succeeded in setting back their production capability by at least two years.
1. PREPARE: using four zero-day attacks and two stolen driver certificates, from JMicron and Realtek Semiconductor.
2. ARM: finding the weak spot. Stuxnet was able to bypass Windows and anti-virus security software (note that the firewall did nothing here).
3. DELIVERANCE: to the vulnerable device.
4. TOP EVENT: losing control. It escalated its permissions from local to administrative.
5. WILDFIRE: it then spread from host to host via infected USB flash drives, administrative network shares or shared network drives. It also injected itself into Siemens WinCC project files and even into well-known antivirus executables such as Symantec's ccSvcHst.exe and rtvscan.exe, Kaspersky KAV's avp.exe and McAfee's Mcshield.exe.
6. ET PHONE HOME: Stuxnet was able to update itself through a Command and Control (C&C) mechanism.
7. P@WNED AND OWNED: once Stuxnet invaded a host it would seek Internet connectivity; if found, it would contact one of two command and control servers, www.mypremierfutbol.com or www.todaysfutbol.com, located in Malaysia and Denmark, and exchange pertinent information such as OS version, machine name and workgroup name. The C&C servers would respond with one of two controls back to the infected host:
8. TOTAL CONTROL: execute a remote procedure call (RPC) or execute encrypted binary code; either one provided Stuxnet with backdoor functionality.
This is what you call a perfect example of a cyber kill chain, aka a Perfect Storm, from Lockheed Martin, which is now questioned by current security professionals because they believe that a persistent, highly determined and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes and antivirus can't help. Once they've bypassed these solutions, attackers are free to operate in your network unobstructed.
Cyber Security = 90% IT security and 10% Innovation
Warnings from specialists were largely ignored, since there was no email and the systems were air-gapped. A nice parallel with how we designed IT security in the 1980s, which still resembles our current security stance in 2017.
Enterprise Cyber Risk Management strategy according to P@ssport
At that time antivirus was the only protection for SCADA systems, something that is now outdated and not protective: a useless checkbox exercise, according to a Google security official (http://bit.ly/2fzE5iP). Then came the push for a firewall again, this time with industrial firewalls highlighted by industrial control suppliers, on the assumption that they would keep out and stop these attacks.
P@ssport architects looked at this from an IT perspective with operational technology in mind: in addition to the fact that IT firewalls themselves are susceptible to security vulnerabilities, the access to and from the cloud that all companies now use poses a huge challenge to critical infrastructure systems, some of which even use hard-coded passwords.
Yet if you are determined to stop attackers and intervene in the cyber kill chain, you need to change your view. So if you had to build an identity and access system from the ground up, how would you deal with authentication and remote access, and protect against vulnerabilities in a rapidly changing environment with Big Data, IoT and compliance requirements such as GDPR?
Protection: what if you allow access only to authorized users and keep unauthorized users out? Then you can be flexible without worrying about the threats that are coming in daily.
Access and compliance: what if you can see who has business with you, and can "guide" those who do to the asset itself, but only to that asset or data repository and nowhere else?
Legacy support: what if systems that are still working fine do not have to be replaced just because there are no security updates available anymore?
In control: what if you assign passwords yourself but do not need to share them with people inside or outside the organization?
P@ssport enterprise architects went to work and used the ADM cycle from TOGAF, also to ensure that this Triple A reasoning (Against Attacks on Assets) connected with management, system owners and network administrators.
Then P@ssport and the stakeholders sought, within the E-circle, solution components that had to meet four business requirements:
Simple, Compatible, Preventive, Affordable.
And two operational requirements:
Stop cyber incidents as early as possible, and avoid business disruptions.
The outcome was the need to overcome threat, risk and liability challenges in the strategic (board), tactical (enterprise architects) and operational (support for business processes, bound by compliance) areas.
This year we will get a lot of disclaimers, successful breaches, a return to premium prices, complexity, and again the hope that the components work well together (encryption, two-factor authentication, directory services, tokens), the belief that the partners have established their components well (for monitoring the data center, shared virtual environments, applications with personal data), and the "we are the experts" attitude with the Not Invented Here syndrome (NIHS) (you know who you are).
So you have all the security and you are armed to the teeth.
You do it like this because we have always done it like this: the round-tower syndrome, with no room for innovation, based on the old ISO 27xxx standards for information security, leaving all the threats (blue) free to abuse the enterprise and place it at risk (right), where only reactive technology can stop the attack, and most of the time it fails: 229 days to detect malware and 3.5 million to clean up the mess.
But we are ISO certified...
Securing companies is a game, the greatest game in the world if you know how to play it.
P@ssport: the new cyber risk management philosophy since 2012
Innovative Capabilities are needed
It takes 229 days to detect malware and an average of $3.5m to reactively repair the damage. While innovative companies are getting started with sandboxes, we went to work six years ago with new technologies that enable real-time insight, so that we can intervene preventively.
Triple A has made the complete elimination of the complex legacy security stack possible, and it has four pillars.
P@ssport Triple A is a preventive enterprise cyber risk management approach that looks at how you can prevent an undesirable situation (the top event) from happening. An ounce of prevention is better than a pound of monitoring, and we do what others try to achieve: prevention.
For this you need 4 ingredients, according to the P@ssport philosophy:
What if this is done according to the four business requirements:
And the two operational requirements:
Then you have the P@ssport enterprise risk management philosophy integrated with ease into your current network, with the right preventive security mechanisms provided through our innovative Triple A switchboard, to stop cyber incidents early and for a fraction of the current investment in reactive technology and SOC monitoring.
So you have the additional reporting, tuning and finding out how the threat was built up, which open holes your pen testers did not see or which zero-day exploit was used this time, which patch was not applied in time or which device was vulnerable this time... another app in the wall.
Similarly, anti-virus and anti-malware intervene at step 5, and if your SOC has just failed to stop the rampant virus, that is reactive and probably too late firefighting, since being in the reactive field, putting out fires, increases maintenance costs. This forces a company to do unplanned work and hire experts, and it causes unscheduled downtime and higher costs to clean up and remediate the attack.
2. ARM: finding the weak spot. P@ssport engages early in the cyber kill chain, namely at step 2, since we designed our Triple A switchboard not to show any weak spots, while still letting operations do their maintenance and at the same time protecting them transparently.
proud defender of critical infrastructure since 2012
Similar events: nowadays we are all presented with Stuxnet-like attack patterns, and we are just at the beginning, since HTTPS tunnels will deliver the payload at your front door and fileless infections will not trigger anti-malware or anti-virus.
Follow the red line: something the current security solutions cannot match, because of the VPN and SSL tunnels and the latest emerging threat, "fileless infection".
After all, no file is downloaded, so there is no file to scan, since nothing shows the anti-malware and antivirus a file. No file, no infection. But we know differently... this can cost you dearly.
P@ssport's ultimate goal is to be so far ahead of the curve, and as always in the preventive area, that it is off the cyber kill chain, at the point where all opportunities (Big Data, mobility, IoT) can safely be executed.
As always, a 24/7 data exchange economy runs on accessibility and safe and secure work, something we have been promoting and doing since 2012. So do you want to optimize your business processes, which saves money, and be in control yourself?
Where you can omit reactive work such as producing the reports required for compliance: the "discovery" of malware after 229 days on average and the $3.5 million to repair the damage are all the result of risks overshooting too far, with additional compliance requirements that little more than half of current companies are ready for. You might be, but is your business partner? www.linkedin.com/hp/update/6221630312636645376
A Triple A system will beat a bad person every time