At most information security conferences, security researchers will present findings where they bypass critical...
security controls used in your enterprise. The researchers will demonstrate how they can use vulnerabilities or proof-of-concept attacks to take over your entire organization. At Black Hat Europe 2015, there was a presentation on beating full-disk encryption from security researcher Ian Haken that examined how Microsoft Bitlocker could potentially be bypassed. At the same conference, there was a presentation from security expert Haroon Meer about how the information security industry is failing to protect our enterprises. Both show why enterprises need to adapt their infosec programs rapidly to respond to new and emerging threats.
This tip takes a look at the evolution of enterprise infosec programs and how to adapt them in the face of emerging threats.
Evolution of information security programs
Information security started out as just passwords, firewalls and antivirus software, but it has rapidly advanced to stronger passwords, next-generation firewalls, antimalware tools and more. There have been significantly more improvements made, but many infosec programs haven't evolved from the core security controls, or learned how to incorporate the changing risk environment into their programs.
For example, full-disk encryption (FDE) has become a core security control in many enterprises, but Haken's research shows earlier assumptions around FDE need to be updated to reflect his new research. Many enterprises decided to deploy transparent FDE because it minimized the impact on end users and required them to the change their behavior the least. While it was more secure than not deploying transparent FDE, it was also a less secure option than other options available, because the process is invisible to users and requires no additional passwords or authentication.
Haken's attack is an authentication bypass for domain accounts that allows an attacker to also bypass Bitlocker, Microsoft's FDE feature for Windows, but the attack requires logging into an administrator account and physical access to the client device. Potential mitigations are using BIO passwords, pre-boot authentication or installing the patch from Microsoft. He closes with the statement that when threat models change, "you need to re-evaluate previous security choices."
Enterprises that have deployed transparent FDE should evaluate how the authentication and FDE bypass could impact their enterprise and the potential for future bypasses to determine if using transparent FDE is an acceptable risk or if other security controls need to be implemented. This new attack may push some enterprises from using transparent FDE to requiring pre-boot authentication in their FDE deployments. This is an example of how an enterprise infosec program must evolve based on new information regarding threats and vulnerabilities.
How to adapt an information security program
The general challenge around how to adapt an enterprise infosec program is not new, but it has come under intense scrutiny as more resources are devoted to information security and enterprise boards have gotten involved. As Meer pointed out in his presentation, boards are now asking -- or will soon be -- why their investments in information security are not adequately protecting their enterprises.
It is not possible for enterprises themselves to keep up with every information security conference or new research paper, but enterprises can incorporate this data into their information security program by keeping up on new vulnerabilities and emerging threats being detected via a threat intelligence service or other mechanism. Enterprises can use sector-specific information sharing on malware, vulnerabilities or attack techniques actively being used in attacks to identify the highest priority items to address. Enterprises can adapt their information security programs by using this data in their information security risk management programs to evaluate the risks, determine the level of risk and appropriate mitigation steps.
All these different steps can be included in an enterprise's risk management program and used to update an information security program based on those assessed risks. Significant risks identified should have a more in-depth risk assessment performed to determine the appropriate response. This will prevent rash changes from being made that could ultimately have negative effects on the enterprise instead of positive ones.
Being prepared to make these changes will require more than just the enterprise infosec program and staff; potentially everyone in IT and many end users in the organization will need to be involved. Stakeholders should also be engaged in determining the appropriate steps to take to protect the enterprise. By engaging with stakeholders early and being transparent about the potential necessary changes, the stakeholders can help drive those necessary changes if the enterprise determines that, for example, pre-boot authentication is now needed to adequately protect endpoints with FDE. These changes might be unconventional, but may offer the best option for protecting the enterprise.
Enterprise information security has come a long way in about 40 years in defending enterprises from script kiddies in their basements to protecting the rapidly changing IT environment from modern advanced persistent threats. Enterprises can take a few additional steps in their information security risk management program to handle emerging threats and new risks. Some information security teams might be hesitant to making changes like this, but given the rapidly changing IT environment with BYOD, Internet of Things and cloud, enterprises need to be prepared to make rapid changes to protect the enterprise.
Discover why application security programs need improvements