Security Friction: The Distance Between Concept and Reality

At our 2019 Siouxland Cybersecurity Forum, Xigent hosted James Cabe, Fortinet’s senior security strategist, as a speaker and panelist. During his presentation, Cabe proposed a new, thoughtful approach to threat response systems.


For years, security experts generally had the advantage of superior resources, and they faced relatively minor cyber threats. However, advances in computational resources have shifted the balance of power to a degree. For as little as $200, a bad actor can deploy a very sophisticated global cyber-attack platform using only a Chromebook and a USB stick.


While the low cost of entry has lowered the barriers for cyber attackers, the dramatic increase in digital assets in all types of organizations, including banks, has driven an exponential rise in vulnerabilities. Just as we have used technological advancement to open new markets and business opportunities, hackers are now using those same advancements to create and exploit fraudulent business opportunities.


A Global Economy of Cybercrime


As with a computer game or war simulation, the party with greater scale and resilience wins. Hackers and other cybercriminals have developed their own economy, and with it, a dramatic increase in their ability to compromise IT systems.


The volume of attacks is continually increasing globally, as are the types of attacks and the attack sources. Because threats do not originate from a single country, cybercrime has formed its own economy that operates without regard to geography.


What’s more, the cybercrime resources are readily available to anyone. Cabe used one such tool to generate completely new malware in only minutes during his presentation. He then submitted his cloaked file to VirusTotal, a global anti-virus engine. The website analyzed his file and issued a passing grade while the audience watched.


Infrastructure Security


There is no doubt that threats against infrastructure have also escalated in recent years. Infrastructure such as power grid management consoles, physical security systems and even HVAC systems are vulnerable because they are usually separated from sensitive IP traffic.


While physical assets are often overlooked when assessing cybersecurity, their failure can lead to collateral damage to critical network assets. For example, attacks that weaken or compromise the serial interface to load management systems at power stations can cause nearby data centers to fail. Fortinet has been tracking rising numbers of attacks on such infrastructure components.


Whether they have a network interface in them or not, computers rely on data, and data that feeds a system can also be used to corrupt it. For this reason, even air gaps are proving less and less effective deterrents.


Some external threats are cleverly operating internally, and are thus almost impossible to detect. “Living off the land” attacks, for example, deliver their harmful payload via harmless-looking local applications and scripts. Most IT admins routinely use Windows PowerShell or Python to perform important work; those same applications can be used by attackers and raise little or no alarm among internal security analysts.
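Because the interpreters named above cannot simply be blocked, the practical defense is to baseline how they are normally used and flag deviations. The script below is an added example written for this article, not code from Fortinet or Xigent: it scores constructed process-creation records for an interpreter launched by an unexpected parent, by an account outside the admin baseline, or from a user-writable directory. The log format, the baseline sets and the weights are all assumptions chosen for illustration.

```python
"""Illustrative living-off-the-land triage over process-creation records.
Added example for this article; the record format, baselines and weights
below are constructed assumptions, not a vendor's detection logic."""
from dataclasses import dataclass

# Interpreters the article names as routine admin tools that attackers reuse.
LOTL_INTERPRETERS = {"powershell.exe", "pwsh.exe", "python.exe"}

# Assumed baseline: parents from which an interpreter is expected here
# (admin shells, the task scheduler, the service control manager).
EXPECTED_PARENTS = {"cmd.exe", "explorer.exe", "services.exe", "taskeng.exe"}

# Assumed baseline: accounts that routinely run scripted administration.
ADMIN_ACCOUNTS = {"CORP\\itadmin", "CORP\\svc-automation"}

# Assumed markers of user-writable locations where admin scripts do not live.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class ProcEvent:
    ts: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Parse one pipe-delimited record: ts | user | parent | image | cmdline."""
    fields = [f.strip() for f in line.split("|", 4)]
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return ProcEvent(*fields)


def score_event(ev):
    """Return (score, reasons). Non-interpreters score 0; interpreters are
    scored on context only, so legitimate admin use stays quiet."""
    if ev.image.lower() not in LOTL_INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    if ev.parent.lower() not in EXPECTED_PARENTS:
        score += 3
        reasons.append(f"launched by unexpected parent {ev.parent}")
    if ev.user not in ADMIN_ACCOUNTS:
        score += 2
        reasons.append(f"run by non-admin account {ev.user}")
    if any(m in ev.cmdline.lower() for m in USER_WRITABLE_MARKERS):
        score += 2
        reasons.append("script sourced from a user-writable directory")
    return score, reasons


def triage(lines, threshold=4):
    """Return (ts, image, score, reasons) for every record at or above threshold."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append((ev.ts, ev.image, score, reasons))
    return findings


# Constructed sample records: routine admin work, one suspicious launch,
# a scheduled automation job, and an unrelated user process.
SAMPLE_LOG = [
    "2019-10-02T08:14:03 | CORP\\itadmin | cmd.exe | powershell.exe | "
    "powershell.exe -File C:\\Scripts\\patch-servers.ps1",
    "2019-10-02T09:31:47 | CORP\\jdoe | winword.exe | powershell.exe | "
    "powershell.exe -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.ps1",
    "2019-10-02T02:00:00 | CORP\\svc-automation | taskeng.exe | python.exe | "
    "python.exe C:\\Automation\\nightly_backup.py",
    "2019-10-02T10:05:12 | CORP\\jdoe | explorer.exe | notepad.exe | "
    "notepad.exe C:\\Users\\jdoe\\notes.txt",
]

if __name__ == "__main__":
    for ts, image, score, reasons in triage(SAMPLE_LOG):
        print(f"{ts} {image} score={score}: {'; '.join(reasons)}")
```

Run against the sample records, only the Word-spawned PowerShell launch from a Temp directory crosses the threshold; the two administrative invocations score zero because their parent, account and script location all match the baseline. This is the kind of observation the article's "behavior" layer is meant to produce, with the baseline sets standing in for the patterns that layer would learn from the network.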


There are problems even with the latest threat intelligence solutions, because while staying up-to-date with the cybersecurity news and events is important, few intelligence reports are actionable. Many are missing the information needed to stop or recover from an attack. They may provide IP verification and URL/URI details but conspicuously lack file attributes, for instance.


Think Differently about Advancing Cybersecurity Threats


The solution, says Fortinet, is to think about threat mitigation more strategically. Defense in depth was formulated to raise multiple barriers that would exhaust or expose malicious hackers. Such techniques have succumbed to masses of cybercriminals who no longer need to invest much money or even time to exhaust organizational IT defenses.


Rather than organize IT security around stacking vendors, consider organizing resources into three discrete areas:

  • Enforcement: The layer at which the organization enforces its policies and builds its defenses.
  • Adaptation: This area contains resources designed to address new threats and moving targets. It would have sandboxes configured for various systemic or manual inspections and assets like security automation servers.
  • Behavior: These organizational resources should be designed to observe overall patterns and define those observations at the enforcement layer. The system should observe data and application use as well as the activity patterns of users and the network.

This strategic three-layer deployment of IT security assets merits greater consideration than typical methods, particularly for financial institutions.