November 16, 2022 by Gabriel Bassett
Three Security Baselines
I wanted to build on my mastodon post about the security baselines.
The TL:DR is …
Any minimum baseline should address the four ways threats get in (creds, phishing, vulns, and bots) from the 2022 Verizon Data Breach Investigations Report while respecting that orgs need to do it even if they’re below the securit poverty line.
Past that, organizations should be expected to invest in the four areas, as well as error prevention.
But none of that will address advanced threats which require security operations to mitigate.
Of Baselines and Best Practices
On twitter, Eric Geller mentioned the White House noting the need for mandatory security baselines.
The problem brings me back about 15 years in my security career. At the time we were assessing the compliance of a rather important system. It had it’s problems and the external testing company would strongly suggest we use “industry best practices”. To which Patti, the executive responsible for accepting the risk (and a leader I truly admire), asked: “What ‘best practices?’ Who’s?” A question which we didn’t have an answer.
And we still don’t. All controls lay on a continuum representing the amount of acceptance. A continuum that is also dependent on the what the system is. And because a mandatory minimum baseline would be effectively a minimal set of best practices, there is not going to be a minimum baseline we can all agree on.
Data Driven Baselines
My suggestion would be to use data to decide. One of the key findings from the 2022 DBIR is that there are four main ways attackers enter organizations: Credentials, Phishing, Vulnerabilities, and Bots, (to which Errors can be added). Wendy Nather coined the idea of a security poverty line.
The Minimum Baseline
The combination of the two creates the minimum security baseline. Controls that address the ways in at little to no cost of time or money.
- For credentials, there’s built-in password managers and two factor authentication.
- For phishing there’s using cloud email services that automatically do a good job of detecting phishing.
- For vulnerabilities, there’s turning on automatic patching and default firewalls. And for bots there’s enabling built-in malware detection.
- These days, most operating systems have such tools built in and even turned on by default.
A More Practical Baseline
However if things that were built-in and on by default solved security, the security community be leading much less stressful lives. In most cases there’s a need to invest in security. Still, the four ways in offer guidance.
- U2F security keys, second factor apps, and vouchers to purchase password managers all help address password reuse and malicious passwords as well as behavioral analysis of login attempts. Assessing employees’ susceptibility to phishing can also help determine where to apply targeted mitigations.
- Additional email filtering tools, phishing reporting tools, and user phishing training as well as web filtering for spoofed websites all help minimize the threat of phishing.
- Investing in external and internal asset discovery can help address vulnerabilities due to unmanaged assets as it’s old and easy vulnerabilities that drive compromise.
- Anti-virus helps spot latent bots.
- Scans of cloud infrastructure for exposed assets as well as monitoring of web servers and DLP in email help prevent accidental exposure of data
Organizations that can create externalities for people should probably be expected to invest in each of these areas.
An Aside about the Threat
One big reason to invest in the ‘ways in’, is that this is an organization’s main way to influence the threat. To refresh, Risk is Likelihood and Impact. Likelihood is Threat and Vulnerability. Threat (whether a threat actor engages with the target) tends to determine if they’re breached. Now threat and vulnerability are related. Threat actors want to pick vulnerable targets. They come together most often on criminal forums where attackers purchase lists of emails, credentials, knowledge of vulnerabilities, or access to bots. This is the one place organizations can most affect the threat’s choices. The more they do to make credentials not work when tested before sale, bounce bad email sent en mass, prevent detection of vulnerabilities, usually on the external surface, and get rid of bots, prevents threats from ever engaging with the organization.
Advanced Threats
That said, because the above baselines are targeted primarily at keeping threats from engaging with the organization, they won’t do much once a threat decides it wants to target an organization and that they’re willing to pay for the access. At that point, it’s a race between the threat actor finding what they want and security operations finding the threat actor.
Measurement
For each baseline, it should not be enough to ‘say’ it’s covered. We need effective ways of measuring in a statistical manner. How often do folks respond to phishing? What percentage of credentials are leaked? What percentage of leaked credentials still work? Are all externally facing assets are managed? What is the median time to remove bots within the organization? How often are exposed cloud storage created and how long on average until they are removed? We need to stop assessing with the data that is easily available and instead seek out the data that is tied to the threat.
It also brings up a stark blind spot in the security community: the ability to assess security operations performance. We rely on security operations to stop advanced or determined threats, but we lack the ability to measure how effective our ops team is likely to be. Are they the 90’s Bulls or the high school JV team?
The Future
As I said above, these primarily address the threat. The reason is the security industry simply lacks the ability to assess an organization’s attack surface holistically. We can look at vulnerabilities or assets, but we can’t assess it as a complex system. Until we can model the combination of IT systems, people, policies, and processes in such a single model, we’ll never reach defense in depth.
Update 1: Culture
I wanted to revisit this blog and add one last thing: culture. While it doesn’t directly affect the threat engaging with your organization, it does underpin everything security. The role security plays in the corporate culture will determine the success at all the other mitigations. With that you can organize a matrix of the bbasics of security, (and, frankly, probably enough action to keep most orgs safe from most threats):