Slashdot Mirror


EndGame CEO: Root Out Hackers Before They Strike (qz.com)

The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz: Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...

The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.

Fick points out that despite $75 billion in enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.

8 of 148 comments

  1. Re:All well and good for nation states by Anonymous Coward · · Score: 1, Interesting

    and... we take another step towards Stallman's predictions of you needing a license to own a compiler or a debugger..

  2. Re:All well and good for nation states by Anonymous Coward · · Score: 1, Interesting

    All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...

    You forgot about the added bonus that you receive in the US for being pro-active.

    The government response is also to be "pro-active". By labeling you a "terrorist". Welcome to the No Fly club.

  3. Re:I've got one for you: wise up, do your homework by l0n3s0m3phr34k · · Score: 4, Interesting

    End-users, the "layer 8" of the OSI model. One way to stop a good chunk of intrusions: force everyone in your organization to go back to plain-text email. No more HTML emails, no more files attached to emails, no embedded links or graphics. Almost every time I read about some new ransomware hit, or most break-ins, it's always some phishing attack via email. Obviously these end-users aren't capable of being educated how to recognize them, so to me the only way to "fix" the problem is to BOFH the situation and remove the most commonly used paths of attack. Anyone who demands these "enhanced capabilities" should also be made to sign an addendum to their employment contract that they are financially responsible for any attacks that they allowed because they just "had to have the ability for people to send them files in their Outlook".

  4. Re:All well and good for nation states by fuzzyfuzzyfungus · · Score: 4, Interesting

    Plus, at least some of the targets of your 'proactive defense' are nation states; and they will be even less happy about being attacked than they will about you attacking 3rd parties.

  5. I call bullshit. by rew · · Score: 5, Interesting

    There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.

    And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!

    Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

    In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.

    You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.
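
The two server-side checks the comment above calls elementary, as an added example that is not part of the original comment or of any real shop's code: the amount owed is read from the server's own order record rather than from the URL, and a record is returned only to the user who owns it. The `ORDERS` table, `CALLBACK_KEY`, the function names, and the HMAC-signed payment callback are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: server-side order records keyed by order id.
ORDERS = {
    "A100": {"owner_uid": 1234, "total_cents": 1560, "paid": False},
    "A101": {"owner_uid": 1235, "total_cents": 2300, "paid": False},
}
# Hypothetical secret shared between the shop and its payment provider.
CALLBACK_KEY = b"constructed-demo-key"


def sign_callback(order_id: str, paid_cents: int) -> str:
    """Signature the payment provider would attach to its confirmation."""
    msg = f"{order_id}|{paid_cents}".encode()
    return hmac.new(CALLBACK_KEY, msg, hashlib.sha256).hexdigest()


def view_order(session_uid: int, order_id: str) -> dict:
    """Object-level check: the logged-in user must own the requested record."""
    order = ORDERS.get(order_id)
    if order is None or order["owner_uid"] != session_uid:
        # Same error for "missing" and "not yours", so ids cannot be probed.
        raise PermissionError("order not found")
    return order


def confirm_payment(session_uid: int, order_id: str,
                    paid_cents: int, sig: str) -> bool:
    """Mark an order paid only if the signed amount equals the stored total."""
    order = view_order(session_uid, order_id)
    expected = sign_callback(order_id, paid_cents)
    if not hmac.compare_digest(expected, sig):
        return False  # order id or amount changed after the provider signed
    if paid_cents != order["total_cents"]:
        return False  # genuine payment, but not for what the server says is owed
    order["paid"] = True
    return True
```
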

  6. Re:I can't even imagine what he's talking about. by Opportunist · · Score: 3, Interesting

    Honeypots are a bit like undercover policemen. You can use them to catch the dumb ones and give the smart ones more leg- and elbowroom.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  7. Re:I've got one for you: wise up, do your homework by Anonymous Coward · · Score: 3, Interesting

    > End-users, the "layer 8" of the OSI model.

    They are definitely the most vulnerable part. But don't get me wrong, it's not about blaming the users. They just want to get stuff done, it's their job. And they are put under considerable pressure at that.

    It's the job of the organizations to strengthen the users and to raise their level of proficiency in understanding the issues involved. Heck, they are not stupid, in real life they wouldn't hand over their flat keys to a random stranger on the street (with a small note containing their address).

    The security department's job is technical, but at the same time educational. It must encompass all the "stack", starting with the users.

    As long as there is a "security department" making some magic stuff nobody else understands, and which is only perceived as an impediment to the daily chore, we've lost.

  8. Re:Too good at the job by arth1 · · Score: 4, Interesting

    Buying security from security firms gives very little bang for the buck. Security isn't a commodity any more than love is. You can only buy fake versions of either.

    Spend the same on security minded employees and individualized training. Spearfish your employees and require mandatory training of anyone caught. Hold security training without powerpoint, and keep your employees informed with facts. Pay out small bonuses to people who display awareness. Post the name of departments where anyone has attempted to run malware or otherwise shown gross negligence. Make it a people thing, not a box in the server room and some licenses.

    When TFA says "Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...", they were dead wrong. It should be closer to 100%, with almost all going to internal resources.