THE IT SECURITY PROFESSIONAL
Barlowtek, The IT Security Pro: Helping Organizations Understand IT Security & Best Practices
As the investigation continues into the breach of the computer system at the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida on February 5th, what is becoming clearer is that this hack was the result of several different security failures that led to the site being compromised by attackers. While the damage was small, it could have been a lot worse.

Security Failures

While the investigation into the breach is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols. These issues compounded one another and helped provide a path for an attacker to take advantage of these vulnerabilities. Additionally, remote management software could connect to these systems without being blocked. Here is the list of known security failures as of this post:
No single one of these failures caused the compromise; together they led to what could have been a serious incident, had someone not been watching the system and taken corrective action to return it to normal.

Attacker Accomplished

The FBI was called in to investigate the compromise and found that the level of sodium hydroxide in the water treatment process had been raised from 100 parts per million to 11,100 parts per million for only a few minutes. This chemical is used to clear clogged drains and could have caused deaths if ingested by members of the public.

Corrective Action

The failures identified by this attack should be remediated so that a similar type of attack does not occur. But this threat has shown what IT Security Pros already know: our infrastructure is not keeping up with evolving technologies. This creates vulnerabilities where it should be more secure. Municipalities are notorious for not updating or upgrading systems or software because they do not have the funds to replace or update them. While taking corrective measures now will address these issues, this is a systemic problem that will only be solved when municipalities and jurisdictions start taking security seriously and stop putting off the much-needed upgrades and enhancements required to stay up to date. Microsoft, for one, publishes notices to let the public know that there is going to be an end-of-life date for its systems and applications. Why didn't the municipality heed those warnings and transition to supported hardware and software?

Remaining Threat

Due to the attention this event is getting, it seems that these corrective actions will be taken as the city deals with the fallout. But the underlying fact remains for all public utilities: a crumbling infrastructure, and the management systems that are needed to keep it up and running.
This is a high-visibility event, and the attention will be on the city to see how it handles these issues in the future. These remaining threats are going to continue to plague our technologically evolving infrastructure as well. As mentioned in infrastructure-security-securing-the-grid-of-the-future.html, there are growing threats to the use of new technologies, as well as to the already well-established infrastructure, which must be secured by upgrading network hardware, software, and the overall IT Security posture.

Security for Infrastructure
Here are some of my recommendations for dealing with these issues. Whether you are a small business or a large municipality, this is commonsense guidance that you can follow:

1. Only use supported hardware/software

Use only those systems and applications that are fully supported by the manufacturer, and if they are not, replace them ASAP. One of the most common mistakes organizations make is waiting to upgrade later. Do not put it off: when a system or application reaches end of life, replace it.

2. Have a patch management program

When hardware and the OS do not receive updates on a regular basis, the risk and the number of potential vulnerabilities these systems pose to the organization keep increasing. Have an established patch management program and update software and hardware systems as soon as patches come out. This limits vulnerabilities while ensuring that potential risks are mitigated in a timely manner.

3. Establish Strong Security Policies/Standards

The need to establish strong policies and standards can't be overstated here. Passwords should be required to use the following types of characters:
With all of these measures, account passwords become more complex and more difficult for an attacker to crack. While no password is 100% secure, there are steps administrators can take to improve the security of these accounts.

4. Restrict VPN Access to Key Systems

This can be accomplished by not responding to unsolicited incoming connection requests, or by placing systems behind a firewall or in a DMZ with restricted IP access points. While there may be ways in which these controls can be overcome, an attacker's job is harder than it would be without them. This is especially important for systems such as a water purification plant or an electric distribution center.

Summary

While nobody was killed in this attack and someone was able to respond quickly to the changes in the purification process, it could have been much worse. Like a lot of other government-owned and -operated assets, our infrastructure is a prime target for those who want to do our country or our cities harm. No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions: they can be compromised, and they need to keep their security posture up to date, just like the private sector. The worst thing about this attack on the purification plant is that all of these security issues should have been addressed a long time ago. Even just upgrading and patching their systems could have helped deter a potential attack. Some of the simplest things make the biggest difference when it comes to these sorts of events. We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible.
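The fourth recommendation, restricting remote access to key systems to known source addresses, can be checked mechanically against a firewall's rule export. The following Python script is an added example, not code from this post or from the Oldsmar plant; the rules, subnets and port list in it are constructed placeholders.

```python
import ipaddress

# Constructed export of a small utility's firewall policy (placeholder addresses,
# not from the post or the incident report). Each rule allows or denies inbound
# traffic from src to dst on a TCP destination port (None = any port).
RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.0.0/24",  "dport": 5900},
    {"id": 20, "action": "allow", "src": "10.99.1.0/24", "dst": "10.20.0.0/24",  "dport": 3389},
    {"id": 30, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.50.0.10/32", "dport": 443},
    {"id": 99, "action": "deny",  "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",     "dport": None},
]

CONTROL_LAN = ipaddress.ip_network("10.20.0.0/24")   # plant control / SCADA hosts (assumed)
MGMT_SUBNET = ipaddress.ip_network("10.99.1.0/24")   # operator jump hosts reached over VPN (assumed)
REMOTE_MGMT_PORTS = {22, 3389, 5900}                 # SSH, RDP, VNC

def reaches_control_lan(dst):
    """True when the rule's destination overlaps the control network at all."""
    return ipaddress.ip_network(dst).overlaps(CONTROL_LAN)

def is_overly_broad(rule):
    """An allow rule for a remote-management port into the control LAN is a
    finding unless its source is confined to the management subnet."""
    if rule["action"] != "allow" or rule["dport"] not in REMOTE_MGMT_PORTS:
        return False
    if not reaches_control_lan(rule["dst"]):
        return False
    return not ipaddress.ip_network(rule["src"]).subnet_of(MGMT_SUBNET)

def tighten(rule):
    """Corrected form of a broad rule: same destination and port, but the
    source narrowed to the management subnet (the default deny handles the rest)."""
    return {**rule, "src": str(MGMT_SUBNET)}

def audit(rules):
    """Return the ids of rules that expose control-LAN remote management to
    sources outside the management subnet."""
    return [r["id"] for r in rules if is_overly_broad(r)]

if __name__ == "__main__":
    for rule_id in audit(RULES):
        bad = next(r for r in RULES if r["id"] == rule_id)
        print("FINDING rule", rule_id, "-> suggested:", tighten(bad))
```

Rule 10 is the pattern the post warns about: a remote-management port on the control network reachable from any source. Rule 20 is the corrected shape.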
Reference Site

abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550


The use of Artificial Intelligence (AI) in IT Security is shaping up to be transformative, in that it helps the IT Security Pro focus on the important aspects of the business, such as educating end users. While AI provides an extra source of intelligence in the field, the biggest fear is that it will replace IT Security Professionals and the industry. This is not the case, but there will be synergy between the human in the loop and the machine in responding to potential threats to the corporate business network.

AI vs. Machine Learning

AI implies that there is adaptive learning involved, and actions can change based on a given set of inputs. With Machine Learning (ML) there is a set of automated processes that are developed for a given scenario or set of inputs that match specific criteria. Understanding these key differences allows the IT Security Pro to use the best technology for any given situation they may run into. The use of ML is common in most IDS and IPS applications, as they provide quick action and prevent further issues for the network given a specific set of inputs. This can be anything from disconnecting servers to preventing certain IP packets from traversing the network or from reaching a specific targeted IP address. AI will take more time to determine whether behavior is malicious and may also take other inputs into account prior to acting.

Data Overload

As an IT Security Pro, your day is filled with reviewing logs and data collected from various sources around your computer network. Whether these are firewall logs or network traffic IP packets, there is a lot of data to process. This is one of the reasons that security applications which can correlate these records are a key component of any well-established IT Security Program.
The need we find is having to sift through tens of thousands of entries to find the information that is meaningful to us. Even with correlation, the IT Security Pro may sometimes be overwhelmed by the amount of information presented. This is where AI and ML come into their own. These technologies can help sort out this data, provide the IT Security Pro with actionable information, and suggest a course of action depending on all the inputs that have been gathered.

Work with AI in IT Security

With the ever more complex state of IT Security these days, it is important that we use all the tools available in the fight against potential threats to our networks. This means leveraging the strengths of AI and ML to keep up with the changing attack vectors of the adversaries we must defend against. There is an ever-growing number of threats that the IT Security Pro must defend against, and having a backup or additional support to help determine the course of action will be helpful, especially when we must do more with less. Some of these areas may be any of the following:
These are just some of the issues that an IT Security Pro may have to deal with daily. That is without mentioning the biggest threat of all, the end user. No matter how well a network is protected, it can always be bypassed by the employee who does not want to work within the security guidelines.
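The triage described under Data Overload, collapsing thousands of firewall entries into a handful of records an analyst should actually look at, can be done with simple correlation before any AI is involved. The Python below is an added example and not code from this post; the log lines and their format are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall deny log lines (not real traffic); the line format is assumed.
LOG = """\
2023-01-10T08:00:01 DENY src=203.0.113.7 dst=10.20.0.5 dport=22
2023-01-10T08:00:02 DENY src=203.0.113.7 dst=10.20.0.5 dport=23
2023-01-10T08:00:02 DENY src=203.0.113.7 dst=10.20.0.5 dport=3389
2023-01-10T08:00:03 DENY src=203.0.113.7 dst=10.20.0.5 dport=5900
2023-01-10T08:00:04 DENY src=203.0.113.7 dst=10.20.0.6 dport=502
2023-01-10T08:00:05 DENY src=198.51.100.4 dst=10.50.0.10 dport=443
2023-01-10T08:00:09 DENY src=192.0.2.9 dst=10.50.0.10 dport=443
2023-01-10T08:00:10 DENY src=192.0.2.9 dst=10.50.0.10 dport=443
"""
LINE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")

def summarize(text):
    """Collapse the deny lines into one record per source address."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "hosts": set()})
    for m in LINE.finditer(text):
        src, dst, port = m.groups()
        rec = per_src[src]
        rec["hits"] += 1
        rec["ports"].add(int(port))
        rec["hosts"].add(dst)
    return per_src

def triage(text, port_threshold=4):
    """Return (source, reason) pairs worth an analyst's attention: a source
    probing many distinct ports, or one whose hit count sits far above the
    baseline formed by all sources (mean + 2 standard deviations, assumed)."""
    per_src = summarize(text)
    hits = [r["hits"] for r in per_src.values()]
    cutoff = mean(hits) + 2 * pstdev(hits) if len(hits) > 1 else float("inf")
    findings = []
    for src in sorted(per_src):
        rec = per_src[src]
        if len(rec["ports"]) >= port_threshold:
            findings.append((src, f"{len(rec['ports'])} distinct ports on {len(rec['hosts'])} hosts"))
        elif rec["hits"] > cutoff:
            findings.append((src, f"{rec['hits']} denies vs baseline {cutoff:.1f}"))
    return findings

if __name__ == "__main__":
    for src, reason in triage(LOG):
        print(f"REVIEW {src}: {reason}")
```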
Automated Processes for AI & ML

While there are a number of areas in which AI and ML can help, these technologies can also streamline or automate repetitive processes that require attention from the IT Security Pro. These automated processes can be worked into an application or as part of a solution:
Summary

While AI and ML are advancing in their skills and capabilities, it is important to remember that these two supporting technologies will help ease the load on overworked and understaffed IT Security Pros. Having an electronic eye on all the various operations that go on in a computer network day in and day out will allow staff to address the issues they should really pay attention to, and not all of the static or background noise. Technology should enable the IT Security Pro to better secure the networks we are responsible for, not take jobs away from human beings.


When developing policies and standards for any company, the question that always comes up with Senior Management is, "how will we manage all of these policies?" This is a question that should be answered prior to starting any compliance project, as various standards have different requirements and the company may have to change its processes to be compliant with them. Whether the company wants to streamline the process or do its own thing, it's important for the IT Security Pro to strike a balance.

Compliance Requirements

Compliance has many facets that the IT Security Pro will have to navigate over the course of their career. Companies of all sizes may decide to pursue a compliance standard, or they may be required to do so by the nature of the business they are in. Whatever the reason, compliance standards will suggest or recommend certain features. This requirement should be clearly communicated to all of the stakeholders in advance. Having an IT Security Program is more than having a few policies that address security-related issues; it's also adhering to the standard and having the specific required documentation in the manner prescribed by that standard.
Whether it is the Information Security Management System (ISMS) prescribed by ISO 27001:2013, a SOC2 Compliance Checklist, or NIST's Cyber Security Framework, each one will have specific requirements for the business to follow in order to be "compliant with the standard".

Designated Compliance Structures

An area of focus that all of the above compliance standards have in common is that there will be a structure for how the new policies or standards are to be managed. While how the company goes about this is left to the standard, the business may have several courses of action in this area. Whether it designates a central document repository or uses some other mechanism, the business should determine this prior to moving forward with any compliance standard.

Policy Development

IT Security standards are notorious for having multiple areas of focus or requirements, with what seem to be multiple documents for the same thing. While this may seem to be the case at the outset, this granularity provides a robust and complex set of requirements for IT staff and security staff to follow. Additionally, these requirements help outline how the policy will be affected when it is implemented by the business. With a list of controls outlined in the standard, these can be correlated into a checklist that allows quick determination of whether a control is in place or missing. Auditors can then quickly and accurately determine whether this is a major finding, or something that allows the business to continue with the audit to determine its compliance with the designated standard. There may be multiple policies or documents that address various aspects of the same policy.

Common Hurdles
Some common hurdles that the IT Security Pro will face when implementing new policies and standards for the business are the following:

• There are too many policies to keep track of.
• Do we really need all these policies?
• Are all these policies and documents required by the standard?
• How detailed do we have to get for an auditor?
• This is too complicated to keep track of.

All of these are common misconceptions about how to manage IT Security policies. Whether the refrain comes from a stakeholder or an employee, it's important for the IT Security Pro to understand that these are roadblocks that will need to be overcome if there is going to be adherence to the defined standard.

Centralized Management

Providing a central location for the management of IT security policies allows these policies to be reviewed and approved on an annual basis (annual review is the current best practice under most IT security standards) and allows for centralized management of these policies. IT security continues to evolve and change based on the number of threats, changes in technology, and governmental regulatory requirements.

Summary

There are many benefits to managing IT security policies from one location, whether it is the management of those policies or keeping them readily accessible for review. In most cases IT Security policies are living documents, and they will need to change and be updated in accordance with current best practices or changes within the business itself. Additionally, having a designated individual role that reviews and updates these policies on a regular basis is a requirement of most current IT Security-related standards. Complying with over a hundred designated controls may seem like a daunting task for a business, but maintaining the policies that address those specific controls across multiple areas of the organization is an even more daunting task, let alone keeping track of them in a coherent manner.
Developing and implementing IT Security policies is an area in which an IT Security Pro may spend a lot of their time over the course of a year, but it is also one of the most rewarding.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.