Securing Software, Data and End Points
- Module 1: Securing Software
Software presents the largest attack surface of nearly every organization’s information systems, and its creation is often poorly managed. The vast majority of software vulnerabilities are accidental but repeat offenses: repeats and reprises of classic design and programming errors, made over and over again by each new generation of programmers. And when they’re not exploiting those kinds of software vulnerabilities, attackers take advantage of poorly maintained, often under-protected software, and thus exploit other operational and procedural vulnerabilities as they travel along their attack vector to their desired targets.
We are not going to do a deep dive into the common weaknesses of software, nor how they get put in by designers and programmers. You won’t need to learn programming or how to read code to help your organization dramatically improve the security of its software or the supply chains that bring that software to the organization’s end users.
- Module 2: Securing Data
Whether you are using the CIA triad, CIANA+PS or any other set of security characteristics as your analysis framework, you’ll find that every one of them faces its stress-test case when applied to databases and data warehouses. This is the “data at rest” part of the three-state model of data; applications and endpoints make up the environment in which we consider data in use, and networks and communications systems are where data is in motion.
Business and organizational data, personal data such as personally identifiable information (PII) or protected health information (PHI), and metadata about all of that data are collected, collated, linked together and stored in databases and data warehouses, whether on-premises, in the cloud or in hybrid architectures. It’s the information in those architectures that requires the right set of protections and controls, if the organization is to meet or exceed its information security, data protection and systems safety needs.
Many different forms of attacks on data happen every day. Ransom attacks encrypt the target’s data while demanding payment to provide the decryption key and tool; this is extortion, a crime everywhere. Other attacks attempt to corrupt existing data or put false data into the system as an act of sabotage or fraud.
Copying of data without disturbing it is theft, and such data breaches, or data exfiltration attacks, can target data that is in simple files, such as poorly protected lists of usernames and related credentials, systems log files or applications data in documents, spreadsheets and other files. Attacks that net millions of stolen copies of customer records, however, have more than likely been targeted against databases and data warehouses. These attack vectors can be categorized in many ways, and the next section will look at the most common.
- Module 3: Identify and Analyze Malicious Code and Activity
The term “malicious code” refers to the many types of malware in use today. People often use the term “virus” incorrectly to cover all types of malware; in fact, a virus is only one form of malware.
Malware is a contraction of the two terms “malicious” and “software.” It is used to describe the various forms of malicious software code that have been written to cause damage or perform unauthorized activity on a system. Malware is not used to describe a software bug or logic flaw in a system, because those were not written to perform unauthorized actions intentionally. There are many forms of malware in use today, and over the years it has evolved as malware authors have had to discover new ways to compromise systems and achieve their goals.
It’s important to differentiate between malware and potentially unwanted programs (PUPs). Many adware and spyware programs are viewed as having legitimate business and organizational uses; in fact, the trade groups that represent advertisers, providers of workplace employee performance monitoring and the vendors of these programs argue that when used legitimately, the organization clearly wants them installed and in use, even if some of its employees are hesitant. This is why many threat intelligence services, anti-malware and security systems vendors and others treat programs with no demonstrably hostile or malicious intent as separate from programs that are clearly hostile by design and use.
Some malware (also called malcode) is overt and obvious, doing extensive damage to systems and data within a short time of its introduction, while other malware is hidden and can lie dormant on a system for months or years undetected, just waiting to respond to a call from the implementer of the malware.
Early versions of malware were either a virus or a worm and often spread by passing floppy disks from person to person (like the Brain computer virus) or by exploiting a network connection (e.g., the Morris worm). The infected floppy disk would contain a boot sector virus that overwrote the boot sector on the hard disk. When the disk was inserted into a system, the system would read the boot sector to determine what data was on the disk and load the virus sitting in the boot sector. With this means of transmission, it took years for such a virus to spread around the world. Other virus types included the macro virus, which exploited the macro language used in some office productivity products, and the various forms of malware that spread as email attachments or through links in an email.
- Module 4: Implement and Operate Endpoint Security
Systems’ security depends on the correct configuration and interaction of many different components. Security must be deployed in a consistent manner across the entire system. This requires careful management of equipment, personnel and communications interfaces. This module will examine how to design, build and manage secure systems and ensure that no gaps are left in the design or operations of a system.
- Module 5: Operate and Secure Virtual Environments
- Module 6: Chapter 4 Review
This chapter has taken you on a wide-ranging journey across the threat surface of your organization’s software, its data, its endpoints and its virtual environments. Along the way you’ve seen some of the challenges that face you as you try to harden systems, procedures and the organization’s people, and to resist the attacks of malware, social engineering, phishing and malformed data.
Cybercrime has become incredibly lucrative; it has also become a very big business ecosystem, in which many layers of toolkit developers, open source intelligence gatherers, exfiltrated data resellers and specialist attack teams support the efforts of advanced persistent threat (APT) teams in their attacks on businesses, schools, universities, hospitals and government services around the world.
Your organization’s information security team cannot outspend the cybercriminals; and while it’s true that you cannot outthink all of them all the time, you really don’t have to. You only have to outthink the ones you have to detect right now, today, as they try to intrude into your systems or otherwise disrupt your IT and OT infrastructures and the business processes that depend upon them.
The bottom line is keeping the data safe, secure and reliable; and that means keeping the software safe and reliable to use, whether it’s running on servers or endpoints, on real iron or in virtualized environments on top of hypervisors. One day at a time.