Thursday, October 09, 2008

7 Information Security Lessons You Can Learn By Watching The Movie JAWS

If your are an information security officer managing risk and incident response processes, I strongly recommend watching the movie Jaws as a case study for learning how human and business factors play in dealing with bad, non expected and non foreseeable negative events, such as in this case, shark attacks, and how risk mitigation decisions are affected by human psychology. The move is a en example on how the human psyche responds to  negative events through stages such as: (1) denial, (2) awareness, (3) responsibility, (4) action. I am not a psychologist but this is my interpretation by just applying common sense: Denial comes from the fact that till we (as people or as business) are not impacted directly by the consequences of a negative event, we most likely minimize risks. Awareness, is driven by the fact that we had experienced a negative impact such as a damage or a financial/asset loss before and so we raised our level of attention as a response to feelings (fear). Responsibility, comes from a feeling of duty or role to deal with the risk and the negative consequences of it, for example, as humans, we might feel responsible to react to protect business, family, friends that depend upon us, our actions and our role in society. The last stage of incident/risk response process is the call for Action.  This it is either triggered by need to prevent further sure loss and damage or because someone else told us to do so. If you watch the movie from this perspective, as a case study for managing the risk of security incidents such as data losses and fraud, you can see clearly all these elements and learn some lessons for dealing with security incidents:
Lesson #1: The first approach toward risk, when not impacting directly a business or an individual, is to either ignore it or minimize it. For example, the movie is about the risk of being killed by a shark attack. In the opening scene of the movie, a shark is seen wandering in the ocean and killing a girl during a skin-dipping swim after a college party. The police, that responded to the incident, finds the remains of the body and needs to file a report. The human remains are a clear indication of a shark attack but the policeman filing the report of the incident is advised to minimize the incident for fear that reporting the incident would have scared off the tourists to come to the town beaches on vacation. How this lesson applies to IS risk? A company had a security incident and customer data was compromised as a result. The attack indicates that an attacker got customer data by breaking into the database through one of the company web sites. The business together with security and fraud decides to file a security incident report that the web site application database that stores customer information has been compromised but minimizes the potential impact since no customer PII (Personal Identifiable Information) has been compromised. The decision is to investigate this further till more information is gathered.

Lesson #2: When the causes of the incident are not found and the fix does not address the root cause, more incidents most likely will occur and get noticed. Since the shark is still alive, it attacks again and makes another victim. At this point, the incident cannot be ignored since it happens in complete daylight with a lot of witnesses. In the mean time, another shark (but not the killer one) is being caught and shown to the public as proof that now the shark responsible for the attacks has been caught and beaches are no-longer at risk. How this applies to IS risk? The company did not found the cause of the exploit/data breach so they had another cyber-attack that exposed customers data to public. Since now the information about the data loss and the vulnerability is public, the company needs to do something to deal with the damaged reputation. The company then decides to release information to the public that no compromise of personal identifiable information was result of the incident and  publicly disclosed that the vulnerability has now been fixed and there is no risk for the customers.

Lesson #3: When new, internally adopted measures do not mitigate the risk of further incidents, you most likely ask for help from the outside, such as by a security matter expert/consulting company. The policeman of the city where the shark attack takes place asks a researcher of the US Oceanic Institute for help on dealing with the shark killing threats. The researcher comes to the town and starts his investigation, he soon realizes that this is a case of a giant tiger type of a shark attack and that the shark that was believed to be the killing one (the shown to public as trophy) is not possible to be the one that made such killings since the teeth of the jaw of the shark and the teeth marks in the scares of the victims did not match. The researcher explains the results of his analysis to the police and the town officials and recommends a call for action for killing the tiger shark. After meeting with the policemen and the major it still decided not to. How applies to IS risk? The company internal security team has identified some security vulnerabilities like SQL injection that possibly were the cause of the breach, these were fixed but the attacks continued to occur so a security consulting company is asked to analyze this further. Security researchers did some security tests (e.g pen tests, vulnerability scans) and concluded that even if some of the identified vulnerabilities can be exploited for the type of the attacks seen like SQL injection, other potential critical security flaws (e.g. weak authorization controls, weak input validation) can be exploitable too but these security flaws might actually require to do a design review to be identified and eventually require to re-engineer the application security controls. The business is still undecided to whether pursuit these recommendations since require more explanation of risk and impact to justify very expensive design changes to the application.

Lesson #4: When the impacts of incidents gets bigger and get notified to senior officials, can be ignored no more and it is decided to act. The shark attacks again and this time even more deadly, the people are now scared and demand prompt action to the major of the city and the policeman to kill the shark. After the major of the city and the police hears the people complains at a public hearing, they decide to finance a mission to kill the tiger shark. How applies to IS risk? Fraudsters break again to the site and this time the financial and reputation losses can no longer be ignored including senior management at the company that now decides to prioritize the effort to mitigate this risk and put resources and spend money to identify the root causes of these attacks and provide risk mitigation solutions.

Lesson #5: The first approach to deal with attacks takes the defensive perspective to detect the negative events and pinpoint the threat sources. The policemen, the shark hunters/fisherman and the Oceanic Society Shark researcher devise different techniques to locate the shark attacks such as by hooking floating detection devices to the fisherman boat, these "sensors" seem to work, for a moment, the killing shark is located and traced and seems to be within reach for a shot. How applies to IS risk? The company installs new Security Incident Event Monitoring (SIEM) and starts to closely monitor the attacks looking at logs and incident events. Once an alert from the SIEM is triggered, it is decided to block the IP address of the most likely source.

Lesson #6: If your deal only with the symptoms instead of the root causes of an incident, the countermeasures can be bypassed by the attacker and the risk is still not mitigated. Despite all the effort put forth to detect the killing shark attacks, the shark outsmarts the fishermen, the oceanographer and the policeman by breaking the hooks where the floating devices where attached and attacks the boat unnoticed. The shark now attacks the boat directly, breaks it and causing it to sink. How this applies to IS incidents? The fraudster learned that incident-event evasion techniques can be used against the application, a SIEM event that pinpoints the source of the IP address to block the traffic, it does not stop the attack since the attacker uses proxies and fast-flux botnet techniques where the source IP is dynamically changed in real time.

Lesson #7: By tackling the causes of the incidents and the sources of the attacks finally the risk of further attacks is mitigated.  The fishermen are now actively engaged in fighting back the shark attacks, during a dramatic wrestling with the shark, the policemen throws the boat gas tank on the shark jaw and then aim to it with a rifle causing the gas tank to explode. How applies to IS risk? After an analysis of the attack scenarios several most probable attack patterns are simulated, the attack surface of the application is identified as well as the possible data entry points for intrusion. The data entry point that is most likely used by the attacker is a web form to initiate a database query transactions to gather customer's demographic information, access to this data entry form and the transaction are temporarily disabled by configuration changes and this prevents the attack to occur. The application logs collected during the attacks are provided to law enforcement. These along with other information collected by the law enforcement, such as the attacker's toolkit/scripts used in the attack, provide enough information to pin point the attacker, take down the IP address and eventually catch the fraudster with a sting operation. Further  security design review of the application identified flaws in the implementation of the transaction for query demographic customer data such as elevation of user privilege through changes of query parameters that were unvalidated by the server. Application design changes are implemented to prevent further attacks such as to strictly enforce role base access controls on the server side with new policy rules, changes to the web form not pass role/permissions parameters in the query. These fixes were implemented with a new patch and access to these transactions was re-enabled for the customers. Finally a disclaimer, the examples mentioned herein are not factual..

No comments: