25.09.2015 | Adrian Bachmann
Prevention, Detection and Response: Why Pure Prevention Is Not (or No Longer) Enough
Viruses, worms, Trojans, phishing, drive-by attacks and social engineering are just a small selection of the possible means of attack used by criminals to carry out profitable attacks on information systems. The professionalization of the criminal side has taken on frightening proportions. It is no longer (just) bored computer nerds in dark basements who hack systems, but rather a flourishing (black) market with sophisticated standard tools for the construction of customized malware [1] through to denial of service attacks as a service. Customer support, service level agreements, performance guarantees and performance-based remuneration models have long been a reality. If the competitor’s web server cannot be taken offline for long enough, the job is repeated - free of charge. Trojans attack computer systems with a success rate guaranteed by the vendor, encrypt all data and demand a ransom from the user to get the data back. If payment is not made, the key material is irrevocably destroyed and access to the data is no longer possible. Sometimes such Trojans lie dormant unnoticed on systems for weeks, so that the last data backup also only contains encrypted data. In many cases, the only options left to victims are to hope that the attacker is honest or to accept the loss of data.
These business models are not entirely new. If we look at the physical world, we discover various parallels and centuries of experience. The same applies when it comes to protecting yourself from such attacks. In both the physical and virtual world, the disciplines of prevention, detection and response are often referred to. These can be well illustrated using the example of a jeweler: Hardened shop window glass and a sophisticated locking system are designed to prevent break-ins (prevention). Should a gang of thieves nevertheless manage to break in, this is detected thanks to sensors and an alarm system (detection) and the police are alerted immediately, who move out and try to catch the gang of thieves before they escape (response). Back in the virtual world, I would like to invite you to think briefly about what measures you have implemented to protect yourself against attacks. You might think of virus scanners, firewalls, strong passwords, up-to-date software and possibly even encryption. However, these are almost exclusively prevention measures - strategic measures designed to prevent an attack. Especially in times of zero-day exploits and tailor-made and sophisticated phishing attacks, however, pure prevention is definitely no longer enough, because there is a possibility that someone has found a master key to our jewelry store without our knowledge and can use it at any time.
In the physical world, we have long since become accustomed to the fact that there are no insurmountable prevention measures and that in many cases only the combination of detection and reaction leads to the desired level of protection. Interestingly, however, this realization has not yet arrived everywhere in the virtual world and we continue to focus mainly on preventive measures. Wikipedia lists in its article “Information security” [2] currently 1 operational security measures. Only two of these measures have a detective character in the overall context. The remaining measures are purely preventative. Admittedly, detection and response measures are usually at a different level of complexity than pure prevention measures. In addition, the identification of suitable detection and response measures requires a more intensive examination of the risk exposure. Nevertheless, in order to achieve an appropriate level of protection, we should also address these issues and ask how successful attacks can be detected and responded to. The focus should be on a suitable combination of measures that can be used to successfully deal not only with classic attacks on the infrastructure from outside, but also with attacks from within or via employees. You will quickly realize that this requires more than just technical measures.
In specialist circles, the discussions and questions go a little further: How should we deal with the fact that an attack may not even be recognized and therefore no response is initiated? Or how can a recovery be carried out as quickly as possible after a missed or failed response - in other words, how can the normal state be restored?
It is time to look at suitable and appropriate measures to protect against attacks on information security.
[1] See e.g. “Einbruch mit Komfort”, c’t issue 18/2015 [2] See https://de.wikipedia.org/wiki/Informationssicherheit
Note: This article was also published in the magazine Alumni Readme.
Cybersecurity Information Security Management System (ISMS)
Adrian Bachmann is an experienced security expert and risk manager. He advises his clients primarily in the key areas of identity and access management (IAM), authentication, federation, risk management and internal control systems (ICS). He is also a recognised security architect.
Adrian Bachmann, Partner, Managing Director