1

We are evaluating the security of the PCs used by people with access to high-value company documents. At the moment they are kept patched and run a virus checker, but we are concerned about zero-day exploits and APTs.

We've already detected spear-phishing emails sent to people high in the organisation.

Is there a way to defend against these attacks short of creating an air gap between the network these documents are on and the internet?

Phil
    As it stands, the answer to this would fill several books. Is there something in particular you're concerned about? – Michael Hampton Jan 28 '14 at 22:40
  • Serious, deliberate attacks are our biggest worry. I've focused the question on that. – Phil Jan 28 '14 at 23:06
  • 1
    Well, you're down to one or two books now... :) I suggest you search our sister site, [security.se] where various aspects of IT security, including advanced persistent threats, are discussed in detail. – Michael Hampton Jan 28 '14 at 23:10
  • 3
    "At best, an air gap is a high-latency connection." - Ed Skoudis at DerbyCon 3.0 (2013) – Evan Anderson Jan 28 '14 at 23:58
  • This question appears to be off-topic because it is about security issues which belong in http://security.stackexchange.com/ – Jenny D Jan 29 '14 at 09:06

1 Answer

7

We've already detected spear-phishing emails sent to people high in the organisation.

Is there a way to defend against these attacks short of creating an air gap between the network these documents are on and the internet?

Spear-phishing suggests to me that you need to focus on defending your PCs from their users, which unfortunately is not a technical problem, it's a people problem. You can harden your technology all you want, but if your high-access users hand over sensitive information (or their credentials) to your attackers, then that's the real issue, and all the technological hardening in the world can't stop that. To that point, the recent leaking of classified materials from the NSA (Snowden) and the Army (Manning) should prove that to anyone paying even the slightest bit of attention.

Even worse, there's no particularly effective defense against having your users hand over those precious pieces of information. "Security education" is completely worthless for the vast majority of users, and only somewhat useful for the other fraction. The only remaining mitigation available is strict compartmentalization of your information so that everyone only knows what they absolutely need to, but this is extremely difficult and expensive to implement and maintain... and isn't always effective either - it just limits the damage.

As the saying goes, security is a process, which is where you need to focus your efforts. Without trying to write a book:

  1. Identify what information deserves special protection.
    • The usual list: passwords, financial account information, trade secrets, etc.
  2. Focus on restricting access to people who need it.
    • By department is the easiest way to go about this.
      • The CFO doesn't need domain admin rights, and the system administrators don't need access to the company's bank accounts.
      • Likewise, neither the CFO nor the system admins need access to the company's trade secrets.
    • By position is a natural extension.
      • This can (and should) be combined with departmental compartmentalization for most effect.
  3. Use processes and procedures to reinforce restricted access and protection.
    • Can be as simple as a written policy against disclosing protected/restricted information.
    • Enforce personal accountability for disclosure
      • Reminding people that they can be fired for screwing this up can be effective.
    • A two-man rule for especially valuable information
      • One person might get fooled, a second person being fooled as well is much less likely.
        • Best example of this is having a second person verify high-value transactions or payments to ensure they're going to the right place.
    • Review your processes and procedures
      • Make sure they make sense, and don't encourage, or mandate insecure behavior.
        • For example, requiring CFO approval for purchases over a certain dollar value, and then having an entry level employee make the purchase with the no-limit AMEX card is a great example of a stupid, insecure process. That may or may not have happened to someone who may or may not be me. Today. sigh
  4. Auditing, and lots of it.
    • Check early, and check often.
    • Basically making sure that your processes are being followed, and trying to catch mistakes before it's too late.
HopelessN00b