If you’re going to take cybersecurity tips from someone, it should probably be from this guy: Tim Hamon, the FBI’s senior forensic examiner at San Diego’s Regional Computer Forensics Laboratory.
With around 70 criminal cyber cases under his belt since 2009, he knows a thing or two about protecting less-tangible assets. And he says it’s neither a technical nor time challenge to do so -- it’s simply a cultural one.
“The takeaway here is that this isn’t really magic, it’s not sorcery,” Hamon said at the IT Summit on Thursday. “This is something that can be done for a fairly minimal amount of work, money and effort to create something like this that really slims your attack profile.”
What are these supposedly simple solutions? Well, to understand the paradigm shift it’s important to understand how many companies and organizations currently deal with cyber threats and what those threats tend to be.
Hamon said the three most common means of infiltration are email attachments and links; bad Internet habits leading to people clicking on said links; and unpatched, vulnerable Web browsers.
He said he’s seen the occasional targeted inclusion hack and insider hostility, but those are far less common than garden-variety threats. To prevent these attacks, most organizations tackle the perimeter.
“See, the conventional model is that we’re going to isolate the perimeter and we’re going to lock down this; we’re going to have firewalls with antivirus and spam filters and all these things at the perimeter — protect the edge,” Hamon said.
Which doesn’t work. The three specific measures he suggests taking instead aren’t commonly used, though he acknowledged that this impression may simply reflect who he deals with.
“Categorically, I don’t see it very often,” Hamon said. “But then again, there’s a strong correlation to the victims that I deal with and the fact that they all have the same conventional network scheme.”
So here’s what the expert says to do if you don’t want to run into him under less-than-ideal circumstances: Create a standalone Internet environment, create zero node-to-node connectivity and use a non-persistent operating system.
A node here means any single device attached to the network, such as an employee’s computer or a server.
A standalone Internet environment essentially means providing all employees with two computers: one for internal work, and one for the public-facing Internet.
This way, if one machine is compromised, the attack most likely ends there, whereas under a traditional network scheme it could hop from one computer to every other computer on the network.
“If I’m infected on this bad boy, I’m not jumping this air gap most likely, some Stuxnet-type things notwithstanding,” Hamon said.
“You’re going to find that if you have an air gap it’s going to be much harder to traverse from an infected client to the other clients.”
Again, this does require at least one additional computer per employee and perhaps additional cabling to separate the two networks, but Hamon said this is a small price to pay compared to having critical information or data compromised.
The second solution, eliminating node-to-node connectivity, also serves to isolate users from each other to prevent a system-wide vulnerability.
“This is a really easy one to do as far as configurations go -- you have the switch, I’ve got two spots here, if we have a switch right here we can actually configure [the computer] to ignore traffic between nodes,” Hamon said. “It’s really easy, because now let’s say somehow this guy does get infected, he’s still going to be able to talk to the server because he has to to do his work stuff, but if you block this bad boy he cannot infect the other nodes in the network because all the traffic is rejected to stop the switch level.”
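The switch-level isolation Hamon describes, written out as an added example that is not from the article or from Hamon: it assumes a Cisco Catalyst access switch, and shows the default configuration (every access port can forward to every other) next to the hardened one, where the client ports are marked as protected ports so they cannot exchange frames with each other but can still reach the server port.

```text
! Default (weak): all access ports in VLAN 10 forward to one another,
! so one infected client can reach every other client directly.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10

! Hardened: the same client ports marked as protected ports.
! Protected ports never forward unicast, multicast or broadcast
! frames to each other; they still forward to unprotected ports.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast

! The server port stays unprotected, so every client can still
! reach the file server it needs for its work (port number assumed).
interface GigabitEthernet1/0/48
 description file server
 switchport mode access
 switchport access vlan 10
```

Confirm the setting took effect with `show interfaces GigabitEthernet1/0/1 switchport`, which should report `Protected: true`. Protected ports only isolate ports on the same switch, so clients in the same VLAN on two different switches can still reach each other unless private VLANs are used across the switches.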
The benefit of the third solution -- a non-persistent operating system -- is that any breach would be eliminated after one day through some type of system reinstallation, whether it be a reset, Deep Freeze (software to protect the integrity of computer workstations by locking the computer configuration), or reboot from a CD on a continual basis.
“A non-persistent operating system, across the outward facing nodes and across the inward facing nodes, means that you have persistence no longer than one day or one reboot,” Hamon said.
He said from his forensics perspective he’s not a big fan of Deep Freeze software, but there’s no denying its security benefits.
The administrator can select which updates and patches to allow, so the systems can still receive Windows updates and normal upgrades, but any attempted change to the original system that is not explicitly permitted by that configuration will be discarded.
In essence, the benefit of taking these steps is that should a node in the system be compromised, it would affect one person for one day maximum, as opposed to easily spreading from one node to all other connected ones if a perimeter-focused strategy is used.
So if the cost of these measures isn’t exorbitant (Hamon estimated it would take only a month of work to complete all three), why don’t more companies follow this blueprint?
There are valid economic reasons (not every organization can afford a second computer for every employee) and workflow concerns (having to burn work from the internal computer onto a CD is a pain), but he said it really comes down to a cultural shift.
“The battle’s not won or lost in the server room,” but in the board room, he said, adding, “A lot of times the problems I’ve seen are either that the whole mahogany row, the C-level people, don’t see the value in this, or that conversely somebody in the position sees value but is overruled by the rest.”
Even once the C-suite is convinced of the importance of these measures, it can still be a challenge to ensure everyone up and down the chain follows protocol.
The CEO choosing to use a personal laptop for business purposes or an entry-level employee using a thumb drive to transfer information to avoid the time wasted by burning a CD defeats the whole purpose.
“You’ve got to get everybody on board,” Hamon said. “It’s a cultural shift, not a technical one, not a logistical one.”