- Published: 08 July 2012
- Written by NStinchcombe
London, UK (04 July 2012) - A security expert and member of professional association ISACA, Professor John Walker, says that the multi-vectored nature of an advanced evasion technique (AET) attack means that organisations need to improve their conventional IT security.
AETs are used to attack networks by combining several known evasion methodologies to create a new technique that is delivered over several layers of a network simultaneously. This allows the attacker to successfully deliver known malicious code without detection.
According to Professor Walker, of the Nottingham-Trent School of Computing, who is also a member of ISACA’s International Guidance and Practices Committee, while some hackers have figured out shell (command line) attack methodologies as part of their AET strategies, the implications are not always bad.
“On some recent security panels discussing and dissecting the AET, the conversations were at a very high level and did not consider the technological implications or the in-depth implications of what an AET can mean in real time,” he says in his latest blog, adding that this particular issue would seem to have been lost.
Professor Walker, who is chief technology officer of Secure Bastion, says the actual attack methodology underlying an AET vector does not matter, once the hacker has gained access to a command line shell prompt.
“Again, I can attest from research, security testing and evaluations, that this is where the real issues can start to appear,” he says, adding that it is not a question of the hackers being smart with their attacks, but more that the targets they choose are particularly vulnerable due to insufficient security.
“In many cases, the first issue that is encountered is excessive privilege associated to systems that have not been locked down. Even today, I am amazed at how many organisations allow their user base, or a large proportion of their user base, to have administrative access,” he says. Once systems have been penetrated, he adds, the attackers may start to poke around, seeking what may be achieved and/or invoked from the command line. PowerShell and Windows Management Instrumentation Command Line (WMIC, wmic:root\cli).
The recommendation here, he says, is not to debate the topic of AETs as if they are the final conversation point, but rather to consider the implications of an AET attack and the protections that should be put in place.
Professor Walker also recommends that the first step in combating AET attacks is to assume they will succeed and develop a security strategy to defend the IT resource from the inside—in the same way that oil super tankers are designed to continue operating, even when one or two of their sealed hull compartments are breached.
Guidance on how enterprises can address these issues is available. ISACA’s recently released COBIT 5 helps business and IT leaders maximize trust in, and value from, their enterprise’s information and technology assets. Building on this, COBIT 5 for Information Security was designed in response to heavy demand for security guidance that integrates other major frameworks and standards. COBIT 5 for Information Security is divided into three major sections: Information Security, Using COBIT 5 Enablers for Implementing Information Security in Practice, and Adapting COBIT 5 for Information Security to the Enterprise Environment. COBIT 5 and COBIT 5 for Information Security are available at www.isaca.org/cobit.
For more information on ISACA, visit http://www.isaca.org.
For Professor Walker’s blog: http://bit.ly/MuCAge
About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT framework. This helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Contacts:
Kristen Kessinger, +1.847.660.5512
Hannah Rafferty, +44 (0) 207 183 2836