Tag Archives: Prevention

Prevention before Detection in Industrial IT

1 May 2017

Currently, I’m working on a paper for safety engineers about cyber security requirements for Safety Instrumented Systems (SIS). For preparation I examined some of the existing publications from other European countries, e.g. the paper ‘Cyber Security for Industrial Automation and Control Systems (IACS)‘ from the British Health and Safety Executive (HSE).

In the chapter ‘Note 5 – Define and Implement Countermeasures’ one reads:

A hierarchical approach should be adopted, for example prioritising implementation of measures such as inherent resilience, and prevention (e.g. physical security controls, authorisation and authentication) over other measures for detection.

That is diametrically opposed the Gartner’s advice ‘Shift Cybersecurity Investment to Detection and Response’. Gartner’s Sid Deshpande said in an interview:

Gartner is now recommending to companies that they shift their security spending to have at least 60 percent of their security budget to be spent on detection and response, up from 10- to-15 percent today.

I think Gartner’s advice needs to be seen in the context of the industry where one works. IT security deals with Confidentiality, Integrity, and Availability (the CIA) issues. Every industry has specific requirements regarding CIA issues. For example, integrity of product and production plays a higher role in pharmaceutical production than in the process industry. This is be shown very well with a spider diagram:


CIA-Diamond. Click to enlarge.

In general, Gartner’s advice is useful where we have a high demand for addressing confidentiality issues. In industries, where integrity plays a major role, the Gartner advice is less useful because you cannot wait until a customer or the FDA detects that a drug has a wrong composition.


CIAS-Diamond. Click to enlarge.

Safety is a game changer. As soon as we face medium or high safety requirements, Gartner’s advice is counterproductive.

Have a great week.

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In article ‘Mitigation strategies for data-wiping malware’ published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect from outside the company network to a server. A trusted admin zone concept will prevent the lateral drift of attackers within the company network once they got access through e.g. a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

A mere detection strategy will fail in the defense of cyber-attacks. Just like a mere prevention strategy.

10 May 2015

Article ‘Falling Off the End of the Cyber Kill Chain’, published by Anup Ghosh, Founder and CEO at Invincea, in the May edition of The Cyber Intelligencer is worth to read and comment.

For years now detection is praised from all cyber defense experts and system vendors as the spearhead in the defense of cyber-attacks. Gartner Security Analyst Neil MacDonald’s puts it succinctly in his tweet: ‘Prevent you may, Detect you must!’

Just set up a SIEM system and record any events from any server, database, firewall, application server, network, etc. With big data methods your data scientist will find every small hint to a cyber-attack from this universe of data, in the best case only some minutes after the attack happened, in the worst case some month later or never. In the meantime the cyber attackers will quietly copy your intellectual property.

A mere detection strategy in the defense of cyber-attacks is doomed to failure, just like a mere prevention strategy.

Just a short example. Let us assume that your Windows 2012 member servers are well protected, with the latest security features configured and the latest patches installed. One of your administrators becomes a victim of a phishing attack. An attacker steals the password for the administrator account of one of your member servers and signs in to the system. He debugs the LSASS process to get access to the password hashes or the plain text password or runs a DLL injection attack against the LSASS process.

Both events are recorded in the event log of the member server. Both events are hints to cyber-attacks and must be directly investigated. But it is very likely that these events are never investigated because no one checks the logs in time.

But if your SIEM system regularly collects the critical events from your member servers the attacks are detected within minutes and proper measures can be taken.

In my opinion a successful defense strategy requires a finely balanced mixture of both detection and prevention. SIEM comes into play when all other protection measures have failed. It should be neither the first nor the sole line of defense.

Take care!