Nettitude Blog

The Logan's Run Effect

Posted by Media marketing on Feb 4, 2016 1:00:41 PM

What is "The Logan's Run Effect"?

It has recently been reported that the Information Commissioner’s Office (ICO) carried out 585 investigations into data breaches within the financial services industry between January and April 2015, a rise of 187%, with the following identified as the most dangerous insider threats:

  • Actions by privileged users – 55%
  • Contractors/service providers – 46%
  • Partners with internal access – 43%

    Figure 1: Dispatch wireframe plan of the city, including architectural detail

The need for effective information security measures must not be underestimated. Log management is one of the countermeasures that can be employed to reduce the risk and improve the chances of detecting malicious activity.

Back in 1976, the big screen movie ‘Logan’s Run’ introduced the audience to a fictional future world set in the year 2274 AD.

"Logan’s Run is set in a future post-apocalyptic, technologically advanced, world where the population is strictly controlled, living within a domed environment and where life is restricted to a mere 30 years. In order to ensure a continually peaceful and harmonic lifestyle, all inhabitants are chipped and their activities robustly monitored."

Today’s World

As we start 2016 AD, 40 years on from the release of Logan’s Run and 258 years before the fictional period in which it is set, we can already see some of its fictional predictions becoming part of everyday life.

Effective Monitoring

Just about every industry information security standard you can think of includes requirements for physical monitoring (Closed Circuit Television (CCTV) and Electronic Automated Access Control Systems (EAACS)) and for technical monitoring such as log management, but how do we make sure that the technologies we buy are employed effectively?

Much like in Logan’s Run, an effective monitoring system needs to be able to provide both ‘reactive’ and ‘proactive’ results.

Achieving Effective Monitoring

Whether in the physical or the technical space, effective monitoring relies on systems that are ‘fit for purpose’: systems that produce targeted, actionable intelligence which can be used to rapidly detect and identify potentially malicious or suspicious activity.

Figure 2: Threat2Alert monitoring centre (www.threat2alert.com)

The biggest failing of most systems is that they ‘tick a box’ for compliance but are largely ineffective because they generate too much noise for anyone to act on.


How to improve our monitoring capability?

Physical 

Both CCTV and EAACS are capable of delivering effective monitoring of ‘tangible’ (physical) activities; however, this depends wholly on how efficiently they are operated. For example:

  • CCTV
    • Reactive - Ensuring that the cameras are adequately protected, are correctly sited and are securely storing suitable imagery, over a sufficient period of time.
      Note: Consider the use of an operational requirement assessment.
    • Proactive – Active or periodic monitoring and analysis of the imagery.
  •  EAACS
    • Reactive - Ensuring that all employees use their issued proximity cards, so that every entry to and exit from each area protected by the system is logged, and that the entry and egress records are securely stored for a sufficient period of time.
    • Proactive - Where single factor proximity cards are in use, it is important to consider the periodic auditing of the entry/egress records, in an attempt to identify the misuse of the system (card sharing, tailgating, etc.)
      Note: A suitable EAACS can also be effectively employed in support of fire musters.
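The proactive audit described above, as an added example that is not part of the original post or of any product Nettitude describes: a short Python script that replays a batch of entry/egress records and flags the two inconsistencies that card sharing and tailgating leave behind, then derives the "who is still on site" list that a fire muster needs. The record layout, the door name and the card IDs are assumptions, and the records themselves are constructed, not a real export.

```python
"""Periodic audit of EAACS entry/egress records for signs of misuse.

Added example, not Nettitude's code. The record layout, door name and card
IDs are assumptions, and the records below are constructed, not a real export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export from a badge system, one tuple per card read:
# (timestamp, card_id, door/zone, direction).  It deliberately contains the
# anomalies a periodic audit should surface.
SAMPLE_RECORDS = [
    ("2016-02-04 08:01:10", "C1001", "server-room", "in"),
    ("2016-02-04 08:45:30", "C1001", "server-room", "out"),
    ("2016-02-04 09:02:15", "C1002", "server-room", "in"),
    ("2016-02-04 09:03:40", "C1002", "server-room", "in"),   # second 'in' with no 'out'
    ("2016-02-04 09:30:05", "C1003", "server-room", "out"),  # 'out' with no prior 'in'
    ("2016-02-04 16:00:00", "C1004", "server-room", "in"),   # never badges out
    ("2016-02-04 17:55:00", "C1002", "server-room", "out"),
]


def _parse(record):
    ts, card, door, direction = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), card, door, direction


def _replay(records):
    """Replay reads in time order, tracking where each card is believed to be.

    Returns (findings, present): findings is a list of
    (timestamp, card_id, door, reason); present maps card -> set of zones
    the card is still inside once all records have been processed.
    """
    present = defaultdict(set)
    findings = []
    for ts, card, door, direction in sorted(_parse(r) for r in records):
        if direction == "in":
            if door in present[card]:
                # Card is already inside: either it was passed back to a
                # colleague (card sharing) or its holder tailgated out earlier.
                findings.append((ts, card, door,
                                 "entry while already inside: card sharing or tailgated exit"))
            present[card].add(door)
        elif direction == "out":
            if door not in present[card]:
                # Leaving a zone the card never entered: the holder tailgated in.
                findings.append((ts, card, door,
                                 "egress without prior entry: tailgated entry"))
            present[card].discard(door)
        else:
            findings.append((ts, card, door, f"unrecognised direction {direction!r}"))
    return findings, present


def audit_badge_records(records):
    """Misuse indicators found in a batch of entry/egress records."""
    return _replay(records)[0]


def cards_inside(records):
    """Cards the system still believes are on site: the fire-muster list."""
    _, present = _replay(records)
    return {card: zones for card, zones in present.items() if zones}


if __name__ == "__main__":
    for ts, card, door, reason in audit_badge_records(SAMPLE_RECORDS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {card} {door}: {reason}")
    print("still inside:", cards_inside(SAMPLE_RECORDS))
```

The rules are deliberately simple: a card cannot enter a zone it is already in, and cannot leave a zone it never entered. Each finding is a prompt for a conversation with the cardholder rather than an automatic sanction, because a reader that missed a swipe produces the same pattern; the point is that nobody sees either pattern unless the records are actually replayed.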

Technical

Log management can provide excellent monitoring capabilities against ‘intangible’ activities, but the benefit gained depends on how carefully the alerting is tuned. OWASP’s Logging Cheat Sheet identifies the following key areas: event data sources, the types of events to log, and the data to include in (and exclude from) each record. The attributes it recommends recording fall under four headings:

  • When
    • Log date and time
    • Interaction identifier
  • Where
    • Application identifier
    • Application address
    • Address and port number, workstation identity, local device identifier
    • Service
    • Geolocation
    • Window/form/page
    • Code location
  • Who (human or machine user)
    • Source address e.g. user's device/machine identifier, user's IP address, cell/RF tower ID, mobile telephone number.
    • User identity (if authenticated or otherwise known) e.g. user database table primary key value, user name, licence number.
  • What
    • Type of event
    • Severity of event
    • Security relevant event flag
    • Description

Data Exclusions

  • Application source codes
  • Session identification values (consider replacing with a hashed value if needed to track session specific events)
  • Access tokens
  • Sensitive personal data and some forms of personally identifiable information (PII)
  • Authentication passwords
  • Database connection strings
  • Encryption keys and other master secrets
  • Bank account or cardholder data
  • Data of a higher security classification than the logging system is allowed to store
  • Commercially-sensitive information
  • Information it is illegal to collect in the relevant jurisdictions
  • Information a user has opted out of collection, or not consented to
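To show how the when/where/who/what attributes and the exclusions above combine in practice, here is an added Python example (not code from the original post, nor from OWASP) that builds a structured security event, replaces the session identifier with a keyed hash so that events can still be correlated, redacts passwords and tokens, and strips card numbers from free text before the record is serialised. The field names, the hashing key and the sample event are assumptions and constructed data.

```python
"""Structured security event record using the OWASP Logging Cheat Sheet's
when/where/who/what attribute groups, with the cheat sheet's data exclusions
enforced before the record leaves the application.

Added example, not code from the original post or from OWASP.  Field names,
the keyed-hash secret and the sample event are assumptions/constructed data.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Assumption: a per-deployment secret.  A keyed hash lets analysts correlate
# events belonging to one session without the raw identifier (which would
# permit session hijacking if the logs leaked) ever being stored.
SESSION_HASH_KEY = b"constructed-example-key-rotate-in-production"

# Keys whose values must never appear in a log record.
REDACT_KEYS = {"password", "passwd", "access_token", "authorization",
               "connection_string", "api_key", "secret"}
# Keys replaced with a keyed hash so that correlation is still possible.
HASH_KEYS = {"session_id", "sessionid", "jsessionid"}
# 13-19 digit runs with optional space/dash separators: cardholder data.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def pseudonymise_session(session_id):
    """Truncated HMAC-SHA256 of the session ID under the deployment key."""
    return hmac.new(SESSION_HASH_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(value):
    """Recursively apply the exclusions to nested dicts, lists and strings."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            k = key.lower()
            if k in REDACT_KEYS:
                out[key] = "[REDACTED]"
            elif k in HASH_KEYS and isinstance(item, str):
                out[key] = "hmac:" + pseudonymise_session(item)
            else:
                out[key] = scrub(item)
        return out
    if isinstance(value, list):
        return [scrub(item) for item in value]
    if isinstance(value, str):
        return PAN_RE.sub("[PAN-REMOVED]", value)
    return value


def build_event(event_type, severity, description, *, app, page, code_location,
                interaction_id, source_ip, user_id, extra=None,
                security_relevant=True, when=None):
    """Assemble one event record grouped by when / where / who / what."""
    when = when or datetime.now(timezone.utc)
    event = {
        "when": {"timestamp": when.isoformat(), "interaction_id": interaction_id},
        "where": {"application": app, "page": page, "code_location": code_location},
        "who": {"source_ip": source_ip, "user_id": user_id},
        "what": {"type": event_type, "severity": severity,
                 "security_relevant": security_relevant, "description": description},
    }
    if extra:
        event["what"]["details"] = extra
    return scrub(event)   # exclusions applied to the whole record, not just 'details'


def to_log_line(event):
    """One JSON object per line, stable key order for downstream parsing."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


# Constructed sample: a failed login where a developer attached request data
# wholesale, including exactly the items the cheat sheet says to exclude.
SAMPLE_EVENT = build_event(
    "authn_failure", "warning", "Login failed for user",
    app="payments-web", page="/login", code_location="auth.views:login",
    interaction_id="req-7f3a", source_ip="203.0.113.7", user_id="u-48213",
    extra={"session_id": "sess-0123456789abcdef", "password": "hunter2",
           "note": "card 4111 1111 1111 1111 was on file"},
    when=datetime(2016, 2, 4, 13, 0, 41, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(to_log_line(SAMPLE_EVENT))
```

Scrubbing is applied to the finished record rather than to the caller's input so that a secret smuggled in through an unexpected field (a nested dict, a list of headers) is caught as well. The keyed hash is truncated because the log only needs a correlation handle, not a value that could be reversed into the session identifier.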

Figure 3: Effective Monitoring

Functionality of a Monitoring System

Although it took place in the physical rather than the technical domain, the Hatton Garden jewellery heist of April 2015 clearly demonstrated how a poorly managed monitoring operation provides an ineffective countermeasure against asset loss.

Was this an effective monitoring system?

  • Reactively – Yes (the follow-up investigation led to the arrest and prosecution of the perpetrators)
  • Proactively – Definitely not!

“Prevention is ideal, but detection is a MUST!”

Summary

Although Logan’s Run is a fictional story written over 40 years ago, it clearly demonstrates the importance of effective monitoring today. Effective monitoring provides an organisation with timely and accurate data analytics, enabling it to identify and react to potential breaches of policy and to malicious or hostile actions, from both the kinetic (external) and non-kinetic (internal) perspectives.

The effectiveness of an organisation’s monitoring operations should be measured by observing how useful the process proves during physical or system-based security incident response testing.

It is far better to know that a monitoring solution is working effectively, during a test, than discovering that it is not, during a real situation, or after a hostile or malicious act that leads to a data breach!

 

To contact Nettitude’s editor, please email media@nettitude.com

 
