I was at a recent cybersecurity presentation and I was very impressed by a short video that was shown. The recent South Carolina cyber theft of 330,000 credit card records and 3.6 million social security numbers from a government department has highlighted how easy it is to be compromised.
Most businesses and organisations spend most of their ICT security budget on outward-facing systems: firewalls, application firewalls, intrusion detection, VPNs and wireless implementations. That is always a good place to start, but it is not the be-all and end-all of your security requirements. These are only technological components. There are other, more important areas where the money needs to be spent.
Going back to the South Carolina theft, this is how it is believed to have been done.
A cleverly engineered social attack is one of the easiest ways to get a user to lower their defences. I did an advanced search on LinkedIn for, say, DBA and bank, and got 404 people. Those people range from banking to government, from high-end corporate environments to one-man bands on lucrative contracts. Depending on their privacy settings I can now drill down into their lives.
I have now developed my targets. To take it to the next step, I do some in-depth research on who or what I am targeting, and this is where I can narrow a role down to a person sitting at a single desk. That is as far as I go because I am not a hacker, but some of the next steps happen in real time.
The next problem is "how do we get this person to infect their computer?" The attacker now crafts a clever email directed at that individual; we are now talking laser targeting. The subject could be "update your DBA credentials", "new course for DBAs" or even "new DBA security certification". Any one of these has a higher than normal probability of getting noticed, read and clicked on. We are no longer talking about badly worded emails with poor grammar, like the Nigerian scams. This is slick, to the point and psychologically designed to make that targeted person take action.
That click, the one the email was crafted to achieve, leads to a cross-site script exploit on either a legitimate website already infected by the attacker, an infected replica of the normal website scraped (copied and re-implemented as a replica) from the original, or a page designed to download the exploit directly.
We are not infected yet; we still need some level of user intervention. Remember I said in a recent post that most people can be stupid, especially when it comes to computers, and computer people are more stupid in this respect than most.
No matter what attack vector they are using, the computer will throw up a Java install window (like the robot from "Lost in Space": 'DANGER, DANGER, WARNING, WARNING Will Robinson'), but most of us will still happily click Install.
At this point, your computer is no longer yours. Whatever credentials you have used to access the corporate network, the bad guys now have. If you are an administrator, then you have totally lost control of the business infrastructure.
The moment you click the install button they quickly download the rest of the payload and, more importantly, the command-and-control components. Most of the time this is about 200 KB and takes a fraction of a second. From there it is only a matter of time before you have lost everything.
I can hear you saying "I am not that stupid" and "why didn't the AV pick it up?" One: yes, most people are that stupid; everyone, including security experts, has been caught by this scam.
The second point is a little harder. Depending on the exploit, if it is a zero-day then you have no chance; if it is a known one then your AV may pick it up. Let me try to explain the antivirus business for you. An average of 60,000 pieces of new malware, spyware, spam, viruses and worms are detected every day. Once discovered, the AV companies change their definitions to detect them. At the moment they are losing, in fact losing substantially. They have even admitted that they are always playing catch-up.
So how do you stop an attack like this? There are three areas where an organisation can ensure that it has a fighting chance.
1. Invest in training your staff – everyone likes a game. To train your staff in good security practices, create a game with rewards and make sure that everyone gets to play.
How about a daily security email at 09:30, where the first correct answer gets a prize? Extend this over a month and the person with the most correct answers gets a bigger prize. Make it fun, but make it helpful. You are looking for ways to inform your staff about securing your business, teaching them security and increasing their awareness.
2. Know what data is critical to your business and your clients – this is huge. The idea of security is to protect your data assets.
To protect your "cheese" you have to know what it is, where it is stored, who needs access to it, who actually has access to it and, most importantly, what it is worth. Once you know that you can start to build your security around that information.
3. Implement an auditing component to protect that data. All businesses need to know when their data is being accessed and by whom; in addition, there should be alerts emailed to management when thresholds are crossed.
In most mid-level and large organisations the administration of the systems is done by a number of people. If all administrators are using the same username and password then you have no way of differentiating between them. In addition, normal work and administration should be separated as much as possible.
Each admin should have an everyday account that they use in their normal business role. This account will have shared files and email like every other user. If admin work is to be done, they use a separate, specially associated account that has the required access. This separation makes it possible to apply auditing that shows who changed what, and a normal user account compromised through a hack or a cracked password will not have the elevated privileges needed to damage your data.
In addition, your auditing should show and track exports of data and who did them. For instance, although a DBA has the ability to look at and download the user list in a database, they should have no reason to do so. If it is done then we need to know about it.
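Here is what the auditing described in point 3 looks like when it is actually run over an audit trail: it flags use of a shared admin login, admin-level work done from an everyday account, and a bulk export of a sensitive table such as the user list. This is an added example written for this page, not code from the original post. The pipe-separated log format, the "_adm" naming convention for admin accounts, the list of shared logins, the sensitive tables and the 10,000-row export threshold are all assumptions; the log lines are constructed.

```python
"""Audit-log triage for the three controls above: one everyday and one admin
account per person, attribution of admin actions, and an alert on bulk exports.
Added example; the log format, naming convention and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Assumed conventions (hypothetical, not from the post):
#  - everyday accounts are plain usernames; admin accounts carry an "_adm" suffix
#  - generic shared admin logins, which defeat attribution, look like these
SHARED_ADMIN_ACCOUNTS = {"sysadmin", "sa", "root"}
PRIVILEGED_ACTIONS = {"ALTER", "GRANT", "DROP", "EXPORT"}
SENSITIVE_OBJECTS = {"users", "customers"}
EXPORT_ROW_THRESHOLD = 10_000  # one export above this many rows triggers an alert

# Constructed sample audit lines in a hypothetical pipe-separated format:
# timestamp | os_user | db_account | client_ip | action | object | rows
SAMPLE_LOG = """\
2024-03-04T09:12:03 | jsmith | jsmith_adm | 10.1.2.3  | SELECT | customers | 12
2024-03-04T09:14:44 | jsmith | jsmith_adm | 10.1.2.3  | EXPORT | users     | 3600000
2024-03-04T09:15:10 | mlee   | sysadmin   | 10.1.2.9  | ALTER  | users     | 0
2024-03-04T09:16:10 | ptan   | sysadmin   | 10.1.2.14 | GRANT  | users     | 0
2024-03-04T09:20:01 | jsmith | jsmith     | 10.1.2.3  | SELECT | orders    | 5
2024-03-04T09:21:30 | jsmith | jsmith     | 10.1.2.3  | UPDATE | users     | 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s*\|\s*(?P<os_user>\S+)\s*\|\s*(?P<db_account>\S+)\s*\|\s*"
    r"(?P<ip>\S+)\s*\|\s*(?P<action>\S+)\s*\|\s*(?P<obj>\S+)\s*\|\s*(?P<rows>\d+)\s*$"
)


def parse_log(text):
    """Parse audit lines into dicts; a malformed line is an error, never silently skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unparseable audit line: {raw!r}")
        ev = m.groupdict()
        ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events


def is_admin_account(name):
    return name.endswith("_adm") or name in SHARED_ADMIN_ACCOUNTS


def audit(events):
    """Return (rule, timestamp, message) findings for the given events."""
    findings = []
    shared_users = defaultdict(set)  # shared login -> OS users seen behind it
    for ev in events:
        acct, action, obj = ev["db_account"], ev["action"], ev["obj"]
        who = f"{ev['os_user']} ({acct}) from {ev['ip']}"
        # Rule 1: any use of a generic shared admin login
        if acct in SHARED_ADMIN_ACCOUNTS:
            shared_users[acct].add(ev["os_user"])
            findings.append(("shared-admin-account", ev["ts"],
                             f"{who} ran {action} on {obj} via a shared login"))
        # Rule 2: admin-level work, or a write to a sensitive table, from an everyday account
        if not is_admin_account(acct) and (
            action in PRIVILEGED_ACTIONS
            or (action != "SELECT" and obj in SENSITIVE_OBJECTS)
        ):
            findings.append(("everyday-account-admin-work", ev["ts"],
                             f"{who} ran {action} on {obj} without an admin account"))
        # Rule 3: bulk export of a sensitive table, the DBA-downloads-the-user-list case
        if action == "EXPORT" and obj in SENSITIVE_OBJECTS and ev["rows"] >= EXPORT_ROW_THRESHOLD:
            findings.append(("bulk-export", ev["ts"],
                             f"{who} exported {ev['rows']} rows from {obj}"))
    # After the pass: a shared login used by several people cannot be attributed to anyone
    for acct, users in shared_users.items():
        if len(users) > 1:
            findings.append(("unattributable-admin-actions", "-",
                             f"{acct} was used by {', '.join(sorted(users))}; "
                             "its actions cannot be tied to one person"))
    return findings


def summarize(findings):
    """Count findings per rule; a management alert would be driven from these counts."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for rule, ts, msg in results:
        print(f"[{rule}] {ts} {msg}")
    print(dict(summarize(results)))
```

On the constructed sample the 3.6 million-row export of `users` by the DBA's admin account is flagged even though the account is entitled to read the table, which is exactly the point made above: ability is not the same as reason. The two engineers sharing `sysadmin` show why a shared password leaves you with no way to tell admins apart, and the `UPDATE` on `users` from an everyday account shows the separation between normal and admin work being bypassed.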
So there you have it. Just remember that "PARANOID" is one of the best forms of defence. Use it to your advantage: if you think that everyone is after your business data then you are probably correct.