Despite popular belief, hackers do not tend to don balaclavas or ensure their tie is straight before they begin their silent attacks on our infrastructures, however we do seem to associate this ‘bank robber-esque’ image with the activity of hacking and IT security.
In today’s world, security is a way of life for all of us, you only have to go to the airport and you will be reminded of how serious it can get. For technologists the securing of data is no doubt ‘business as usual’, but as we evolve more complex methods to present our services and allow users to interact with them, the greater the risk becomes.
How secure is secure?
Securing your infrastructure can take considerable effort, and getting the correct level of security in place, at the right level, is key. It is easy to over-engineer a solution that may impact the entire user experience. On the other hand, a poorly designed solution will require greater effort at the other end in maintaining and monitoring, and may even result in sleepless nights…
When designing an approach, infrastructure, application and the data layer must be viewed as a whole, or you may secure one layer but leave another open to attack. Some questions to consider, do you want to use a DMZ (“demilitarized zone”) and open ports on your internal Firewall for every service required? Or do you want to simply keep everything on the internal side so as not to turn your Firewall into ‘Swiss cheese?’. Then there is the CMZ (“Classified Militarized Zone”) which, by choice, contains your sensitive data and is monitored to an extreme degree to ensure it is protected at all costs. When presenting data do you use a staging database in a different subnet to limit the chance of a direct connection to your back-end data layer? Will you consider emerging proactive database monitoring tools such as Fortinet’s FortiDB?
Of course, your approach will depend on the services you are exposing and every vendor will have a different set of options for you to choose from.
The annual security review and PenTest, while still important, is now giving way to more ‘live’ security reporting and analysis to provide you with assurance that your data is safe. Many security vendors now offer proactive monitoring of your external services to ensure that known exploits have not accidentally been opened up by trigger happy Firewall administrators.
Some simple good practise can make a real difference, such as ensuring your have multi-vendor firewalls separating your networks. This may seem like an expensive luxury at first but It means that any would-be attacker has two highly complex firewall technologies to overcome instead of just one. It also means that in the rare case a vendor’s firewall has a known weakness it is unlikely that the second vendor will have the same exploit, reducing the chances of an attackers success.
Ensuring your systems are patched to current levels is also an essential activity in the battle against the hacker.
But let’s not just limit this to technology itself, ‘change control’, as a process, is an important defensive weapon against ‘human error’ that might otherwise cost you dearly. Knowing what needs to be changed, gaining approval, planning who will do the work and when, along with ensuring a full impact assessment is carried out, will save you a lot of pain later on.
Who are these bad guys?
So who are your would-be attackers? Well they can take many different forms from hobbyists or students experimenting with port scanners and looking to see if there are any ports open on your firewall to the more savvy hacker who knows how to handle SQL injection scripts. Some do it for fun, others do it for kudos but the serious hackers are often linked to organised crime and even cyber terrorism. Serious money can change hands for data that has been pillaged.
In most cases the attack vector will be your database. This is where an attacker can collect personal details about your customers, harvest passwords and login details, collect credit card data, or even worse, medical history and other ‘sensitive’ data. While these data assets may be hashed and salted using complex encryption techniques the reality faced is that many organisations suffer immense reputational damage having to admit publicly that the data was stolen in the first place even if there is no chance the data could be unencrypted.
Attacks from within, by members of staff, are also now common place. Take the recent account of Aviva where two members of staff acquired data on customers recent insurance claims and sold it to claims management companies.
It’s also wise to not assume that a hacker will always attack from the perimeter of your network from an obscure eastern country. Keeping the front door locked but leaving the back door open can be a perfect way for a determined hacker to gain access. Local attacks are as much a risk as remote attacks…
The Tiger hunts…
For example if a hacker know’s where your office is located (Let’s be honest, Google will show them the front door!) he may attempt to access your premises as the air-conditioning or printer repair man. Of course he’s not on the list of expected visitors, so off reception go to find out the score from facilities management leaving the reception desk unattended. Our hacker printer repair man pulls out a WiFi router and loops it to the back of the reception PC and hides it behind the desk. The receptionist returns and informs our hacker printer repair man, that no repairs are scheduled… “It must be a mix up at HQ” he says and politely leaves. He now heads for his car and connects over WiFi to the router he has just planted, he now has access to your LAN and the attack begins… This activity is often done by ‘Ethical Hackers’ who are paid by companies to find weaknesses in their security processes and is known as a ‘Tiger Attack’. It could however be a real event if your data is valuable enough to an organised crime syndicate or someone who wants to damage your companies reputation.
Sadly, the weakest link in data security is almost always the Human. Socially engineered attacks are the first weapon in the arsenal of the hacker. With it they can pose as your local Service Desk team and email unsuspecting staff of an ‘urgent security breech’ that requires them to change their password immediately. Your staff are super trained in security and data protection, the email has the company logo and looks genuine, so the security conscious staff member clicks on the link to change their password. Once complete the member of staff feels proud that they have dutifully followed the security advice and probably begins encouraging the rest of the team to do the same… Little do they know they have just typed their username and password into a fake (phishing) website page where our hacker will harvest and use the details entered to access services like Outlook Web Access in order to read sensitive emails, or a VPN service to gain remote access to the network.
However, since we always use different passwords for all our internet accounts there is absolutely no chance that our hacker might use the same harvested details to access our personal eBay, PayPal or other financially related site… right?
My account(s) is/are secure!
One of the best examples of how determined hackers can be using your login details is the account of Mat Honan who works as a writer for Wired.com, it’s a cautionary tale that all should read. In this example the hacker actually used multiple account/password recovery methods to ultimately gain access to Mat’s Twitter account, along the way they left a trail of digital devastation… One thing it highlights is the risk posed by login and recovery processes not following a standard.
So there you have it, how secure do you feel right now? I write this particular article not to fill you with dread or fear, but just to trigger some ‘common sense’ thinking around how you protect both your organisations and your personal on-line security and ultimately defend yourself from those pesky bad guys who all wear balaclavas and nice ties…