
Why SMBs need to pentest their networks and websites

Posted by on May 29, 2014.

In November 2013 a national bank was notified by a third party that some of its customer data was being circulated on the internet. The bank had strong perimeter defences, had no knowledge of a breach and could find no indication that one had happened. It called in a forensics team to investigate.

After two days the investigators found a single web input field whose value was passed into a SQL query without proper validation, a SQL injection flaw, and concluded that this had been the initial point of intrusion and was still being used by the attackers. Before that discovery, over a period of 10 weeks, the attackers had entered, reconnoitred and exfiltrated data completely undetected. This is not unusual.

In this instance the attackers used an automated SQL injection tool, Havij, just one of many such tools, to find and exploit the flaw. Automated attack tools, many as polished as mainstream desktop software, are an increasing trend: they give average attackers the capabilities of an expert.
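The flaw described above, a user-supplied value concatenated straight into a SQL statement, is what point-and-click tools such as Havij look for. The following is an added example, not code from the article or from the bank involved: a constructed customer table in an in-memory SQLite database, a lookup written the vulnerable way beside the same lookup written with parameter binding, and the two payloads an automated tool typically sends first (a stray quote to provoke a database error, then a tautology and a UNION to pull data out). The table, column names and payload strings are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    con.commit()
    return con


def lookup_vulnerable(con, username):
    """The flaw: the attacker-controlled value becomes part of the SQL text."""
    sql = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    """The fix: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Payloads of the kind an automated scanner sends (assumed, for illustration).
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = (
    "x' UNION SELECT 0, name, sql FROM sqlite_master WHERE type='table' -- "
)


def probe_for_injection(lookup, con):
    """First step of a scanner: submit a lone quote and see whether the
    database, rather than the application, rejects the input.  A database
    error on a stray quote is the classic sign that input reaches the parser."""
    try:
        lookup(con, "x'")
        return False
    except sqlite3.Error:
        return True


def demo():
    """Run both payloads through both lookups and return what each yields."""
    con = make_db()
    return {
        "vuln_probe": probe_for_injection(lookup_vulnerable, con),
        "safe_probe": probe_for_injection(lookup_safe, con),
        # Tautology: vulnerable query returns every row, safe query returns none.
        "vuln_tautology": lookup_vulnerable(con, PAYLOAD_TAUTOLOGY),
        "safe_tautology": lookup_safe(con, PAYLOAD_TAUTOLOGY),
        # UNION: vulnerable query leaks the schema from sqlite_master.
        "vuln_union": lookup_vulnerable(con, PAYLOAD_UNION),
        "safe_union": lookup_safe(con, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for an SMB is the asymmetry: the vulnerable and safe functions are the same length and look equally reasonable to a developer, but only a test that actually sends hostile input (the probe above, or a tool that automates it) tells them apart. That is what a pentest does and a compliance checklist does not.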

Also in November 2013, Target was breached and some 40 million payment card records were stolen. In the Target case the intrusion most probably began with legitimate but stolen logon credentials. Yet Target had been audited as compliant with PCI DSS only two months earlier, and was still breached. It is likely that, having passed a security standard, the company believed it was secure.

What we can learn from these two cases is that neither check-box security audits nor traditional perimeter defences are good enough, on their own, to protect you.

Target and the bank are both big companies, and the majority of published breaches involve other big companies. That, however, is because there are so many breaches that only the major ones get reported. Small companies are breached even more frequently, but with less publicity. Because of that lower publicity, SMBs often believe they are not, and will not be, attacked.

This is completely wrong. SMBs are a prime target for attackers, and many who read this will unknowingly already have been breached. SMBs are attacked to provide a launchpad into larger companies they supply (as in the Target case); to be enrolled in a botnet that provides additional firepower for DDoS attacks or spam runs; to host child abuse material on orphaned web pages that can only be reached directly by those who know the specific URL; to steal intellectual property for competitive advantage; and for political activism.

But if national banks and major retailers, which expect to be attacked, cannot defend themselves, and if audits against major international security standards cannot detect security weaknesses, what hope has the SMB that does not even realise it is a target?

Frankly, none. According to Frost & Sullivan, 4 out of 5 websites are vulnerable to attack, while WhiteHat Security puts it slightly higher: "86% of all websites have at least one serious vulnerability." So SMBs that are targeted will be breached, regardless of their security defences, unless they can find the vulnerabilities that attackers seek and close them before they are used.

This requires a change of approach to security: instead of passively defending, SMBs need to think like an active attacker. This is best done by an actual hacker, an ethical hacker, who will probe your network and websites for the same vulnerabilities that black-hat hackers use to get in. The problem for SMBs is that the services of a good ethical hacker are expensive, and the temptation is to do nothing.


Submitted in: Expert Views, Kevin Townsend's opinions