Protect your data from bad guys

Despite popular belief, hackers don’t tend to put on ski masks or make sure their tie is straight before beginning their silent attacks on our infrastructure; however, we seem to associate this “bank robber” image with hacking and computer security activity.

In today’s world, security is a way of life for all of us; all you have to do is go to the airport and you will be reminded how serious it can be. For technologists, data security is certainly ‘business as usual’, but the more complex our methods of delivering services and allowing users to interact with them become, the greater the risk.

How safe is safe?

Securing your infrastructure can require considerable effort, and getting the right level of security, at the right level, is key. It’s easy to overdesign a solution that can affect the entire user experience. On the other hand, a poorly designed solution will require more effort at the other end in maintenance and monitoring, and may even result in sleepless nights…

When designing an approach, the infrastructure, application, and data layers must be viewed as a whole, or you can protect one layer but leave another open to attack. Some questions to consider: do you want to use a DMZ (“demilitarized zone”) and open ports on your internal firewall for each required service? Or do you just want to keep everything on the inside so you don’t turn your firewall into ‘Swiss cheese’? Then there is the CMZ (“Classified Militarized Zone”) which, by choice, contains your sensitive data and is monitored to an extreme degree to ensure it is protected at all costs. When presenting data, do you use a staging database on a different subnet to limit the possibility of a direct connection to your back-end data layer? Will you consider emerging proactive database monitoring tools like Fortinet’s FortiDB?

Of course, your approach will depend on the services you’re exposing, and each provider will have a different set of options for you to choose from.

Good practice

The annual security review and PenTest, while still important, is now giving way to more “live” security reporting and analysis to give you reassurance that your data is safe. Many security vendors now offer proactive monitoring of their external services to ensure that firewall administrators have not accidentally opened known vulnerabilities.

Some simple best practices can make a real difference, like making sure you have multi-vendor firewalls separating your networks. This may seem like an expensive luxury at first, but it means that any would-be attacker has to overcome two highly complex firewall technologies instead of just one. It also means that in the rare case that one vendor’s firewall has a known weakness, the second vendor is unlikely to have the same vulnerability, reducing attackers’ chances of success.

Making sure your systems are patched to current levels is also an essential activity in the battle against hackers.

But let’s not limit this to just the technology itself: ‘change control’, as a process, is an important defensive weapon against ‘human error’ that could otherwise cost you dearly. Knowing what needs to be changed, getting approval, planning who will do the work and when, and ensuring a full impact assessment is carried out will save you a lot of headaches down the road.

Who are these bad guys?

So who are your potential attackers? Well, they can take many different forms, from hobbyists or students experimenting with port scanners looking to see if there are any ports open on your firewall to the savviest hacker who knows how to handle SQL injection scripts. Some do it for fun, others do it for prestige, but serious hackers are often linked to organized crime and even cyberterrorism. Serious money can change hands for data that has been looted.

In most cases, the attack vector will be your database. This is where an attacker can collect personal information about your customers, harvest passwords and login details, collect credit card data, or worse, medical history and other “sensitive” data. While these data assets can be protected using complex encryption techniques, the reality is that many organizations suffer enormous reputational damage by having to publicly admit that the data was stolen in the first place, even if the stolen data was encrypted.

Attacks from within, by staff members, are also now commonplace. Take the recent account from Aviva, where two staff members acquired data on recent customer insurance claims and sold it to claims management companies.

It’s also wise not to assume that a hacker will always attack from the perimeter of your network from some dark eastern country. Keeping the front door closed but leaving the back door open can be a perfect way for a determined hacker to gain access. Local attacks are just as risky as remote attacks…

The tiger hunts…

For example, if a hacker knows where your office is located (let’s be honest, Google will show them the front door!) they may try to get into your premises posing as a printer or air conditioning repairman. Of course, they are not on the list of expected visitors, so the receptionist goes off to find out the score from facilities management, leaving the reception desk unattended. Our printer-repair hacker takes out a WiFi router, plugs it into the back of the reception PC and hides it behind the desk. The receptionist returns and informs our printer-repair hacker that there are no scheduled repairs… “Must be a mix-up at headquarters,” the hacker says, and politely leaves. The hacker now goes to their car and connects via WiFi to the router they just put in; they now have access to your LAN and the attack begins… This activity is often carried out by ‘Ethical Hackers’, who are paid by companies to find weaknesses in their security processes, and is known as a ‘Tiger Attack’. However, it could be a real event if your data is valuable enough to an organized crime syndicate or someone who wants to damage your company’s reputation.

Unfortunately, the weakest link in data security is almost always the human being. Social engineering attacks are the first weapon in the hacker’s arsenal. With them, attackers can impersonate your local Service Desk team and email unsuspecting staff about an “urgent security breach” requiring them to change their password immediately. Your staff are super knowledgeable in security and data protection, the email has the company logo on it and looks genuine, so the security-conscious staff member clicks the link to change their password. Once completed, the staff member feels proud that they diligently followed the security tips and probably begins to encourage the rest of the team to do the same… Little do they know that they have just typed their username and password into a fake (phishing) web page, where our hacker will collect the entered details and use them to access services like Outlook Web Access to read sensitive emails, or a VPN service to gain remote network access.

However, since we always use different passwords for all our internet accounts, there is absolutely no chance that our hacker could use the same collected data to access our personal eBay, PayPal or other finance-related site… Right?

My account(s) is(are) secure!

One of the best examples of how hackers can use your login details is the account of Mat Honan, who works as a writer for Wired.com; it is a cautionary tale everyone should read. In this example, the hacker used various account/password recovery methods to finally gain access to Mat’s Twitter account, leaving a trail of digital devastation along the way… One thing that stands out is the risk posed by logon and recovery processes that do not follow a standard.

So there you have it. How confident do you feel right now? I write this particular article not to fill you with dread or fear, but just to trigger some ‘common sense’ thinking about how to protect both your organization’s and your personal security online, and ultimately defend yourself against those pesky bad guys who wear balaclavas and nice ties…

ITwaffle.com Copyright © 2014 Gareth Baxendale
