Sunday, 8 June 2014
You’re so hacked, you don’t even know it!
The standard information security management doctrine is to consider the internal IT infrastructure as a secure trusted zone, free from any malicious third party compromise. But the reality is different, as network intrusions, malware infections, data thefts and other malicious activities are not being detected within most UK business networks. According to the Cisco 2014 Annual Security Report, 100% of business networks analyzed by Cisco, have traffic going to websites that host malware.
Sophisticated and expensive security monitoring may well be implemented to detect malicious activity, but in my experience, monitoring and alerting systems are often poorly configured and not correctly base-lined. This results in the security staff being bombarded with a steady stream of false positive alerts, which completely hampers their ability to spot actual attacks. Security monitoring can also lure the business into a false sense of security, take File Integrity Monitoring (FIM), an excellent tool for detecting malware on IT systems, that is unless the malware operates in RAM, and uses unmonitored temporary files, in which case FIM is never going to detected it. Anti-virus (AV) is a security staple for detecting and preventing malware within nearly all businesses. But anti-virus protection has become an endless losing game of cat and mouse, with AV companies analysing over 150,000 pieces of new malware every day, they are struggling to keep pace. While expert hackers that specifically target businesses, will take the time to customise and fully test their tools and malware, to ensure AV and monitoring systems do not detect their malicious activities.
Security Monitoring Alerts - Can't see the wood for the trees
Many of the recent high profile data breaches, have involved hackers going unnoticed and freely operating inside company networks for months on end. Networks which were assumed to be secure.
For instance Target’s IT systems were first compromised by hackers on 12th November 2013. The intruders were able to test their credit card stealing malware on a selection of Target’s Point-of-Sale (POS) systems for several days, before deploying their malware onto POS systems within all of Target’s 1800 stores, just in time for the busy black Friday shopping weekend. Over the next few weeks the hackers stole 40 million credit card details and 70 million records of customer information, a whole month passed before the breach was eventually detected. The breach wasn’t spotted by Target either, they were informed by the US Department of Justice, after several banks had noticed a massive spike in fraud involving over a million credit cards. All the credit cards used in these fraudulent transactions had one thing in common; they all had been used for purchases at Target stores.
The subsequent forensic investigation of Target, discovered the hacker’s intrusion was detected and logged from the 12th November onwards, however Target’s staff failed to notice and react to their security monitoring system’s alerts. This failure in detection and response is exactly what any hacker stealing information desires. In the case of the Target data theft, the hackers are racing against a ticking clock to monetize the stolen credit card data as much as possible, before the banks learn of the compromise. As soon as the banks establish credit cards have been compromised, they cancel and re-issue the stolen credit cards, which significantly devalues the credit card data stolen.
Target’s failure to spot the breach has cost them dear, if the breach was detected earlier, the amount of data stolen would be far more limited, meaning fines, which are based on the cost incurred to replace the stolen cards, would have been much less. But as it stands, Target has already spent $61 million in dealing with the breach, with another $100 million planned. This has resulted in Target’s like-for-like fourth quarter profits for 2013, to be massively down, along with their share-price. When data breaches of this scale and calamity significantly hit the business bottom line, the buck stops with those ultimately responsible in the boardroom. Inevitably in Target’s case heads rolled, not only did this breach cost the CISO his job, but it led to the CEO being fired as well.
The same story of failing to detect malicious activity rings true with many of the other recent big data breaches. A massive 145 million eBay customer account records were stolen by hackers in February 2014, it was almost 3 months before eBay discovered the breach. 158 million records was stolen from Adobe in September 2013, a whole month had passed before Adobe discovered this huge data loss, but only after hackers had posted all their stolen data online.
There are many UK businesses right now, regardless of their size, industry and security posture, have compromised IT systems and data losses going unnoticed. Right now there are dark websites, forums and chat rooms where global cyber criminals are trading access to, and use of, UK business IT systems.
The lesson is to never to assume the internal networks are secure, in fact the real lesson is to always assume the opposite. Thinking in this way takes you down the road of a more proactive form of information security management. For instance adopting more proactive security techniques like cyber intelligence, by finding out what hackers already know about your organisation, what they might be planning, and then counteracting, can help nip potential serious security incidents in the bud.
The cyber threat landscape is growing at an alarming rate, fuelled by the continued business adoption of mobility and cloud services. These increasing attack surfaces present the hackers with a new world of opportunities to steal information for self-profit. Information technological change presents new challenges for cyber security, a more proactive approach is required to keep up with the highly agile cyber criminals.
The post is brought to you by Cisco