The standard information security management doctrine is to treat the
internal IT infrastructure as a secure, trusted zone, free from any malicious
third-party compromise. The reality is different: network intrusions, malware
infections, data theft and other malicious activity are going undetected within
most UK business networks. According to the Cisco 2014 Annual Security Report,
100% of the business networks analysed by Cisco had traffic going to websites
that host malware.
Sophisticated and expensive security monitoring may well be implemented to
detect malicious activity, but in my experience monitoring and alerting systems
are often poorly configured and not correctly baselined. The result is security
staff bombarded with a steady stream of false positive alerts, which severely
hampers their ability to spot actual attacks. Security monitoring can also lure
the business into a false sense of security. Take File Integrity Monitoring
(FIM), an excellent tool for detecting malware on IT systems, unless the malware
operates in RAM and only touches unmonitored temporary files, in which case FIM
will never detect it, because it only reports changes to the files it has been
configured to watch. Anti-virus (AV) is a security staple for detecting and
preventing malware in nearly all businesses, but AV protection has become an
endless, losing game of cat and mouse: with AV companies analysing over 150,000
pieces of new malware every day, they are struggling to keep pace. Meanwhile,
expert hackers that specifically target businesses will take the time to
customise and fully test their tools and malware to ensure AV and monitoring
systems do not detect their malicious activities.
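To make the FIM blind spot concrete, here is a minimal file-integrity check written for this post as an added example (it is not code from the original article or from any FIM product). It baselines SHA-256 hashes over a monitored directory, re-scans to report added, removed and modified files, and then runs a constructed scenario: tampering with a monitored file is reported, while a tool staged in a directory outside the monitored tree (standing in for an unmonitored temp location) never appears in the report. Purely in-memory execution cannot be shown with a file hasher at all, which is the other half of the blind spot. All paths and file contents are constructed for the demonstration.

```python
"""Minimal FIM illustration (added example, not from the original post).

Baseline a directory tree by hashing every regular file, re-scan to find
changes, and show that anything written outside the monitored tree (an
unmonitored temp directory here) is invisible to the check.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    snapshot = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = hash_file(full)
    return snapshot


def diff(old, new):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def demo():
    """Constructed scenario: a monitored config dir beside an unmonitored tmp dir."""
    with tempfile.TemporaryDirectory() as work:
        monitored = os.path.join(work, "monitored")   # covered by the FIM policy
        unmonitored = os.path.join(work, "tmp")        # deliberately NOT covered
        os.makedirs(monitored)
        os.makedirs(unmonitored)
        with open(os.path.join(monitored, "config.txt"), "w") as f:
            f.write("setting=1\n")
        base = baseline(monitored)

        # Attacker action 1: tamper with a monitored file -> reported on re-scan.
        with open(os.path.join(monitored, "config.txt"), "a") as f:
            f.write("backdoor=1\n")
        # Attacker action 2: stage a tool in the unmonitored temp dir -> never
        # hashed, never reported. Constructed placeholder bytes, not real malware.
        with open(os.path.join(unmonitored, "dropper.bin"), "wb") as f:
            f.write(b"\x90" * 16)

        added, removed, modified = diff(base, baseline(monitored))
        return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    # Only config.txt shows up; dropper.bin is outside the monitored tree.
    print(demo())
```

The practical check this suggests: review what the FIM policy actually covers (world-writable temp directories, user profile paths and process memory are usually outside it) and pair FIM with controls that see process execution and memory, rather than treating a quiet FIM console as proof of a clean host.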
Security Monitoring Alerts - Can't see the wood for the trees
Many of the recent high-profile data breaches have involved hackers going
unnoticed and operating freely inside company networks for months on end,
networks which were assumed to be secure.
For instance, Target’s IT systems were first compromised by hackers on 12th
November 2013. The intruders were able to test their credit card stealing
malware on a selection of Target’s Point-of-Sale (POS) systems for several days
before deploying it onto POS systems in all of Target’s roughly 1,800 stores,
just in time for the busy Black Friday shopping weekend. Over the next few weeks
the hackers stole 40 million credit card details and 70 million records of
customer information; a whole month passed before the breach was eventually
detected. It wasn’t spotted by Target either: they were informed by the US
Department of Justice after several banks had noticed a massive spike in fraud
involving over a million credit cards. All the cards used in these fraudulent
transactions had one thing in common; they had all been used for purchases at
Target stores.
The subsequent forensic investigation discovered that the intrusion had been
detected and logged by Target’s security monitoring systems well before the
breach was reported to them, but Target’s staff failed to notice and react to
the alerts. This failure in detection and response is exactly what any hacker
stealing information desires. In the case of the Target data theft, the hackers
were racing against a ticking clock to monetise as much of the stolen credit
card data as possible before the banks learned of the compromise. As soon as
the banks establish that cards have been compromised, they cancel and re-issue
them, which significantly devalues the stolen card data.
Target’s failure to spot the breach has cost them dear. Had the breach been
detected earlier, the amount of data stolen would have been far more limited,
meaning the fines, which are based on the cost incurred replacing the stolen
cards, would have been much lower. As it stands, Target has already spent $61
million dealing with the breach, with another $100 million planned. As a result
Target’s like-for-like fourth quarter profit for 2013 was massively down, along
with its share price. When data breaches of this scale and calamity
significantly hit the business bottom line, the buck stops with those
ultimately responsible in the boardroom. Inevitably, in Target’s case heads
rolled: the breach cost the CIO her job, and it led to the departure of the CEO
as well.
The same story of failing to detect malicious activity rings true for many of
the other recent big data breaches. A massive 145 million eBay customer account
records were stolen by hackers in February 2014, and it was almost three months
before eBay discovered the breach. 158 million records were stolen from Adobe
in September 2013; a whole month passed before Adobe discovered this huge data
loss, and only after the hackers had posted the stolen data online.
Right now there are many UK businesses, regardless of their size, industry and
security posture, with compromised IT systems and data losses going unnoticed.
Right now there are dark websites, forums and chat rooms where global cyber
criminals trade access to, and use of, UK business IT systems.
The lesson is never to assume the internal network is secure; in fact the real
lesson is to always assume the opposite. Thinking this way takes you down the
road of a more proactive form of information security management, for instance
adopting proactive techniques such as cyber intelligence: finding out what
hackers already know about your organisation and what they might be planning,
and then counteracting it, can help nip serious security incidents in the bud.
The cyber threat landscape is growing at an alarming rate, fuelled by the
continued business adoption of mobility and cloud services. These expanding
attack surfaces present hackers with a new world of opportunities to steal
information for profit. Technological change presents new challenges for cyber
security, and a more proactive approach is required to keep up with highly
agile cyber criminals.
This post is brought to you by Cisco.
Interesting insights into the timelines of breaches; agree most companies don't know they have been hacked!
Thanks for sharing this blog & don't know they have been hacked!
http://www.sifsindia.com/cyber_forensic_investigation.html