BreachExchange mailing list archives
Cyber attack: preparing for the inevitable
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Nov 2015 17:50:07 -0700
http://www.theinformationdaily.com/2015/11/23/cyber-attack-preparing-for-the-inevitable

In 2014, 81 percent of organisations in the UK reported a cyber-security breach. So far this year, 40 percent of public sector organisations alone have been hit by a cyber-attack. On average, these attacks and breaches cost between £600,000 and £1.15 million for larger organisations and £65,000 to £115,000 for smaller ones. That’s a hefty price to pay for not being vigilant.

It’s important to understand that everyone is at risk. It’s not a matter of if, it’s a matter of when. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber-attack. So, here’s the lowdown on cyber-crime and some of the measures you can put in place to make sure you’re not part of the statistic.

Cyber-crime – the basics

The internet has given us many wonderful things, not least of which is the ability to easily, openly and anonymously share information with each other. What this means for cyber-crime is two-fold. It provides a mechanism for people to discuss, document and share the approaches, tools and techniques needed to perpetrate it, as well as the open and anonymous market needed to monetise the returns from it.

Why are you at risk?

It’s all down to the barrier to entry being so low. 20 years ago, if you wanted to hack a bank to make millions it took some serious effort and a whole lot of technical skill. Now it just takes an email, and you don’t even have to target the bank. All you need to do is send an email to a few million people asking them to change their password, or to look at an invoice attached to the email, or any number of other easy-to-achieve ruses. More importantly, not only is the approach quite simple, but the tools, techniques and approaches are very well documented, and you can even purchase “Hacking-as-a-Service” to get someone else to do it for you for a fee.

How do cyber-criminals get in?
Most attacks against organisations follow a simple flow of activities, although the specific attacks used can be anything. It all starts with some basic reconnaissance and probing. They start by scanning all of your systems and services on the perimeter of your organisation, looking for weaknesses they can exploit. They also start to leverage public sources of data to learn all they can about your organisation, such as staff names, sector issues and anything else that might be useful. If they find an obvious vulnerability in something like your website or a mail server, then this will be exploited to get a foothold in the organisation. From there, they can use the device or service to “pivot” through your perimeter into the organisation’s internal networks and systems.

If that doesn’t get them in, then it’s over to trusty social engineering. Typically this starts with an email, just because it’s easy and effective. The ‘bad guy’ constructs a suitable scenario that will leverage social and psychological techniques to encourage you to open it and either hand over your sensitive details or run a program they want you to run for them. If the email doesn’t work, then it’s over to the phones, where they’ll leverage what they’ve learnt so far to start having conversations with people inside the organisation, each time learning more sensitive information. Once they have the trust of someone they are talking to, it’s time to get them to open the doors, either by opening an email sent to them or by going to a website that can then compromise the user’s computer.

If social engineering fails, then the next step is to go after the wireless, as it can be accessed from outside of the organisation but typically provides an internal network connection. Numerous tools and approaches exist to do this, so let’s just say it has a high success rate. Assuming none of the above approaches work, it’s time for the cyber-attackers to get their coats, quite literally.
The last stage of social engineering is the physical approach: walking through the front door and getting physically inside the organisation under one of the many plausible pretexts available. Once inside, all the attacker has to do is find a network port, plug in, and they are inside and able to start quickly compromising systems to create a back door. More often than not these days, the easy way to do this is to just deploy a device into the network.

Once the attackers are in, it’s typically open season on any vulnerable systems on the network. Every network is the same: unpatched servers, discontinued operating systems, badly configured equipment with default usernames and passwords; the list goes on. This is how you take down any organisation of any size.

What guidance is available for you?

The government has introduced a number of pieces of guidance to ensure safe protection against cyber-crime, including The 10 Cyber Security Steps, available here (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/395716/10_steps_ten_critical_areas.pdf), and Common Cyber Attacks: Reducing the Impact, here (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf).

What can you do to prevent attacks from happening?

Think like the attackers do, or get help from someone that can. Secure your systems against the basic threats and make yourself just that little bit harder to attack than everyone else. Work out what types of attackers might come after you and how, and gear your defences up to these threats first. Basic housekeeping activities in IT are not there to annoy – they’re there to help, so do them. Patch and configure – it’s not optional.

What plans and procedures should be in place?

Plan to be hacked. It’s inevitable, so work out what happens when it does.
Who says what to whom, what do you say, who’s going to help you figure out what happened, who’s going to stop it happening again? All of these questions need answers. More importantly, how do you know you haven’t been hacked already? Data isn’t deleted, it’s copied. So what monitoring is in place around access to data? Are all the systems monitored for malicious activity? Could you tell if your internal servers were being probed for known vulnerabilities? Do you know if a new device is plugged into your network?

More and more attention is being paid to cyber-crime by those perpetrating it and those looking to prevent it. As such, doing nothing is no longer an option. Any specific legislation or guidance relevant to your industry or sector is going to need to be considered, as it might mandate specific approaches or have requirements that need to be covered. For example, Daniel Jones, Kable’s senior analyst for defence and security, says: “In the public sector a new Government Security Classification Policy is in place, which requires organisations to enter data into three bands, instead of the previous five. These are OFFICIAL, SECRET AND TOP SECRET. Data is categorised and controlled accordingly.”

It’s simply not possible to do it all yourself either. Professional support will be needed in certain areas, and a little advice can go a long way towards working out what the best route for investment in defences might be.

Final thoughts

There’s no such thing as 100 percent security. Your organisation will probably experience some form of cyber-attack at some time. What’s important is having effective policies and plans in place that can help to reduce the impact of the attack, clean up the affected systems and get your business back up and running within a short time.
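Two of the monitoring questions above (can you spot a new device on the network, and can you tell when internal servers are being probed?) turned into concrete checks, as an added example that is not part of the original article. The device inventory, the DHCP lease lines and the firewall lines are all constructed here, and their formats are assumed rather than taken from any particular product.

```python
import re
from collections import defaultdict

# Constructed inventory of known devices (MAC -> description); hypothetical values.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "finance-laptop-01",
    "00:11:22:33:44:66": "print-server",
}

# Constructed DHCP-server style lease lines (assumed format, not a real product's).
DHCP_LOG = """\
DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 via eth0
DHCPACK on 10.0.1.21 to 00:11:22:33:44:66 via eth0
DHCPACK on 10.0.1.99 to de:ad:be:ef:00:01 via eth0
"""

# Constructed firewall-style connection lines: action src -> dst:port.
FW_LOG = """\
ALLOW 10.0.1.20 -> 10.0.2.10:443
DENY  10.0.1.99 -> 10.0.2.10:22
DENY  10.0.1.99 -> 10.0.2.10:23
DENY  10.0.1.99 -> 10.0.2.10:80
DENY  10.0.1.99 -> 10.0.2.10:445
DENY  10.0.1.99 -> 10.0.2.11:3389
DENY  10.0.1.99 -> 10.0.2.11:1433
ALLOW 10.0.1.21 -> 10.0.2.10:445
"""

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)
CONN_RE = re.compile(r"(ALLOW|DENY)\s+(\S+) -> (\S+):(\d+)")

def unknown_devices(dhcp_log, known=KNOWN_DEVICES):
    """Return (ip, mac) pairs for leases handed to MACs missing from the inventory."""
    found = []
    for m in LEASE_RE.finditer(dhcp_log):
        ip, mac = m.group(1), m.group(2).lower()
        if mac not in known:
            found.append((ip, mac))
    return found

def probing_sources(fw_log, min_ports=5):
    """Return sources that touched at least min_ports distinct (host, port) pairs
    on internal servers: a crude but useful signal that someone is scanning."""
    targets = defaultdict(set)
    for m in CONN_RE.finditer(fw_log):
        _, src, dst, port = m.groups()
        targets[src].add((dst, int(port)))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_ports}
```

In practice the inventory would be fed from your asset register and the thresholds tuned against normal traffic, but the shape of the check is the same: a baseline, a log source, and a rule that raises something a person can act on.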
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!