BreachExchange mailing list archives

Cyber attack: preparing for the inevitable


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Nov 2015 17:50:07 -0700

http://www.theinformationdaily.com/2015/11/23/cyber-attack-preparing-for-the-inevitable

In 2014, 81 percent of organisations in the UK reported a cyber-security
breach. So far this year, 40 percent of public sector organisations alone
have been hit by a cyber-attack.

On average, these attacks and breaches cost between £600,000 and £1.15
million for larger organisations and £65,000 to £115,000 for smaller ones.
That’s a hefty price to pay for not being vigilant.

It’s important to understand that everyone is at risk. It’s not a matter of
if, it’s a matter of when. If you openly demonstrate weaknesses in your
approach to cyber security by failing to do the basics, you will experience
some form of cyber-attack. So, here’s the lowdown on cyber-crime and some
of the measures you can put in place to make sure you’re not part of the
statistic:

Cyber-crime – the basics

The internet has given us many wonderful things, not least of which is the
ability to easily, openly and anonymously share information with each
other. What this means for cyber-crime is twofold. It provides a mechanism
for people to discuss, document and share the approaches, tools and
techniques needed to perpetrate it, as well as the open and anonymous market
needed to monetise the returns from it.

Why are you at risk?

It’s all down to the barrier to entry being so low. 20 years ago, if you
wanted to hack a bank to make millions it took some serious effort and a
whole lot of technical skill. Now it just takes an email, and you don’t
even have to target the bank. All you need to do is send an email to a few
million people asking them to change their password, or to look at an
invoice attached to the email, or any number of other easy-to-achieve ruses.

More importantly, not only is the approach quite simple but the tools,
techniques and approaches are very well documented and you can even
purchase “Hacking-as-a-Service” to get someone else to do it for you for a
fee.

How do cyber-criminals get in?

Most attacks against organisations follow a simple flow of activities,
although the specific attacks used can be anything. It all starts with some
basic reconnaissance and probing. They start by scanning all of your
systems and services on the perimeter of your organisation, looking for
weaknesses they can exploit. They also start to leverage public sources of
data to learn all they can about your organisation such as staff names,
sector issues and anything else that might be useful.

If they find an obvious vulnerability in something like your website or a
mail server then this will be exploited to get a foothold in the
organisation. From there, they can use the device or service to “pivot”
through your perimeter into the organisation’s internal networks and
systems.

If that doesn’t get them in then it’s over to trusty social engineering.
Typically this starts with an email, just because it’s easy and effective.
The ‘bad guy’ constructs a suitable scenario that will leverage social and
psychological techniques to encourage you to open it and either hand over
your sensitive details or run a program they want you to run for them.

If the email doesn’t work, then it’s over to the phones where they’ll
leverage what they’ve learnt so far to start having conversations with
people inside the organisation, each time learning more sensitive
information. Once they have the trust of someone they are talking to, it’s
time to get them to open the doors, either by opening an email sent to them
or by going to a website that can then compromise the user’s computer.

If social engineering fails then the next step is to go after the wireless,
as it can be accessed from outside of the organisation but is typically
providing an internal network connection. Numerous tools and approaches
exist to do this, so let’s just say it has a high success rate.

Assuming none of the above approaches work, it’s time for the cyber-attackers
to get their coats, quite literally. The last stage of social engineering
is the physical approach: walking through the front door and getting
physically inside the organisation under some plausible pretext, of which
there are many.

Once inside, all the attacker has to do is find a network port, plug in and
they are inside and able to start quickly compromising systems to create a
back door. More often than not these days the easy way to do this is to
just deploy a device into the network.

Once the attackers are in, it’s typically open season on any vulnerable
systems on the network. Every network is the same: unpatched servers,
discontinued operating systems, badly configured equipment with default
usernames and passwords; the list goes on. This is how you take down any
organisation of any size.

What guidance is available for you?

The government has introduced a number of pieces of guidance on protecting
against cyber-crime, including The 10 Cyber Security Steps
(https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/395716/10_steps_ten_critical_areas.pdf)
and Common Cyber Attacks: Reducing the Impact
(https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf).

What can you do to prevent attacks from happening?

Think like the attackers do, or get help from someone that can. Secure your
systems against the basic threats and make yourself just that little bit
harder to attack than everyone else. Work out what types of attackers might
come after you and how, and gear your defenses up to these threats first.
Basic housekeeping activities in IT are not there to annoy – they’re there
to help, so do them. Patch and configure – it’s not optional.

What plans and procedures should be in place?

Plan to be hacked. It’s inevitable, so work out what happens when it does.
Who says what to whom, what do you say, who’s going to help you figure out
what happened, who’s going to stop it happening again? All of these
questions need answers.

More importantly, how do you know you haven’t been hacked already? Data
isn’t deleted, it’s copied. So what monitoring is in place around access to
data? Are all the systems monitored for malicious activity? Could you tell
if your internal servers were being probed for known vulnerabilities? Do
you know if a new device is plugged into your network?
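Two of those questions (a new device on the network, internal servers being probed) can be answered from logs you probably already collect. The following Python is an added illustration, not code from the article or the mailing list: it runs two simple checks over constructed log lines. The DHCP line shape (dnsmasq-like), the firewall flow line shape, the device inventory and the port-count threshold are all assumptions made for the example.

```python
"""Two small detection checks: "is there a device we don't know about?" and
"is one host touching many ports on one server?". All inputs below are
constructed for this example; the log formats are assumptions, not any
particular vendor's output."""
import re
from collections import defaultdict

# Constructed inventory of devices we expect to see (MAC -> description).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "finance-pc-01",
    "00:11:22:33:44:66": "print-srv",
    "aa:bb:cc:dd:ee:01": "wifi-ap-lobby",
}

# Constructed DHCP server lines in a dnsmasq-like shape (assumption).
DHCP_LOG = """\
Nov 23 09:01:12 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.20 00:11:22:33:44:55 finance-pc-01
Nov 23 09:03:44 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.21 00:11:22:33:44:66 print-srv
Nov 23 09:15:02 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.99 de:ad:be:ef:00:01 raspberrypi
Nov 23 09:15:03 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.1.99 de:ad:be:ef:00:01 raspberrypi
"""

DHCP_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<name>\S+))?",
    re.IGNORECASE,
)


def unknown_devices(log_text, inventory=KNOWN_DEVICES):
    """Return {mac: (ip, hostname)} for every lease granted to a MAC that is
    not in the inventory. Repeated leases for the same MAC collapse to one entry."""
    found = {}
    for line in log_text.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac not in inventory:
            found[mac] = (m.group("ip"), m.group("name") or "")
    return found


# Constructed firewall/flow lines: "<timestamp> <src> <dst> <dport> <action>" (assumption).
# The unknown 10.0.1.99 host walks a dozen ports on one server; a known PC
# makes two ordinary file-share connections.
_SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
FLOW_LOG = "\n".join(
    [f"2015-11-23T09:20:{i:02d} 10.0.1.99 10.0.2.10 {p} DENY"
     for i, p in enumerate(_SCAN_PORTS)]
    + ["2015-11-23T09:21:00 10.0.1.20 10.0.2.10 445 ALLOW",
       "2015-11-23T09:21:05 10.0.1.20 10.0.2.11 445 ALLOW"]
)


def probing_hosts(log_text, threshold=10):
    """Return {(src, dst): distinct_port_count} for every source that touched at
    least `threshold` distinct destination ports on one destination. The
    threshold is an assumed tuning value; denied and allowed flows both count,
    since a scan against a patched host still looks like a scan."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip anything not in the assumed five-field shape
        _ts, src, dst, dport, _action = parts
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for mac, (ip, name) in unknown_devices(DHCP_LOG).items():
        print(f"unknown device: {mac} at {ip} ({name or 'no hostname'})")
    for (src, dst), n in probing_hosts(FLOW_LOG).items():
        print(f"possible probe: {src} -> {dst}, {n} distinct ports")
```

On the constructed input, the first check reports the one lease to a MAC that is not in the inventory, and the second reports the single source/destination pair that touched twelve distinct ports; the known PC's two connections stay below the threshold. In practice the inventory would be a maintained asset list and the flow lines would come from a firewall or NetFlow export, and the port threshold and a time window would be tuned to the environment.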

More and more attention is being paid to cyber-crime by those perpetrating
it and those looking to prevent it. As such, doing nothing is no longer an
option. Any specific legislation or guidance relevant to your industry or
sector is going to need to be considered, as it might mandate specific
approaches or have requirements that need to be covered.

For example, Daniel Jones, Kable’s senior analyst for defence and security
says: “In the public sector a new Government Security Classification Policy
is in place, which requires organisations to enter data into three bands,
instead of the previous five. These are OFFICIAL, SECRET and TOP SECRET.
Data is categorised and controlled accordingly.”

It’s simply not possible to do it all yourself either. Professional support
will be needed in certain areas, and a little advice can go a long way
towards deciding the best route for investment in defenses.

Final thoughts

There’s no such thing as 100 percent security. Your organisation will
probably experience some form of cyber-attack at some time. What’s
important is having effective policies and plans in place that can help to
reduce the impact of the attack, clean up the affected systems and get your
business back up and running within a short time.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
