While I really appreciate both opinions, and while Dave’s might have been a little self-serving (aren’t all of our statements online?), I find myself in a very “Zen” place – saying, yes – you are both right, and wrong at the same time.
Krypt3ia points out that dismissing the human factor is going to lead to failures beyond what we can imagine as an industry. The reason here lies back in the fact that when we approach “Information Security” we focus too much on the “Information” part, and less on the more holistic meaning of the “Security” part. Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed. And that’s a personal promise from someone who’s been abusing the lack of layering and dismissal of such human factor for quite some time now running red-team engagements with high-profile, high-security clients (see – I can be self-serving too!).
On the other hand, Dave is also right – you can’t just throw everything on the employee and expect them to magically turn into “APT detectors” just because they clicked through some CBT program for a few minutes (or hours for that matter). You have to get the basics first, and Dave’s list is just as good as anyone else’s:
Perimeter defense and monitoring
Isolate & protect critical data
Strong security leadership
In no particular order, one should establish a consistent and solid implementation of all of these aspects for their organization.
Having said that, saying that employee awareness should be out of this list is where Dave went a little too far. Strong security leadership, access creep, and data protection are not technical feats by themselves. These are exactly the areas where employee awareness turns what could be useless (but very expensive) pieces of software or appliances to something that would actually work under an attack on your information assets. The point is not to _divert_ the spending on awareness, but to _combine_ them into your security strategy.
Which brings me back to my first (and only) point – stop thinking of information security as an industry of blinkenlights and snazzy software solutions. It’s about hacking, and hacking as we all know never stops at gadgets and code. Think of information security like an ATTACKER. Think about _their_ scope, and realize how your organization looks from that perspective. Now, take your budget and spend it on the areas where attackers could have compromised your informational integrity (HEY! Don’t touch that Nessus scan result! I told you to THINK goddamnit!).
And with that, I’ll leave you to your wonderful weekend before Vegas (one last self-serving statement – go check out “Sexy Defense” if you are really interested in an effective defensive strategy that goes beyond blogging and writing articles 🙂 ).
It is truly one of the highest indicators for me that we are on the right track in making some change in the defensive paradigm, especially in light of the newly added defense track for BlackHat. An opportunity to capture the attention of a large and high-visibility audience while putting a harsh mirror in their faces is something that I have been looking forward to do for some time.
So there you go – Vegas this year is shaping up to be really interesting. With BSidesLV (in which I’m also involved as a volunteer and mentor) running along BlackHat, and the 20th DefCon, you really can’t miss it.
This is a translation of the original article published in Calcalist on May 20th 2012.
A group of professional hackers, employed by the most sensitive organizations to detect security breaches, are showing how to gain access to critical information, or take down the power for a whole city – and what is needed in order to protect from such attacks.
If you believe hollywood, breaking into computers or networks is the easiest thing in the world. The hacker just sits in front of the keyboard, types in a few commands, and immediately finds itself in a top-secret database. In reality, it is naturally a more complicated affair: the hacker can’t break into a secure network in a couple of minutes, and not always without leaving the keyboard. He needs to gather intelligence, plan, go out and talk to people. A real hacker is essentiality a detective, a spy, and a bit of an actor.
In this article, in cooperation with experts from Security Art, among which Yoram Golandsky the CEO, and Iftach Ian Amit the Vice President of Consulting, we present the true work of hackers, and detail how a real breach into a secure computer network is performed. Security Art’s employees are hackers for hire – computer security professionals, who get hired by companies in order to break into their own networks and expose their security flaws.
The scenarios that we built here are based on actual attacks performed by Security Art (all client names have been dropped for confidentiality reasons). Others are probability scenarios – such that are based on the knowledge of Security Art’s experts about computer networks, the protections used in them, and their proven ability to manipulate and circumvent them.
The information brought here is not considered secret or as a mean to provide hackers with tools. It has already been published publicly in conferences, and is considered domain knowledge among security experts and hackers, and in any case is not detailed enough to be used maliciously. One thing this guide does show: with enough knowledge, determination and sophistication, there is no computer network or database that is fully protected from computer attackers. Not even a biometric database in which millions of shekels have been invested.
The target: infiltrating into an internal communication network of a company.
Intelligence gathering: For weeks, the attacker gathers relevant information on the company and its employees. Identifying employees through social networks such as LinkedIn and Facebook, building detailed profiles on them (from email addresses to hobbies). From such information the attacker identifies that in the near future a trade conference will be attended by some of the company’s employees.
The bait: The attacker builds a site similar to the one used by the conference. The domain used for the fake site is very similar to the real one (for example – aclc.com instead of adc.com). An email from the fake domain is sent to the employees that have been identified as relevant to the conference, inviting them to visit the conference website for updates (while using the phishing domain).
The catch: A few minutes after the email is sent, one of the employees clicks on the link provided in it, and browses to the phishing site. In the fake site, embedded attack code runs, and scans the employees computer for vulnerabilities.
The infiltration: The attack code identified a vulnerability in the employee’s browser, exploits it, and run a trojan application on it. This provides the attacker full control over the PC, without the employee ever taking note.
Data exfiltration: The attacker can track every activity performed on the PC – from keystrokes, through full access to any resource the user has privilege to on the network. The information includes contracts, development plans, strategic documents, confidential business communications with customers, and even encryption keys that provide access to encrypted data.
Expanding the breach: The attacker enjoys the same privileges of the employee’s compromised PC – financial systems, internal operational systems, file servers. Even when the employee has limited access, the attacker can leverage the initial privileges in order to get to restricted resources – by compromising the company’s main server.
How to prevent the breach: The company must equip itself with more advanced (adequate) technical means to filter content and separate the internal resources; educating and training the employees about safe browsing and use of the Internet; self tracking of the organization’s intelligence profile on the Internet.
The target: Abusing the capabilities of smartphones, or when the company’s network is well protected.
Intelligence gathering: First, the brand and model of the smartphones used by the company is identified, as well as which employees use them with their business email. Then, a traveling employee is located and targeted using his business email – which will be opened on the smartphone.
The trap: A malicious email containing an infected PDF file is sent to the employee. The PDF will install a trojan on the smartphone once opened. The trojan runs persistently on the phone, while mapping all the networks the phone is connected to (WiFi, 3/4G, etc). Additionally, it provides full access to all the information stored on the smartphone, as well as to the interesting features of it such as location services, opening up the microphone and camera in order to stream audio and video back to the attacker.
The spying: The location services feature enables the attacker to pinpoint the user to a specific location, and turn on the microphone and camera when inside the company offices. The calendar is used to identify important meetings, in which the microphone and camera will be turned on again. The result: access to classified information, which includes personal and professional conversations, which may not even exist on the company network.
Everybody’s network: If the employee connects the smartphone to the company’s WiFi, such a connection can enable the attacker to infiltrate it, while easily bypassing most protections that exist towards the official Internet perimeter. Even if the internal network is separate from the WiFi network, such access is still valuable, as other company PCs are connected to it, and can be targeted and breached (for example – during meetings in which employees bring their laptops to and connect to the WiFi in the meeting room). Even more dangerous: when an employee visits other companies (clients) and connects to their wireless networks, while exposing them to further attacks.
How to prevent the breach: Employees can be supplied with company issues phones, which have been hardened and secured. Alternatively, advanced security modules can be installed on employee owned phones. Furthermore, a proactive approach is required in monitoring and mapping the internal network for anomalies.
Installing spy software using a flash drive
The target: A defense contractor’s internal network, which is physically separate from the external networks.
Intelligence gathering: Much like the first phase of the first scenario. In this case the target is to understand in which internal network the interesting information resides.
For establishing a baseline of how the organization works, full mapping of both personnel as well as physical locations of the organization is performed. Based on the professional background of specific employees published in sites such as LinkedIn, employees can be mapped to which products they work on, and in which divisions. Location services such as FourSquare enable associating physical locations to the employee’s profile – thus revealing the actual office in which the secure network operates in.
In a specific attack which Security Art’s employees performed, a call was made to the office that was targeted. In order to verify the targeted employee’s details, the attacker impersonated another company employee (“it’s easiest to claim you are from marketing, then you have a good enough excuse for your ignorance…”), talked to the development team lead, and corroborated the information gathered so far. Additionally, the attacker managed to identify that there was an internal voice over IP network in use – which could be leveraged later to exfiltrate the sensitive data.
The con: The attacker arrives at the targeted office, bearing a branded USB thumb drive. He hands it over to the receptionist, claiming: “I just found this outside, I think someone from this office dropped it, let’s plug it in and see who’s is it!”. The unsuspecting receptionist plugs the thumb drive into the PC and opens up the files on it. Another alternative for the drop is to leave the thumb drive at the cafeteria, or to hand it over to an employee that’s about to enter the building.
The infection: Once the drive is plugged in, a malicious code runs and installs a trojan. The trojan maps the internal network, locates the relevant data, and encodes it into audio signals.
The call: The trojan maps the voice over IP network and impersonates a handset to initiate a call to the attacker’s voicemail outside the organization. It then “plays” the encoded audio signals from the previous phase. Now the attacker can download the voicemail, decode the audio signals back into binary data, and access the sensitive information.
Command and control: The attacker can further furnish the trojan to call into a conference call number and stay connected to it. In such a scenario, the attacker can join into the conference call anytime, and send simple instructions to the trojans connected to it using the DTMF tones generated by the phone handset.
Hot to prevent the breach: The company should block the option to connect external devices to the organization PCs. Additionally, monitoring of the VoIP network is critical in order to find suspicious activities.
Powering off a city
The target: attacking the power supply infrastructure of vast regions by taking over smart meters that use cellular communications.
Intelligence gathering: Smart meters are in a pilot phase in Israel. Several suppliers participate in this pilot. The attacker gathers intelligence on the suppliers, and tries to identify vulnerabilities in the produce that are being tested.
Stealing the data: The attacker uses specialized equipment to set up a cell tower, which impersonates a legitimate cell provider’s tower. It then causes the smart meter to “trust” it, and communicate through it. Now the attacker has full access to the data gathered from the smart meters, and change it before passing it along to the electric company monitoring and operations center.
The hit: Using the information gathered, the attacker can damage the production systems: by falsely reporting a higher or lower utilization than the actual one, the production rate will be modified, causing rolling blackouts through extensive regions.
How to prevent the breach: monitoring critical points in the smart meter system, and having dual checks and controls over any information that is related to production and usage.
Today we have another guest post from our friends at GFI – this time on patch management (which unfortunately is one of the reasons that so many pentests are so easy to succeed in…)
Every organization uses several types of software such as operating systems, servers, clients and many other third party applications. Every software package is a complicated piece of engineering. Programs are created from hundreds of thousands to millions of lines of code and each line of code is further converted by the compiler into many low level instructions that a computer needs to execute. With all this complexity, it is not surprising that issues will arise affecting the smooth running of the system on which the software is installed.
Be it a coding mishap, a combination of inputs that the developer didn’t foresee, or even an unexpected interaction between the billions of low level instructions, an application can have a vulnerability that would allow someone to maliciously exploit in order to perform some undesired action.
Malicious hackers are constantly looking for these software deficiencies both for fame and profit. A zero-day vulnerability in a popular application may be sold for hundreds of thousands of dollars on the black market. Such vulnerabilities could be used to infect a large number of computers before vendors get a chance to detect and address the problem.
At the other end of the spectrum, security researchers are in a daily race with malicious hackers to find vulnerabilities themselves. When they do come across these vulnerabilities, vendors are notified and given time to fix the issue before making their findings public.
How does all this affect your need for patch management?
Malware like the Code Red worm and Sasser exploited software vulnerabilities to deliver their malicious payload, therefore failing to patch software would leave your systems open to such attacks. Payloads can be anything from BotNet software which will waste bandwidth and computer resources to send spam, to spyware software designed to steal credentials, financial details and intellectual property.
While security researchers play an important role in discovering vulnerabilities, disclosing them to the public indirectly increases the risk for organizations because even though a patch will be available, not all organizations are organized and address the problem immediately.
Hackers are aware that many IT admins take their time to patch their systems, sometimes waiting months to deploy a released patch. Code Red is a perfect example. While Code Red exploited a vulnerability for which a patch had been available for over a month, countless systems were compromised by the malware because many had not yet deployed the critical patch.
One also needs to take a holistic approach to patch management. As in all security cases, it is the weakest link in the system that is exploited. An attacker does not need to compromise all your systems’ vulnerabilities, they only need to compromise one vulnerability to get access to your systems. That is why selective patch management is not recommended. While operating system patch management is essential and easiest to perform, that alone will not protect you against vulnerabilities in third-party products such as a PDF file exploiting a vulnerability in a PDF reader.
It is obviously preferable to do operating system patch management exclusively rather than having no patch management at all, but the more applications you keep up to date the more effective your security will be.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.
Today I’m proud to give this stage to some friends from GFI (have some good friends from the former Sunbelt guys that were acquired by GFI last year). Vanessa is our guest blogger, and she’s got a great post on how to run a more effective Vulnerability Assessment process in your organization.
Do you know how your server measures up to potential threats? If you haven’t performed a vulnerability assessment on your servers yet, you may not be aware of issues that may leave you exposed to hackers and web-based attacks. A vulnerability assessment is the process of inventorying systems to check for possible security problems, and is an important part of system management and administration.
Vulnerabilities are weaknesses within a server or network that can be exploited in order to gain unauthorized access to a system, usually with the intention of performing malicious activities. The most common way to address many software-related vulnerabilities is through patches, which will usually be provided by the software manufacturer to correct security weaknesses or other bugs within an program. However, there may be times when a patch is not available to address a possible security hole, and not all vulnerabilities are software-related for which a patch would be offered. This is where the concept of vulnerability assessment comes into play. Minimizing the attack surface and the effect that a potential hacking attempt could have on your system is a proactive way of effectively managing a server network.
While there is no 100% way to protect your servers against vulnerabilities, in performing a vulnerability assessment there are some steps you can take to minimize your risk:
Close unused ports
Ideally, your server network setup should include at least a network firewall and a server-level firewall to block undesired traffic. Undesired traffic would include traffic to ports that are unused or that correspond with services that shouldn’t be publicly-available. These ports should be blocked in your firewall(s).
If servers on your network are set up to share files with others, or to access network shares (such as file servers and other resources), make sure that those shares are configured to only allow access as appropriate. Hosts that don’t participate in sharing resources should have that capability turned off completely.
Stop unnecessary service
The more services you have on your server, especially those that listen on network ports, the more avenues a hacker has to get into your system. This is especially true if you have services running that aren’t being monitored or used, and therefore are unmaintained. Stop services that are not in use or necessary, and restrict access to others that are not intended for public access.
Remove unnecessary applications
Many operating systems come with a wide set of programs that may not be necessary for normal server operations. Find out what software is installed on your system, and then determine which of those applications are not necessary and remove them.
Change your passwords
Using default vendor passwords is more common than you may think – but since those passwords are usually publicly-known, they are often the first ones used during hacking attempts. Secure passwords should always be used in favor of the vendor defaults, and industry experts recommend changing them every 30-60 days.
Do some research
When software or new applications are installed, users often neglect to take the time required to review their settings to ensure that everything is up to par with modern security standards. Take some time to research what you are installing and any security implications that it may have, including what features may be enabled that could introduce security problems, and what settings need to be adjusted.
Encrypt when possible
Many services and network hardware have the capability of encrypting traffic, which decreases the likelihood of information being “sniffed” out of your network. When transmitting sensitive data, such as passwords, always use an encrypted connection.
Regular vulnerability assessment is a vital part of maintaining system security. Not only will it help diminish the success or possible effects of malicious activity against your servers, but it’s also a requirement for many compliance standards such as PCI DSS, HIPAA, SOX, GLB/GLBA, among others.
This guest post was provided by Vanessa Vasile on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information on vulnerability assessment
All product and company names herein may be trademarks of their respective owners.