By Jeremiah Grossman
Citigroup, Sony, PBS, Sega, Nintendo, Gawker, AT&T, the Central Intelligence Agency, the United States Senate, NASA, Nasdaq, the NYSE, Zynga, BBC Music, the Royal Navy, and thousands of others have one thing in common – they have all fallen victim to hack attacks in the last year.
Millions of credit-card numbers, customers’ personal information and records, not to mention gigabytes worth of intellectual property, have been compromised. And the onslaught shows no signs of stopping. The net result has been stark – hundreds of millions of dollars in corporate losses, sharp stock price declines, lawsuits, fines and costly downtime. Most alarmingly, it no longer matters whether a company is in financial services, retail, education, gaming, social networking, government, telecom, media or travel – no industry is immune to these breaches.
The recent attacks give every company good reason to review its own data security policies. Here are 7 insights to help address the challenge of the Wild Wild Web:
> Every recent, high-profile breach in the news could easily happen to any online business.
This goes for both small-to-medium enterprises and Fortune 500 mega corporations. Data shows that most Web sites were exposed to at least one serious vulnerability every day of 2010.
> Today’s hacker is relentless in victimizing a ‘target.’
Recently there have been a large number of breaches in the gaming industry alone. Sony, Nintendo, Sega and the online account of Microsoft Xbox Live’s security chief have all been targeted. This highlights one of the most significant challenges, especially for large corporations – they have vast online footprints to protect. Proper defense requires a consistent, concerted effort and resource allocation commensurate with the level of risk.
> Becoming a ‘target of choice’ rather than a ‘target of opportunity’ can happen at any time.
Unfortunately, companies do not get to decide what type of target they are in this game; the attacker does.
> Firewalls and SSL cannot stop today’s attack techniques of choice.
Recent attacks include SQL Injection, PHP Local File Include, password reuse, denial of service and malware. Attackers compromise Web sites directly by exploiting application vulnerabilities. Later they use account credentials stolen from one system to compromise others, or knock them offline with a mountain of network traffic. Attackers will also target corporate employees directly, primarily via email or social networks, by sending them a piece of malicious software and convincing them to install it. The common denominator is that legacy network security and “best-practice” defenses are powerless here: the malicious request is valid HTTP, often carried over a perfectly good SSL session, so only the application itself can tell it apart from legitimate traffic.
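To make the point concrete, here is an added example (not code from the original post) showing two of the named flaws beside their fixes, in Python against an in-memory SQLite database: a login query built by string formatting versus the same query parameterized, and an allowlisted, canonical-path guard standing in for the “include whatever `?page=` says” pattern behind local file include. The sample users, the template directory `/srv/app/templates` and the page allowlist are constructed for the example; nothing on the wire would look unusual to a firewall, which is the author’s argument.

```python
import os
import sqlite3

# Constructed sample data standing in for a real users table. Passwords are
# kept in plaintext only to keep the example short; a real system stores a hash.
SAMPLE_USERS = [
    ("alice", "alice-secret", "alice@example.com"),
    ("bob", "bob-secret", "bob@example.com"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: whatever the client sends becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password):
    """Parameterized query: the same input is bound as data and cannot alter the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Hypothetical template directory and page allowlist for the file-include case.
TEMPLATE_DIR = os.path.realpath("/srv/app/templates")
ALLOWED_TEMPLATES = {"home", "about", "contact"}


def resolve_template(page):
    """Safe counterpart of an 'include the file named by ?page=' pattern.

    Two independent checks: the page name must be on the allowlist, and the
    canonical path must still sit under TEMPLATE_DIR. Returns None on refusal.
    """
    if page not in ALLOWED_TEMPLATES:
        return None
    path = os.path.realpath(os.path.join(TEMPLATE_DIR, page + ".html"))
    if os.path.commonpath([path, TEMPLATE_DIR]) != TEMPLATE_DIR:
        return None
    return path


def demo():
    """Run the same tautology input through both login functions and the include guard."""
    conn = build_db()
    # Textbook tautology input: the quote closes the string literal and the OR
    # makes the WHERE clause true for every row in the vulnerable version.
    tautology = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", tautology),  # every user "logs in"
        "fixed": login_fixed(conn, "nobody", tautology),            # [] : no such pair
        "legit": login_fixed(conn, "alice", "alice-secret"),        # ['alice']
        "include_ok": resolve_template("home") is not None,
        "include_traversal": resolve_template("../../etc/passwd"),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable and fixed functions receive byte-for-byte the same request; the only difference is whether the application treats the input as data. That distinction is invisible at the network layer, which is why the fix has to live in the code (or, at best, in a Web application firewall that understands the application).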
> None of the attack techniques should be considered ‘sophisticated’ by modern standards.
We’ve known about SQL Injection, PHP Local File Include and Denial of Service attacks for years, and there is nothing technical about them we haven’t seen a thousand times before – with the exception of Stuxnet. Also, the techniques used by malicious hackers whose behavior is primarily for personal entertainment, best viewed as canaries in the coal mine, are the very same techniques used by profit-motivated cyber criminals and by those that are nation-state sponsored. It is the latter two groups that we should be most concerned about, because when they succeed, they don’t advertise their successes. We have no idea how many similar breaches are currently going unnoticed.
> Like it or not, everyone gets a free penetration-test by the bad guys, so hack yourself first.
This is especially important for a ‘target of choice’: an organization with a large Internet-accessible attack surface, of which there are plenty. Find your websites, identify what you are vulnerable to, prioritize fixes and then strategize an effective software security program.
> If you want to improve something, measure it.
Almost anything that can be measured tends to improve over time. Useful measures include the number of vulnerabilities development groups are introducing into your websites every month, the speed at which issues that slip through QA are fixed, and how many days of the year a particular system is exposed to something serious. Having access to timely, accurate, informative and trend-driven data allows for more intelligent decision making, which can make the difference between being a headline or not.
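The three measures named above, together with the “find your websites, prioritize fixes” step two insights earlier, can be computed from nothing more than a list of findings with open and close dates. The following is an added example in Python (not the author’s or WhiteHat’s code) over a constructed set of findings for two hypothetical sites, `shop.example` and `blog.example`; it counts vulnerabilities introduced per month, averages time-to-fix, computes the number of days in the year on which a site had at least one open serious finding, and ranks the sites by that exposure so the worst one is fixed first.

```python
from collections import Counter
from datetime import date, timedelta

# Severities that count as "something serious" for the exposure metric.
SERIOUS = {"high", "critical"}

# Constructed sample findings: (site, severity, opened, closed or None if still open).
FINDINGS = [
    ("shop.example", "high",     date(2010, 1, 10),  date(2010, 2, 20)),
    ("shop.example", "high",     date(2010, 3, 5),   date(2010, 3, 12)),
    ("shop.example", "low",      date(2010, 3, 6),   None),
    ("shop.example", "critical", date(2010, 6, 1),   date(2010, 9, 1)),
    ("blog.example", "medium",   date(2010, 2, 1),   date(2010, 2, 8)),
    ("blog.example", "high",     date(2010, 11, 20), None),
]

YEAR_START = date(2010, 1, 1)
YEAR_END = date(2010, 12, 31)


def introduced_per_month(findings, site=None):
    """Count findings by the month they were first observed (optionally for one site)."""
    counts = Counter()
    for s, _sev, opened, _closed in findings:
        if site is None or s == site:
            counts[opened.strftime("%Y-%m")] += 1
    return dict(counts)


def mean_time_to_fix_days(findings, site=None):
    """Average days from first observation to closure, over findings that were fixed."""
    durations = [
        (closed - opened).days
        for s, _sev, opened, closed in findings
        if closed is not None and (site is None or s == site)
    ]
    return sum(durations) / len(durations) if durations else None


def days_exposed(findings, site, start, end):
    """Window of exposure: days in [start, end] on which the site had at least one
    open serious finding. A finding is open from its opened date up to, but not
    including, its closed date; a finding with no closed date is still open."""
    exposed = 0
    day = start
    while day <= end:
        if any(
            s == site and sev in SERIOUS
            and opened <= day and (closed is None or day < closed)
            for s, sev, opened, closed in findings
        ):
            exposed += 1
        day += timedelta(days=1)
    return exposed


def rank_sites_by_exposure(findings, start, end):
    """Most-exposed site first: a simple order in which to prioritize fixes."""
    sites = sorted({s for s, *_ in findings})
    scored = [(site, days_exposed(findings, site, start, end)) for site in sites]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("introduced per month (shop):", introduced_per_month(FINDINGS, "shop.example"))
    print("mean time to fix, all sites:", mean_time_to_fix_days(FINDINGS))
    print("ranked by days exposed in 2010:",
          rank_sites_by_exposure(FINDINGS, YEAR_START, YEAR_END))
```

On the constructed data `shop.example` was exposed to a serious issue on 140 days of 2010 and `blog.example` on 42, so the shop goes first, even though the blog’s open high-severity finding is the more recent one. The same functions run unchanged over a real scanner export once it is reduced to (site, severity, opened, closed) tuples.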
2011 appears to be a turning point in IT security, where yesterday’s best practices, products and services that dominate the budget line-items are being publicly exposed by today’s attackers as ineffective and a misallocation of resources. Throwing more firewalls and SSL at the problem won’t help; this is a software issue, not a network security problem. While these products were effective in the past, they have in effect pushed attackers to focus on an area outside their coverage zone: Web sites. And the continued resistance to funding new security measures shows just how woefully inadequate these systems are in securing a company against the continuous threat of website attacks.
Defense against the latest attack trends requires a new way of thinking that allows IT security to be treated as a strategic business initiative. The castle and moat model is broken. Our experience tells us that security is by no means mandatory, but then again survival is also optional.
Jeremiah Grossman is CTO of WhiteHat Security.