Not Another Top X List

The ol’ interweb is permanently awash these days with “Top X This” and “Y Most Something Else” lists, so why should this blog be any different? Well partly because we’re professionals and not clickbait, but, as anyone who has read a few of my blogs for 2-sec will likely know by now, where possible I try to put my own, perhaps tongue in cheek (perhaps grumpy verging on offensive depending on what time of night I’m writing), spin on many of the topics that I cover.

So here goes, with my take on:

Top X Ways You’re Probably Going to get Hacked This Year

Distraction! Smokescreen! Surprise!

DDoS (Distributed Denial of Service) attacks have something of a reputation for being the domain of two main groups – angry script kiddies who want to ruin Christmas by taking down Xbox Live or PlayStation Network services just as new games have been unwrapped, and Hacktivists who try to make a fierce political point by knocking Evil Corporation PLC’s website offline for a few, precious, hours. But with the rise of easily accessed DDoS-on-demand tools, such as the one that that attack on Christmas gamers may have been intended to publicise, they became something altogether more ‘useful’.

Imagine your business comes under attack. Maybe you successfully quarantined the Malware that found its way onto your network. You proudly restored your well-maintained and secured backup, foiling a Ransomware infection. Your website goes down due to a massive automated DDoS attack, but you have a procedure in place, followed to the letter, and your site is back up in no time. Wow, what a week! But wait – what’s that on the news? Uh oh, turns out your entire database containing sensitive customer details just got dumped in the public domain, and you didn’t even realise it had been accessed!

What happened? You were the victim of a huge, multi-vector attack, and it was nothing but a smokescreen, a distraction to keep you busy, while the real attackers quietly slipped in and out with your precious data (probably using account details gained through a whole separate Phishing campaign undertaken earlier). Don’t get me wrong, this isn’t new, but as is the case with many of these more sophisticated, more successful, forms of attack, it’s certainly on the rise.

A standout example of exactly this sort of attack, in case you didn’t read about it at the time, occurred last August on Mumsnet. And the “Surprise!” element? Armed police were sent to the homes of both the co-founder and another team member after hoax calls were made, one claiming a murder and hostage situation was underway. Obviously this was abnormally personal, but regardless – not the sort of attack that you can afford to be complacent about.

Spear-Whale-Phishing, whaaaaat?

Honestly, I’m waiting for the next new form of attack to be named something to do with Narwhals. But really I’m just sore that, when I wrote about CEO Fraud back in February, I didn’t think of the name Whaling. It was so obvious! I’ll get my chance…

But in the meantime, silly naming conventions or not, these attacks are no laughing matter. Your People™ still are, and will very likely always be, your single weakest link. Period. There are simply too many ways, far more than I can write about here, in which any individual within your organisation can be tricked, subverted or socially engineered into becoming an unwitting point of entry for an attacker. And the trouble with people is you can’t roll out a network update to fix them – you have to communicate with them.

If you don’t have a cyber-security training program in place, then there is simply no question. You need one.

SSL. Malware in Disguise

Back in 2015 it was estimated that, by the end of that year, over half of all internet traffic would be encrypted. I can’t find an up-to-date figure, but based on my experience I’d be willing to bet that ‘we’ smashed that figure. Certainly Google stated in February that 77% of all requests sent from computers around the world to Google’s servers are now protected by encryption, with a goal of 100%.

This is all a Good Thing. Actually it’s a very good thing. For lots of reasons, which I might even list someday soon. BUT there’s a flipside to almost all Good Things. You see, assuming you have a (formerly) reasonable security posture, every data packet that enters your network is subject to examination – to check it’s not full of EVIL. But when those packets arrive encrypted, you might be forgiven (no, actually you won’t) for thinking, “Well, it’s encrypted so we can’t look in there, but that means it’s been sent over a secure client-server channel. Nobody else can access or interfere with it, so it’s safe, right?”

But of course it’s not, else I wouldn’t be writing about it here, would I? I’ve written previously, in a blog about Ransomware, about the fact that many of the world’s most trusted, legitimate websites have, in the past, been compromised, e.g. through ‘Malvertising’, to enable delivery of a Malware payload by ‘drive-by download’. So if your connection to that website is secure, all that really means is that Malware is being sent to you securely. Perfect.

What’s so serious is that the situation is far worse for it, because you think you have security – you have a padlock symbol in your browser, and whatever other measures you have in place along the way. But you don’t realise that, having downloaded Malware in Disguise (MalFormers, anyone? No?), at your end your sensitive data is being hoovered up and sent down your encrypted pipe to the guy sat in the shadows with his hood up somewhere at the other end.

Bleak picture I know. Shadows and a hood. But what can you do about it? Well I’ll make it sound simple at least – all that protection you’ve already got (right?), it ‘just’ needs to be on the right side of your encryption/decryption. Of course there’s more to it than that, but that’s for vendors to discuss with you, my job here is to tell you that you need to have that conversation.

Patch. Patch. Patch more. Patch!

Speaking of rolling out network updates, among other forms of updates, DO THEM. It really is that simple. As I mentioned a couple of weeks ago, 2015 saw a new Zero-Day Vulnerability every week. Every time a vulnerability is found in a piece of software, it’s somebody’s (or lots of somebodies’) job to fix the software and release the fix as a patch update for anybody with that software to apply. Problem is, until you apply that patch, you’re as vulnerable as you were on day zero.

There is an endless list of high-profile breaches that can be traced to a vulnerability for which a fix already existed. The most recent biggun’ is the huge Panama Papers hack of law firm Mossack Fonseca. The most likely theory? An out-of-date Revolution Slider plugin for WordPress, or a Drupal portal with a very well-documented security flaw “so bad that security experts warned that if people had not patched their sites the same day the patch was released, they should assume they had been hacked and consider a fresh install.”

Let that sink in for a moment: it is entirely possible that a law firm not updating a WordPress plugin brought about the downfall of the leader of a country. So update already; you don’t need that on your conscience.

Even if he did have it coming (The opinions expressed in this article are the author's own and do not reflect the views of 2-sec).

Oops. Ran Out of Patches.

Yeah, I know, the get-rid-of-WinXP bandwagon has been and gone. I’m flogging a dead horse here. If you’re still running an OS that has been unsupported for over 2 years, nothing I say here is going to change that. But so many people, and, far more worryingly, businesses, still are!

The message on the Microsoft website about end of support for XP has been there for so long that it, itself, is no longer supported – it still encourages you to upgrade to “a modern operating system such as Windows 8.1.”

So why am I going on about this now? Well, because Windows XP is not the only piece of software that has ever reached the end of its support lifecycle while still in massive mainstream use. It was certainly the one that gained the most publicity, yet it seems that the warning that YOU ARE NOT SAFE, even combined with a way to become safe(r) for free, really didn’t kick-start enough people into action.

Yet, according to netmarketshare.com, 10.9% of all computers are still running XP (which is still more than Windows 8.1). And according to internetlivestats.com there are currently nearly 3.4 billion internet users in the world. So I guess 340 million of them are incredibly, incredibly, vulnerable to cyber-attack?

Microsoft SQL Server support ended this month, and Microsoft Windows Server 2003 support ended nearly a year ago. Again, both remain very much in circulation globally. One survey claimed that 30% of all enterprises actively planned to continue to run Server 2003 after End of Life. The thing is, it’s not just themselves they are putting at risk – these are web-facing servers (Server 2003 was running on 1 in 10 of all web-facing servers in August 2015, one month after end of life), many of which hold our data. That kind of negligence is frankly unforgivable, and in the event of a major breach you can bet that reputations would be destroyed if that kind of information got out.

Bottom Line

It has become a fact of life that cyber-attacks on businesses, small and large, are somewhat inevitable. You’ve probably been attacked, maybe even several times, in the last year. But for every attack vector there is always something you could do better, if not to prevent it, then at the very least to mitigate the damage: the kind of damage that has been known to put people out of business.


2-sec is a leading provider of security consulting services. These include penetration testing, PCI DSS, Cyber Essentials, PA DSS, virtual CISO and training & awareness.