Meet your enemy!

Wednesday, 21 January 2015 00:00

Pierre Noel, Chief Security Officer and Advisor for Microsoft Asia, is a veteran of Information Security and Enterprise Risk Management with 30 years’ experience in the field. Noel, who has designed and built complete Security and Enterprise Risk Management environments for governments, finance, transport and large conglomerate industries around the world, is currently involved in helping several nations in Asia build their Cyber Security infrastructure and framework from the ground up. He was recently invited to participate in a security forum organised by Sri Lanka CERT, a subsidiary of the ICTA, and shared a case study published in ‘Futures’ magazine on how hackers use unethical means to access computer systems and how they can be prevented.

Over the past few months there have been reports of large government bodies and multinationals being hacked and potentially sensitive information being accessed. Futures speaks to a hacker-for-hire and security experts to discover the methods hackers are using to gain access to computer systems, and how they can be thwarted. The hacker, Oleg (not his real name), who is in his 30s, emigrated from Eastern Europe to Asia over 10 years ago. He studied mathematics and physics and, currently based in Asia, is seasoned enough in the trade to also rent out his expertise.

Planning an attack

How do hackers choose who to attack? Often they are targeted attacks with a specific government or organisation in mind. The hacker will receive an order to obtain information from that organisation, destabilise its services or deface the organisation’s website. “In which case I will check Facebook, LinkedIn and chat groups to grab what people are saying about what’s happening within that organisation,” Oleg explains. With the growth of social media platforms and online help forums, more and more information is out in the open, and it is increasingly difficult for organisations to monitor and control what their employees make available.
“This phase of hacking (commonly referred to as ‘passive information gathering’) is one of the easiest activities to undertake, but also one of the phases that can take the longest,” says Gunter Ollmann, Chief Technology Officer of IOActive, Inc., a Seattle-based provider of computer security services. Cecil Su, Head, PSS at e-Cop, calls this the “low-hanging fruit that a potential intruder may take advantage of to know about the behaviour and profile of a target.” The first line of defence is to implement very simple measures that employees and individuals can use to protect their identities online. After all, if they cannot be associated with an organisation, what they post cannot be linked back to that organisation. Gerry Chng, Partner, Advisory Services, Ernst & Young, suggests that individuals “can restrict who can view information on their social media presence through the privacy settings found in most social media sites. That will prevent undesired access to their personal information.” He also recommends avoiding divulging too much specific information on forums and chat rooms, and using an alias that cannot be tied back to a user’s real name or organisation.
BOX OUT: Chng, Ollmann and Su suggest these action points when interacting in cyberspace:

- Develop a strategy and moderate postings to blogs/forums/online sites
- Together with education and awareness on phishing and social engineering, organisations should ensure that their employee agreements or HR policies clearly state what information can be published online, and reinforce the personal threat employees face as hackers mine this personal data to target individuals and, through them, the organisation
- Isolate important email addresses (i.e., work and personal) and keep separate personal and business social media accounts – using different names or aliases for accounts – and do not cross-post information
- Restrict password-based access to accounts through social media managers
- Monitor accounts closely by updating permissions and regularly changing passwords
- Restrict who can view your online profiles
- Consider what information is shared online, such as check-ins, likes and photos with geo-location data

Attack!

After the planning and preparation phase, Oleg has a decent amount of information to draw upon. Oleg now enters the stage where he “probes the organisation’s environment: trying to figure out what systems they are using to protect their network; this will give me some good scenarios for attacking.” “(During the attack) my aim is to bypass the security layers of the organisation so that I can penetrate one of their systems and start collecting further information. There, depending on my goal, I will plant a Trojan, or simply start bringing their systems down.” It is here that technology, policy and planning come into play. Sharing his experiences with us, Oleg commented on his amazement that little has changed over his 10-year hacking career.
“Most organisations still seem to rely almost exclusively on two or three security technologies to protect themselves, and once you break those, the kingdom is yours!” Our three security experts’ opinions differ somewhat: Su affirms that this might be true ‘to a certain extent’, Chng states that organisations ‘do not simply rely on two or three security technologies’ but do have challenges, and Ollmann says he does not believe this to be true. “While the core technology labels such as ‘Anti-virus’, ‘Firewall’ and ‘Intrusion Prevention’ remain the same, the underlying technology and capabilities have completely changed and bear little resemblance to the technologies of 10 years ago,” Ollmann explains. Chng identifies three main challenges he has experienced. Firstly, solutions do not always integrate with each other, leaving administrators struggling to figure out whether something is going wrong. “Nobody wants to look at three or four different management consoles and try reconciling what is happening on the network,” he remarks. Secondly, the solutions are often deployed without considering how they fit into the bigger scheme of things. Without a proper risk assessment being done first, the solutions are either ineffective in addressing the real risks or, worse, they might be impeding the productivity of employees. Finally, there is still a belief that a ‘perimeter security’ model works. With the proliferation of mobility technologies, the focus should be on protecting information throughout its lifecycle rather than building a digital fortress.

Plan B

If a head-on assault does not get him results, Oleg looks for an alternative route into the network. “Users usually have more permission to access machines and files than they really need to. So I can try to trace and penetrate the laptop of one of the employees, and from there bypass the perimeter security,” claims Oleg.
With the growth of mobile devices, remote workers and bring-your-own-device programmes, what Ollmann calls the ‘hard shell’ protection approach becomes eroded. “Recent persistent attacks have been focusing on endpoints as these routes provide a ‘path of least resistance’ into an organisation, particularly if the focus is still around perimeter security,” Chng continues. Su elaborates, “An intruder that used to have only a few entry points ten years ago will now have a myriad hub of opportunities to attack a target by way of these mobility devices.” Employees, and by extension organisations, are under a constant state of attack from persistent threats. There are also many instances where the source of a breach originated from a “security device.” Su recommends that organisations should have an upkeep strategy for each and every one of their security devices; otherwise they could be susceptible to intrusions. There are plenty of instances when a security device that an organisation counted on, and which should have prevented the attack, was not updated and became the attacker’s entry point. “My advice to CSOs and CISOs at Global-1000 companies is to take a strategic look at the business’s information assets to identify the ‘crown jewels’ and focus protection technologies there – work outwards in layers as and when budget and resources become available,” Ollmann recommends. “In addition, if network monitoring technologies are already deployed, to use them as alerting systems capable of detecting a successful breach – rather than alerting on every possible attack. This approach helps limit the ‘noise’ and allows incident response teams and security teams to focus on the core threats and provide more timely responses.”

The aftermath

Once he has successfully penetrated the organisation, the first thing Oleg does is gain access to the administrators’ emails and messaging systems, so that he can see what’s happening.
“They are often in denial as to what is happening; it is like they can’t believe that someone would be clever enough to bypass their perimeter protection; and they often don’t know what to do except disconnect some of the machines they think I infected and wait for experts to come onsite and carry out some forensics. They are so unprepared!” “To some degree, that comment is true,” Chng affirms. “While incident plans do exist within most mature organisations, they are often not exercised enough. As a result, there may be uncertainty and/or confusion on what should be done in those situations,” he continues. Ollmann suggests that the process should also include protocols on the pros and cons of various reactionary actions. For example, unplugging a system could draw attention to the fact that a compromise has been discovered, thus triggering an exit plan by the hacker. As most administrators are not trained in digital forensics methods and are unsure of what needs to be done to preserve evidence, it is imperative that organisations have a battle-tested Incident Management Plan and a response team that can exercise the proper chain of custody. Organisations can choose to work out a plan with a qualified third-party vendor to provide such services. Working out such plans in advance with the third party will help iron out any red tape that may be an obstacle when crunch time comes. This reduces the need for highly trained incident response teams within an organisation, allowing organisations to focus on optimising and tuning recovery processes and keeping running with minimal interruption. Ollmann believes that many larger and more sophisticated organisations have adopted a ‘breach detection’ strategy. They assume that they will be breached and that it will happen repeatedly – therefore the focus is upon early detection of a successful breach and rapid remediation. Automated breach detection alerts are sent to the helpdesk rather than to an incident response team.
The helpdesk team contacts the system owner or user and, within 15 minutes, the system has been reimaged or rebuilt from trusted media. Only if a particular system gets breached more frequently, or is more critical, is it escalated for more detailed monitoring.

In conclusion

“Some organisations are more sophisticated, of course, but not that many; and I can often find alternative ways to penetrate their environment,” explains Oleg. Provided organisations are online, there is no true perfect security state. Su explains that the idea is to get organisations to a resilient state where the organisation is able to manage the crisis at hand and limit the damage. This is also the stage where the organisation is able to contain the threats and has better control of the resources to deploy and remediate the risks. “Part of the IT Security strategy framework that organisations can adopt should ideally be figuring ways to bounce back, and to recover as soon as an incident occurs,” Su concludes. (Courtesy Microsoft Futures Magazine)