We’re all looking for the next great threat to infrastructure, but there is still a host of simple attacks we should be guarding against, says Rene Millman
The security industry likes to think it is in an arms race with cyber-criminals. These hackers are busy dreaming up the next new way of breaking into infrastructure and, as an industry, we try to find ways to defend ourselves from ever more esoteric dangers.
To a large extent this is true, but this does sometimes mean we overlook many of the threats we think we have already overcome. In the same way we have come to think of diseases such as tuberculosis as being defeated (it hasn’t and it’s still a major problem in some parts of the world), basic hacking practices can still yield results for criminals intent on stealing from organizations.
It makes sense for hackers to try something easy first when looking to gain access to infrastructure. The quick wins for these criminals can sometimes be overlooked by firms when it comes to deploying an IT security strategy.
Finding the Easy Way In
The path of least resistance is attractive to criminals. “Hackers are beginning to realize that security measures are becoming increasingly sophisticated,” says Boudewijn Kiljan, EMEA chief technology officer at Wave Systems. “This is why we are seeing fewer ‘full frontal’ attacks, and more that seek to go in through a credible sidedoor, such as an enterprise employee.”
Kiljan adds that this type of attack is becoming more prevalent, as this ‘middle man’ provides the gateway to a world of useful and lucrative information.
Richard Braganza, senior consultant at security consultancy firm Context Information Security, says that, in his experience, the path of least resistance usually involves going for the low-hanging fruit – in other words, the easy pickings that effortlessly bypass defenses and go unnoticed.
He gives the example of WiFi. When organizations set up corporate wireless networks they will tend to use the strongest security provided by Microsoft, as the security fits nicely with Windows domains. “This may sometimes be a mistake,” says Braganza. “That is unless special measures are taken.”
On the face of it, this looks secure as you have to enter the same credentials to get onto the wireless network as you would use normally to access the rest of the corporate network.
“It ticks all the boxes for users and IT to think the WiFi is secure. And therein lies the problem. This default use of Windows’ strong enterprise security for WiFi actually leaves the company completely wide open to anyone outside the building,” Braganza says. He adds that a user does not check who the WiFi network belongs to: “Anybody could set up a fake WiFi network with the same name and ask for user credentials. Once the attacker has the user credentials they can use them on the real WiFi network and, hey presto, they now have a foothold on the corporate network.”
Getting Social and Getting In
But it is not just the simple attacks on computers and networks we are still worried about; no amount of technology can adequately defend against social engineering attacks. Defcon ran a ‘social engineering’ capture the flag contest last year and the majority of ten major US companies targeted were happy to hand out information which would be useful reconnaissance for future attacks.
“A worst-case scenario to illustrate this would be the Target compromise where the refrigeration company they used was identified and targeted as a way into Target’s network, ultimately allowing hackers to breach point-of-sale terminals and steal details of millions of credit cards,” says Paul McEvatt, senior security architect at Fujitsu’s Security Operations Centre.
Social engineering has become the mainstay of modern cyber-attacks, whether directed en masse in phishing campaigns or specifically targeted in so-called ‘spear phishing’ attacks, according to Kevin O’Reilly, senior consultant at Context Information Security.
“The reason is that, as technology evolves and security holes in systems are closed, the weakest link in the chain remains the same: the human at the keyboard,” he says. “Piquing the curiosity or engendering trust with a carefully worded email is the most universally reliable way of eliciting the clicking of a link or the opening of a weaponized document leading to the installation of a malicious backdoor on a system.”
Malware writers may look to use web browser or email attack vectors – those that the enterprise has the least control over, says Kiljan. One of the most high profile cases of this type of attack was in relation to the RSA breach, which broke through the RSA’s SecureID token technology.
“The breach was caused by an email attachment, which was likely opened by an employee due to the promise of interesting information,” says Kiljan. Once the attachment was opened, it acted like a stepping-stone for malware to begin to infect the device and retrieve sensitive information. Upon creation of the connection, the hacker can gain remote access to all information stored or connected to the device and, at the end, to the IT infrastructure.
“This type of attack can occur in a distinct window, from when the vulnerable connection is first made to when developers can counter the attack with a counter-threat or patch,” adds Kiljan.
"We are seeing fewer 'full frontal' attacks and more that seek a credible sidedoor"Boudewijn Kiljan, Wave Systems
Something Old, Something New
Perhaps the main issue here is that while technology progresses in order to combat the latest threats, why can’t these protect against the more basic threats? Are the tighter defense mechanisms of more modern operating systems doing enough to deter cyber-criminals?
Modern operating systems have two problems they must deal with when trying to build a secure operating platform. Jeremy Demar, director of threat research at Damballa, says the first problem is that these operating systems are not completely new creations: “Even when a new version of your favorite one comes out it likely has a lot of code written decades ago,” he says.
The second issue is that users demand new features, functionality and backwards compatibility. “A good example of legacy code in modern systems is the Shellshock vulnerability,” says Demar. “This vulnerability first existed in code written in 1989.”
He adds that CVE-2014-6332 is a perfect example of what happens when you try to remain backwards compatible. “This exploit works on Internet Explorer from version 3 to 11; the code is only still around for backwards compatibility. Many times when an operating system tries to create proper defenses, users get upset and quickly find ways to turn it off. A good example of this one is the introduction of User Account Control (UAC) in Windows.”
Tackling the Problem
There is very much a need for security professionals to do more to tackle basic threats. Paul Glass, senior associate at international law firm Taylor Wessing says that, “To a degree, more can be done by security professionals, and the more sophisticated tools now available can prevent many low-level hacking approaches.” He adds that, “Risk assessment as to what data actually needs to be protected, and putting in place controls to achieve that without hampering the business, is key.”
Glass says that these steps need to be accompanied by education and awareness of employees, as IT tools are only part of the picture: “For example, spoof emails that look as though they come from another employee but actually contain a malicious link are almost always easily identifiable by employees, but will often not be caught by IT tools. GCHQ estimates that about 80% of known attacks would be defeated by embedding basic security techniques, and education is a key part of that process.”
Criminals threaten both consumers and enterprises, and while both attacks are similar in that they involve persuading the end user to click on a link or open an email attachment, the difference is in the malicious payload.
“For consumers, it tends to be a more crude threat aimed at the masses with a low expectation of click-through for a backdoor trojan that is only sophisticated enough to do its basic job without creating too much noise,” says Context’s Kevin O’Reilly.
“For the enterprise, the lure is often slicker with a more intelligently worded email appearing more trustworthy or with more context, leading often to a more advanced exploitation method (perhaps a rare and therefore more valuable zero-day vulnerability in a web browser or plugin) and almost always leading to a more advanced backdoor threat.”
Glass says that, at the enterprise level, there is usually a bigger prize, so the time put into more advanced social engineering can be worth it for a hacker. He adds that, “This is particularly the case if the target has access to large volumes of personal data, valuable commercial assets, or large volumes of credit cards or bank accounts, and a hacker can remain undetected, slowly extracting data, over a long period of time.”
Glass says that education remains key at an enterprise level; also critical are access to data (restricting access to only those who really need it) and the ability to quickly identify when security is compromised and take action. “As Target found out, having advanced security tools is of little use if the IT security team doesn’t use those tools to identify a threat.”
This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users