Cyber Crime (Part 3) – what a common hacking scenario could look like…
As promised in my last blog, I want to continue with my story. In this next entry of my blog series about Cyber Crime, I want to describe what common attack scenarios could look like and what you can do to prevent such attacks, or at least minimize their impact.
First and foremost, it is important to know what we are up against. Security is only effective when we know what we are trying to defend against, so here is a list of the most common attack paths used to break through security. Most attacks follow a similar approach, using one or more of the following steps…
Social engineering plays on the confidence of people to gain privileged information. When confronted with a “person of authority”, people tend to give out information such as passwords freely. This works because the targeted victim feels that the person asking has a right to know or needs the information to complete an important task, such as repairing a “compromised” computer or ensuring that a big deal is finalized. Many experts have claimed that this is the most effective technique available to obtain access to systems or personal information, as the effort expended is small in comparison to the payoff.
Phishing & Spearphishing
Standard phishing involves sending out an official-looking email to thousands of users in the hope that one or more will be careless and open the attached file or link, releasing the malware program. The mails are usually formulated to prey on the fear and doubt users have that something has gone wrong and that they need to enter their login information/passwords to access their account and fix whatever has gone wrong.
Spearphishing is similar to phishing except that a single user in an organization is targeted, using personal information that the hacker has obtained during the reconnaissance phase. Such mails look far less suspicious than standard phishing mails and are most likely to be quickly trusted by the user.
Usually in combination with a phishing attack, mails containing attachments harboring malware are opened by unsuspecting or careless users, allowing hackers to gain control of the user’s computer to view passwords and search through stored documents. Spyware, adware, viruses, worms, and trojans are all common forms of malware.
Each system has weaknesses, and software publishers are always trying to find these weaknesses and inform their customers about them. Unfortunately, hackers find out this information as well. Systems that aren’t regularly patched or updated, or not properly maintained over time, are susceptible to such attacks. Fortunately, such attacks can be defended against via patching.
The strongest door in the world is useless if the lock is cheap – authentication that is poorly implemented or designed is as good as leaving the door open.
Weak and/or easy-to-guess passwords are the most prominent factor in this type of attack. Passwords that appear as words in a dictionary are also at fault. Not having an automatic lockout after a certain number of failed password attempts allows hackers to use cheap and simple brute-force attacks. Insecure password reset mechanisms with weak or easy-to-guess security questions are easy to bypass, particularly in combination with personal information found on the Internet.
As you already know, there are many other ways, such as SQL injection, cross-site scripting, cross-site request forgery, HTTP header manipulation, etc., that were not listed here but could also harm your company.
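To make the authentication points above concrete, here is an added example (not code from the original blog post) of the two controls just described: rejecting dictionary-based passwords before they are set, and locking an account after repeated failed logins so that brute force becomes impractical. The word list, the user names and the credential store are constructed for illustration; the thresholds are assumptions, not recommendations from the post.

```python
"""Added example: basic authentication hardening controls.

Not part of the original blog post. The word list, users, credentials and
thresholds below are constructed for illustration only.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed mini dictionary; a real deployment would load a large word list.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "dragon"}

MIN_LENGTH = 12             # assumed minimum password length
MAX_FAILURES = 5            # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration


def password_weaknesses(password: str) -> list[str]:
    """Return the reasons a candidate password is weak (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip digits and punctuation so "Summer2013!" still matches the word "summer".
    core = "".join(ch for ch in password.lower() if ch.isalpha())
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    if password.isdigit():
        problems.append("digits only")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash, so a stolen credential store cannot simply be
    reversed with a dictionary. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class LoginGuard:
    """Tracks failed attempts per account and locks the account after MAX_FAILURES.

    The clock is injectable so the lockout expiry can be tested without waiting.
    """

    def __init__(self, store: dict[str, tuple[bytes, bytes]], clock=time.monotonic):
        self.store = store                      # username -> (salt, digest)
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}
        self.clock = clock

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user, 0.0)
        if until and self.clock() < until:
            return True
        if until:                               # lockout expired: reset the counters
            self.locked_until.pop(user, None)
            self.failures.pop(user, None)
        return False

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        Unknown users get the same answers as wrong passwords, so the response
        does not reveal which accounts exist.
        """
        if self.is_locked(user):
            return "locked"
        salt, expected = self.store.get(user, (b"", b""))
        _, candidate = hash_password(password, salt or os.urandom(16))
        if user in self.store and hmac.compare_digest(candidate, expected):
            self.failures.pop(user, None)       # successful login clears the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(password_weaknesses("Summer2013!"))
    guard = LoginGuard({"alice": hash_password("Correct-Horse-Battery-9")})
    for _ in range(6):
        print(guard.attempt("alice", "wrong"))
```

The lockout counter is what turns a cheap online brute-force attempt into a slow one; the dictionary check and the salted hash are the complementary controls against guessing and against an offline attack on a stolen password store.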
Now that I have shown some of the more common methods to gain access, let’s simulate an attack on our systems:
ℹ This attack begins with an unsuspecting HR employee receiving an email addressed directly to her, with an attached document supposedly containing information regarding layoffs in 2013. She opens the document, only to find that there is no content. The mail gets deleted and she goes about her daily business.
❗ What she doesn’t know is that the attachment also contained a malware program that, via a weakness in a commonly used application, inserts and activates a Remote Access Tool allowing the hacker to gain access to her computer and view unauthorized information such as sensitive employee files and personal information about the Executive Board members…
- The compromised computer is used to conduct a port scan and to search for vulnerabilities in the network, further victims, and interesting data. Once this is accomplished, the hacker uses this entry point to gather sensitive information.
- Once the information has been collected, the hacker encrypts what he has found and safely stores it away on an FTP server in another country, to be sold to the highest bidder.
- At this point, the company discovers the attack and a search is underway to discern the severity of the attack and to know what information has been taken…
As you can imagine, this is a disastrous scenario, but certainly not an unrealistic one when no suitable security strategy has been formulated and implemented.
Let us take a look at the outcome of this scenario using the recommendations from my last blog entry:
➕ The HR employee has been well trained to be suspicious of such mails, especially when they come from a source she doesn’t know, so the mail is brought to the attention of IT Security and not opened. Even if it had been opened, the attachment would have been ineffective, as it would have been blocked to begin with.
➕ Vulnerability controls, such as limiting administrative access on end-user computers, prevent the application from being used as a launch point for the malware. Using the information gained through intelligence gathering, Intrusion Detection/Prevention systems block communications to known bad hosts.
➕ The SIEM solution would detect the port scan, which would connect the infected system to a specific user, who would be contacted and told what to do. Meanwhile, the system itself would be quarantined, sealing it off from the network and preventing infection of other systems.
➕ The Security Monitoring Center would have immediately noticed the suspicious port scan and would have activated IT Security teams to locate the source of the activity and stop it. Knowledge of suspicious and malicious domains would allow access to be blocked, preventing the company’s intellectual property (IP) from leaving the network.
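The two monitoring steps above, the SIEM detecting the port scan and tying the infected system to a user, and the block on communication to known bad hosts, come down to simple correlation over network logs. The following is an added example (not from the original blog post or any real SIEM product) that runs such a correlation over constructed firewall log lines: it flags an internal host that touches many distinct ports within a short window, flags any connection to a destination on a threat-intelligence blocklist, and enriches each alert with the responsible user from an asset inventory. The log format, addresses, host names, user names, blocklist and thresholds are all constructed for this illustration.

```python
"""Added example: simplified SIEM-style correlation over firewall logs.

Not part of the original blog post. Log format, IP addresses, host names,
users, blocklist and thresholds are constructed for illustration only.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed firewall log, one event per line:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
FIREWALL_LOG = """\
2013-04-02T09:15:01 10.0.5.23 -> 10.0.9.10:21 ALLOW
2013-04-02T09:15:02 10.0.5.23 -> 10.0.9.10:22 ALLOW
2013-04-02T09:15:03 10.0.5.23 -> 10.0.9.10:23 DENY
2013-04-02T09:15:04 10.0.5.23 -> 10.0.9.10:25 DENY
2013-04-02T09:15:05 10.0.5.23 -> 10.0.9.10:80 ALLOW
2013-04-02T09:15:06 10.0.5.23 -> 10.0.9.10:135 ALLOW
2013-04-02T09:15:07 10.0.5.23 -> 10.0.9.10:139 ALLOW
2013-04-02T09:15:08 10.0.5.23 -> 10.0.9.10:443 ALLOW
2013-04-02T09:15:09 10.0.5.23 -> 10.0.9.10:445 ALLOW
2013-04-02T09:15:10 10.0.5.23 -> 10.0.9.10:1433 DENY
2013-04-02T09:15:11 10.0.5.23 -> 10.0.9.10:3389 ALLOW
2013-04-02T09:15:12 10.0.5.23 -> 10.0.9.10:8080 DENY
2013-04-02T09:16:40 10.0.7.4 -> 10.0.9.10:443 ALLOW
2013-04-02T09:17:02 10.0.7.4 -> 10.0.9.11:445 ALLOW
2013-04-02T09:40:05 10.0.5.23 -> 203.0.113.77:21 ALLOW
"""

# Constructed asset inventory (ip -> (hostname, assigned user)) and blocklist.
ASSET_INVENTORY = {
    "10.0.5.23": ("HR-WS-017", "m.mustermann"),
    "10.0.7.4": ("FIN-WS-003", "j.doe"),
}
KNOWN_BAD_HOSTS = {"203.0.113.77"}   # documentation address standing in for threat intel

SCAN_PORT_THRESHOLD = 10   # distinct (host, port) targets within the window
SCAN_WINDOW_SECONDS = 60


def parse_log(text: str) -> list[tuple[datetime, str, str, int, str]]:
    """Parse the constructed log format into (time, src, dst_ip, dst_port, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action))
    return events


def detect_port_scans(events) -> dict[str, int]:
    """Return {src_ip: max distinct targets} for sources that hit at least
    SCAN_PORT_THRESHOLD distinct (dst, port) pairs inside a sliding window.
    Denied attempts count too: a scanner probes closed ports as well."""
    by_src: dict[str, list] = defaultdict(list)
    for ts, src, dst_ip, port, _ in events:
        by_src[src].append((ts, dst_ip, port))
    alerts: dict[str, int] = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits the time budget.
            while (hits[end][0] - hits[start][0]).total_seconds() > SCAN_WINDOW_SECONDS:
                start += 1
            distinct = {(d, p) for _, d, p in hits[start:end + 1]}
            if len(distinct) >= SCAN_PORT_THRESHOLD:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_bad_destinations(events) -> list[tuple[str, str]]:
    """Return sorted (src, dst) pairs for traffic to blocklisted hosts."""
    return sorted({(src, dst) for _, src, dst, _, _ in events if dst in KNOWN_BAD_HOSTS})


def enrich(ip: str) -> dict[str, str]:
    """Attach host name and user from the inventory so the alert names a person."""
    host, user = ASSET_INVENTORY.get(ip, ("unknown-host", "unknown-user"))
    return {"ip": ip, "host": host, "user": user}


def build_alerts(text: str) -> list[dict]:
    """Run both detections over a log and return enriched alert records."""
    events = parse_log(text)
    alerts = []
    for src, count in detect_port_scans(events).items():
        alerts.append({"type": "port_scan", "targets": count, **enrich(src)})
    for src, dst in detect_bad_destinations(events):
        alerts.append({"type": "known_bad_destination", "destination": dst, **enrich(src)})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(FIREWALL_LOG):
        print(alert)
```

The enrichment step is what lets the monitoring team contact the right user and quarantine the right machine; without an up-to-date inventory, an alert names only an address. The blocklist check is the same logic an IDS/IPS applies in line, here shown retrospectively over the log.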
As you can see, the attack is stopped at each stage thanks to the far-reaching security measures defined by the IT Security Strategy. This is only possible because management recognizes the value of having such methods and tools in place, and their implementation is supported at the highest levels.
To give you a bigger picture of what a central Security Team has to consider, in my next blog I want to describe what you should take into account when defining an IT Security Management process.