SYDNEY – Australia’s defence department says organizations need to be more proactive if they expect to ward off attackers that readily exploit the high levels of trust usually reserved for employees and known systems.
Speaking at this year’s AusCERT security conference, Paul Chamberlain from the department said even if your organization doesn’t have sensitive information “you still have people to pay and an attacker could end up on your payroll.”
“Before you move to latest and greatest technology have all your bases covered,” he said.
“Cyber criminals are generally motivated by profit or they could be issue-motivated groups that wish to penetrate your network for their own goals. There is the risk of a denial of service and theft of customer data, and there’s also proprietary data your company will hold, for example, a press release you are about to release in a week or two.”
What is the attacker going to do? Harvest as much information about the organization, and its people, for starters.
“They need to know all they can about your organization. It turns out it’s easy to find out who works at your organization, there’s Google, social networking Web sites, public company information, and what you post to your public Web site, like job ads.”
In addition to gathering public information, attackers can still use technical measures, from DNS guessing, port scanning and service emulation, to cracking external services like Citrix gateways, VPNs, and Outlook Web Access.
“From there you take this information and look for entry points,” Chamberlain said. “It doesn’t need to be a zero-day exploit as it is more likely to be targeted at users. An attacker will rely on one user to receive a malicious word document for code execution to happen and the risk grows as the organization grows.”
Chamberlain said even if there is only a 10 percent chance per user, a small organization may fail a user-targeted security incident over time, and, to make matters worse, an unsuccessful attempt may only look like spam, meaning users will most likely not be alerted to the danger.
“Once remote code has been executed all the person’s e-mail and other information can be read,” he said. “The attacker may move to another target once inside the organization by using Windows or Linux tools to move around so it’s often built right in to the network.”
As for dedicated security systems, these may also fail to stop penetration as the attack can use accepted protocols like HTTP, SSL, DNS and SMTP, so to a firewall it looks like regular traffic.
“An attack could use local admin privileges and the implicit trust your network will have inside your gateway,” Chamberlain said. Given attacks are likely to be multi-pronged, what do you do? Chamberlain said there is no one product or method so “it’s all about managing your trust relationship”.
“Do you need your intranet to be unauthenticated? It’s about identifying your important data and how to protect it. It’s about defense everywhere on your network. If a privilege isn’t needed you shouldn’t have it.”
Chamberlain recommends organizations start with the security policy and develop a clear understanding of what users are meant to be doing because without a clear idea of who’s allowed to do what “you won’t be able to identify what has happened.”
“For example, patch management is almost a solved problem, but you have to make sure it’s turned on,” he said. “Process whitelisting can cut down on code execution.”
Other recommendations include knowing what to look for in log analysis. “Look for abnormal patterns. How many e-mails does your network receive each week? If there is a spike there may be a compromise. When you know what your network traffic is you can identify anomalies.”