Security Depends On The Devious Human Touch
Hacking has become a dark, heavily financed force and digital defences alone are no longer enough to hold it at bay, says Eric Doyle
Is it just my paranoia as a security pundit or are the bad guys winning the hacking battle at the moment? Ever since Stuxnet there seems to be no end of stories about hacks, leaks, massive attacks and shady “mafia” and nation state subversive activities.
Symantec’s mid-term Internet Security Threat Report shows that the advent of cloud technologies to bring affordable, untold power to businesses is being mirrored by the anti-cloud – a network of online services that offer a black marketplace for products and services.
The Dark Side Of The Market
A measure of the growing sophistication of the market is the fact that many of the “companies” involved have logos for their products – partly because some of them are actually penetration testing tools which can easily be configured for use as a weapon. The ambivalent nature of the products allows true malware to be sold openly with the proviso: “This program is developed for educational and research purposes. The developers accept no responsibility for its illegal use and liability rests with the customer”.
Apart from this gloss of respectability, the companies are now publishing competitive pricing structures in their battle for customers. Multiple installs of the Zeus Trojan on a single computer cost up to £5,000 with modules available for between £300 and £1,250. Golod, a Russian botnet loader/encryption system for Windows, costs a basic £370, with free upgrades, but also offers unlimited support around the clock for customers paying an extra £550.
Added to this we have covert gangland plotting and international espionage creating an environment that makes the Wild West look tame.
Despite all of the crowbars and sledgehammers in the hacking toolshed, it is often unnecessary to blow the doors off when gentle persuasion can open them without waking up the IT guard dogs.
EMC’s RSA Security found this out to its cost when a poisoned spreadsheet was cast out to its lower-grade employees in a phishing attack. Floor-level workers are considered more vulnerable to attack because they are generally less aware of security issues but their security clearance is also at the base level which sounds like a suitable damage-limitation policy.
Unfortunately for RSA , that was probably the reasoning that started the problem. Once one of the employees opened the phishing mail containing the spreadsheet, the hackers were able to install a Trojan. This meant that password details of any employee accessing the email ware passed on to the hackers and, through more social engineering and hacking from inside the company’s networks, the attackers were able to escalate their security levels.
Stealth and persistence paid off and soon they were into RSA’s secret stash of SecurID seeds like rats up a drainpipe.
It seems that RSA’s mistake was the common one of assuming that securing the “doors and windows” would protect the corridors of the internal network. It’s similar to fixing locks and bolts on a house and not having an internal motion detector – or not checking that the system is working properly.
It is likely that RSA had log management systems in place but they were not being checked and analysed properly. Judging by the speed with which the company has been able to produce a forensic report on the attack implies that all the clues were there.
Battle Of Wits
Security is a battle of wits against hordes of very bright and cunning adversaries which cannot be overcome by technology alone. Traffic and access monitoring is needed, alarms need to be set to warn of unusual activity. But this will all be for nothing if visual checking is ignored.
Computers are great at crunching numbers and finding where these figures don’t add up as they should. It makes them seem intelligent but they work on logic. Hackers don’t.
Attackers are masters of illogic. Take a fuzzing attack as an example. It hits a system with all manner of nonsensical data until the servers or firewalls appear to “blink”. Once this happens, the hacker brings learning and ingenuity to bear on how this can be used to their advantage. It requires a similar devious intelligence, that only the human brain is capable of, to combat it by spotting the signs and out-manoeuvring the forces ranged against the company.