Your security is obsolete
Security is a rapidly moving beast – faster than any other facet of the technology industry. We are in a constant battle with everyone from hackers to script-kiddies, from targeted data theft attacks to Denial of Service. Our security teams and network administrators are playing catch-up with the malicious operators. So, no matter what happens, your security is obsolete already. If you respond today and are fully up to date, by tomorrow, your security is obsolete again.
Security Training
Have your network administrators done security training? Let’s work backwards along the timeline: your company approved the training expense, and the students attended the course. Before that, the training company had to schedule and advertise the course, hire a trainer (who has probably never seen the course material before), and book a venue. Before that, the training company would have had someone develop the course and its materials, based on their knowledge and understanding of the security products that were available and released at the time – probably by reading the manual or trying out the product to see how it works. The course developer would depend on established knowledge and approaches, which are also the knowledge and approaches built into commercial software – after all, the course would be based on commercial software or other widely available products. These security products are likely to have been developed with a structured approach to software development, with products going through development cycles and testing. All of this would be based on known security exploits or attacks that had been detected and stopped – a known solution for the exploit is available.
The training that you have attended is probably 1 to 2 years out of date, based on known exploits and attacks.
Hackers also attend these courses and buy the same commercial software, such as anti-malware or security products. They also obtain the open source tools that your training courses guided you towards. They even buy the physical firewalls and security devices – so they can test their exploits against them and try to find a weakness. The difference is that they are unlikely to be constrained by corporate budgets and resource planning; their “day job” is not filled with bureaucracy or with needing to understand the intricacies of system interaction to deliver stakeholder benefits.
Catching Spam
If you have ever been involved in catching and blocking Unsolicited Commercial Email (UCE – known as Spam by everyone), you will know how crafty the spammers can be. In the late 00’s I was amazed by the creativity of spam that was designed to get through the pattern filters. The first spam filters looked for key words that would indicate that the email was undesirable, such as: “guaranteed money back”, “no obligation quote”, and “viagra”. So, the spammers simply changed their wording, as they could also see the word pattern matching in the commercial or free software. The spammers would then misspell words, put in a digit (“v1agra”), or put spaces between letters (in a smaller font). This was then added to the pattern matching by an update from the anti-spam companies, so the spammers would get more creative – one that I thought was clever was V<junk>1<gibberish>agr<junk>a – then when the HTML was rendered, the unknown tags would simply be ignored, and what was displayed for a human was different to what was matched by pattern matching.
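The defender’s answer to the tricks above is to match against what the recipient would actually see, not the raw bytes. The following is an added example (not code from the original post or from any anti-spam product): it strips every HTML tag, known or unknown, decodes entities, undoes digit-for-letter swaps and drops spacing before comparing against a blocked-phrase list. The sample messages, the blocked terms and the substitution table are constructed for the demo.

```python
import html
import re

# Constructed sample messages for the demo (not taken from the original post).
SAMPLES = {
    "tag_split": "Buy V<junk>1<gibberish>agr<junk>a today!",
    "spaced": "Get your <span style='font-size:1px'>v i a g r a</span> here",
    "entity": "Cheap &#118;&#105;agra, no obligation quote",
    "clean": "Meeting moved to 10:30, please bring the quarterly report",
}

# Phrases the filter looks for; stored as written, normalised at match time.
BLOCKED_TERMS = ["viagra", "guaranteed money back", "no obligation quote"]

# Digit/symbol substitutions used to dodge exact word matches (assumed table).
LEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

TAG_RE = re.compile(r"<[^>]*>")


def squash(text: str) -> str:
    """Reduce text to roughly what a human reads: strip tags (a browser ignores
    tags it does not recognise, so unknown tags vanish too), decode HTML
    entities, fold case, undo digit-for-letter swaps, drop spacing/punctuation."""
    text = TAG_RE.sub("", text)  # tags first, so a decoded &lt; can't become one
    text = html.unescape(text)
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", text)


def matched_terms(body: str) -> list[str]:
    """Return the blocked phrases present in the rendered form of the body."""
    rendered = squash(body)
    return [term for term in BLOCKED_TERMS if squash(term) in rendered]


def is_spam(body: str) -> bool:
    return bool(matched_terms(body))


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} spam={is_spam(body)!s:5} terms={matched_terms(body)}")
```

Because `squash` throws away all spacing, a multi-word phrase can also match across word boundaries in innocent text; in a real filter this normalised match would be one scored signal among several rather than a hard block.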
Spam is a great example to show the intent of malicious actors. They may send a million emails, and even if 90% of them are completely blocked, and only 0.01% of them are actually read by a user – that is still a hundred suckers to get a few dollars from. The cost of sending a million emails is tiny, compared to the return of even one successful deal.
Script kiddies
Most routine security attacks come down to script kiddies or bots – that is, repeated and routine probing attacks using known exploits and risk vectors. These script kiddies download penetration software or hacking tools and use well-established sequences of attempts – I remember seeing IIS logs showing exactly the same order of URL traversal, trying the same attempts several times a second – definitely scripted and not a person typing the paths.
These bots and script kiddies are still around, and still used. Why? Not because they are attacking you specifically: they are simply looking for any vulnerability to exploit – the same way a pickpocket looks for an easy wallet or bag in a crowd, they are looking for anyone, and so we still need to protect against these attacks, even though they are obsolete. The bot or script kiddie will simply put in a whole IP subnet and wait for success – they may not even know that your business is being probed, so you cannot claim security through obscurity.
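The scripted traversal probing described above has a simple signature in web server logs: one source address, many `..` path attempts, several per second. Here is an added example of that detection logic (not code from the original post or from IIS itself) run over a constructed IIS W3C-format log excerpt. The log lines, the source addresses (documentation ranges) and the thresholds are assumptions for the demo; it decodes percent-encoding repeatedly so double-encoded variants such as `%255c` are caught.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed IIS W3C-style log excerpt (not real logs from the post's author).
LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-05-01 10:00:00 203.0.113.5 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe 404
2019-05-01 10:00:00 203.0.113.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 404
2019-05-01 10:00:00 203.0.113.5 GET /msadc/..%c0%af..%c0%afwinnt/system32/cmd.exe 404
2019-05-01 10:00:01 203.0.113.5 GET /_vti_bin/..%5c..%5cwinnt/system32/cmd.exe 404
2019-05-01 10:00:01 203.0.113.5 GET /iisadmpwd/..%2f..%2fwinnt/system32/cmd.exe 404
2019-05-01 10:00:03 198.51.100.7 GET /products/list.asp 200
2019-05-01 10:00:09 198.51.100.7 GET /images/logo.gif 200
2019-05-01 10:00:15 192.0.2.9 GET /docs/../docs/index.html 200
"""

# ".." followed by anything that is not a letter or digit (/, \, or a
# replacement char left by an undecodable overlong UTF-8 sequence).
TRAVERSAL_RE = re.compile(r"\.\.[^A-Za-z0-9]")
MIN_ATTEMPTS = 3      # assumed thresholds for this demo
MIN_PER_SECOND = 2


def decode_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding like %255c), then
    treat backslashes as slashes, as IIS does."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)  # invalid bytes such as %c0%af become U+FFFD
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    # Append "/" so a trailing ".." is caught as well.
    return bool(TRAVERSAL_RE.search(decode_path(raw_path) + "/"))


def parse_iis(log_text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_scripted_probes(log_text: str) -> dict[str, dict]:
    """Per source IP: traversal attempt count, peak attempts in any one
    second, and whether the pattern looks scripted."""
    attempts = defaultdict(list)
    for rec in parse_iis(log_text):
        if is_traversal(rec["cs-uri-stem"]):
            attempts[rec["c-ip"]].append(rec["date"] + " " + rec["time"])
    report = {}
    for ip, stamps in attempts.items():
        peak = max(Counter(stamps).values())
        report[ip] = {
            "attempts": len(stamps),
            "peak_per_second": peak,
            "scripted": len(stamps) >= MIN_ATTEMPTS and peak >= MIN_PER_SECOND,
        }
    return report


if __name__ == "__main__":
    for ip, info in find_scripted_probes(LOG).items():
        print(ip, info)
```

The single `/docs/../docs/index.html` request from the third address is still reported as a traversal attempt but not as scripted; the rate, not the individual request, is what separates a bot working through a subnet from a stray link.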
The fallacy of security through obscurity
Many people think they are secure, because their business is not a big well-known brand – so people will not target them. The truth is that apart from the top 50 or so brands, almost all organisations are unknown in the countries and cultures that are the source of most hacking, script kiddies and bots – Russia, China, Iran, Turkey, Romania etc. – so almost everyone is obscure to the attackers.
In the same way that consumers do not protect their security because they think they are not worth hacking, businesses assume that no-one would want to target a small company of just a few hundred employees and low turnover. In reality, most hackers just want to find a vulnerable system – and it does not matter to them whether it is under a desk or in a datacentre, on a home ADSL link or on a 100 Gbps link – just that it is vulnerable and able to give them something.
You can make it harder to be a target of attacks by hiding the version and type of system you have, or by not having human readable names for systems, which will slow down a targeted attack – but not stop it.
The pointlessness of password changes
Are you still enforcing password changes? In a recent announcement from Microsoft:
Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
…If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration? …Periodic password expiration is an ancient and obsolete mitigation of very low value
This shows that even commonly held beliefs about security can be obsolete and no longer relevant in the modern world.
Why your security is out of date
Your security is out of date, but in some respects it needs to be. We all need to protect ourselves from being the easy victim in a crowd, and resist the known threats that are still being tried. However, the hackers and attackers are so far ahead of current products, practices and skills that you need to go further than just hiring experienced people and buying the latest tools.
Probably the best answer is Cloud. The people who work in security for cloud companies are ahead of the latest threats – they see many more examples of attacking attempts, and react to them. Who do you think writes the guides on how to protect from attacks? The people whose entire job it is to manage the security of cloud systems, 24×7, will be far ahead of what any of your team can do.