Breaches You Don’t Hear About
I think it’s fair to say that, over the decades, if the general public had been alerted to all the attempted terrorist attacks tracked down and prevented by intelligence – as opposed to just the ones they know about – they might be a little edgy…
It’s exactly the same with cybersecurity breaches. I tuned into a Cato Networks presentation along the lines of “three breaches you didn’t know about” via LinkedIn in my case, but here’s the generic link:
Some of the most interesting takeaways from the presentation – other than the breaches themselves – is that so many of the problems a) are age-old and b) could be so readily avoided. And we are talking big, well-staffed entities here, not some backwater business with a person and a dog running it. Though, looking at the some of the errors still being made by SecOps, it is entirely possible that a dog might do a better job, just by randomly pressing (a suitably sized) keyboard 😊
Still incredibly common are mis-configured security appliances (generally firewalls) and the never-ending issue of patch (mis)management. For all the talk of AI-driven, ultra-smart attack technologies, in many cases it is simple back doors – a la the 90s – that are left wide open for hackers to eStroll into that lead to the biggest breaches, whatever the nature of the attack.
Etay Maor, senior director of security strategy at Cato Networks, who delivers the presentation equally notes that supposed “modern” attack forms such as ransomware, are actually as decades old as the issues they exploit – 1989 in the case of ransomware in its earliest forms. Interesting that my first exposure to a security threat came a year earlier than that, when visiting Alan Solomon to interview him on the “new anti-virus” threat. I mean, we are talking floppy-disk based attacks back then; a decently aimed throw into the nearest rubbish bin would serve as a perfect security defence system!
Unsurprisingly, the first breach described was of a ransomware guise, but what is most interesting here is that an original attack on the same company took place 13 months previously and – meantime – the information extracted had been sold on to a new ransomware group, so the second – and recorded in this presentation – attack came from a totally different source (and with obvious evidence, but I’ll leave that with you to enjoy by clicking on that presentation link). An intriguing point Maor made, that you might not expect, is that the ransomware gang actually provides advice on how NOT to get breached! But, here’s what make you wonder what the security teams are doing to earn their $$$, when you look at the advice being proffered, obviously as a result of it enabling the attack in the first place. No, it’s not layers of complex requirements, but observations such as:
- Secure vulnerable ports
- Use proper passwords
- Write in a “real programming language
- Employ the right people
- Watch for misconfigured firewalls
I was going to say “hardly rocket science, is it” but noting that NASA still doesn’t appear to have cracked it either, probably best not to mention it… Or more to the point, they did crack it, but not in the right way!
The big problem for the SecOps guys though, as we’ve observed in this ‘ere blog before, is that the job of creating and maintaining a security strategy/infrastructure using the “nuts and bolts” approach that most business have over the past three decades, is essentially impossible. Maor notes that, on average, small businesses have around 20 multi-vendor security products to integrate and manage, mid-sized businesses up to 50, and large companies many more still. That is not a manageable scenario. Unless companies look at single service/supplier solutions, cyber bad boys will continue to milk the vulnerability cash cow.
It all boils down to a simple mantra that I have repeated more times than BBC has shown East Enders (possibly) and that is: “if you can’t see it, how can you secure it?” In other words, visibility is the key – and it always has been in networking, regardless of the nature of the task. Maybe the advice the ransomware guys offer their victims ought to be: “should have gone to Specsavers”!