If I have to make one prediction for 2008, it is that we will see an increase in reports of targeted attacks against organisations of all sizes and types. That such attacks are already happening goes without saying, because penetrating the average corporation appears to be child's play for a skilled attacker.
To remind myself of exactly how easy it can be, I was re-watching a webcast presentation given by one Marcus Murray at this year's Tech-Ed. This is must-see viewing, with some great practical examples of inserting trojans onto the network, sniffing wireless networks, and a fascinating demonstration of compromising a domain administrator account using just the stolen password hash (no cracking required: the hash itself is replayed as the credential).
Marcus makes the observation that networks are not hacked because the operating systems are poor, but because of the way they are usually configured. This is a message I’m continually pushing out within my own organisation: you must patch (and not just the Microsoft stuff – patch everything!), you must become very fussy about change control, you must monitor IDS/IPS logs, and you must test your network from the outside.
Even then you can still be compromised the moment somebody clicks a link in an email and inadvertently installs a trojan. The above-mentioned presentation demonstrates in stark detail how this is done, and also shows how the trojans are built so that desktop anti-virus controls are never triggered in the process.
Bruce Schneier wrote two years ago about an increase in targeted attacks:
We are seeing a decline in the “noisy” brute-force vulnerability scanning that hobbyist hackers tended to favor, and an increase in more targeted, stealthy, and sophisticated scanning.
The predominant targets back then were financial institutions. Today it is likely to be any organisation that values its data. One recent example, as reported here, is Oak Ridge National Laboratory, which experienced a sophisticated cyber attack that appeared to be “part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country.”
The reality is that sooner or later something we don’t want will get into the network, and we should plan on that assumption. We can reduce the risk by working through the control areas (Internet access, remote access, wireless networks, device management processes and so on) and making sure the basic tasks, logging above all, are actually being performed, and that the right controls are in place: an IPS between the wireless and wired networks, and monitoring for rogue access points. We also need to get better at protecting data in situ with encryption, and at making sure our incident response processes are well rehearsed.
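As an illustration of the rogue access point monitoring mentioned above, here is a small check written for this post (it is an added example, not Marcus Murray's material or anything the original post contained). It compares a wireless scan against an inventory of the access points we actually deployed and flags three things a practitioner cares about: an unknown radio advertising our corporate SSID (an evil twin), an authorised radio advertising the wrong SSID (misconfigured or a spoofed BSSID), and unknown radios that are loud enough to be inside the building rather than in the office next door. The SSID names, BSSIDs, signal threshold and scan records are all constructed sample data.

```python
"""Rogue access point check against an authorised-AP inventory.

Added example for illustration; the inventory, SSIDs, threshold and the
scan below are constructed, not taken from any real network.
"""
from dataclasses import dataclass

CORPORATE_SSID = "corp-wifi"   # assumed name of the sanctioned network
STRONG_SIGNAL_DBM = -60        # assumed threshold: louder than this is probably on-site

# Constructed inventory: BSSID -> (SSID it should advertise, where it is mounted)
AUTHORISED_APS = {
    "00:11:22:33:44:01": ("corp-wifi", "floor-1"),
    "00:11:22:33:44:02": ("corp-wifi", "floor-2"),
    "00:11:22:33:44:03": ("corp-guest", "lobby"),
}


@dataclass(frozen=True)
class Observation:
    """One beacon seen by a wireless sensor or a laptop scan."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def classify(obs, authorised=AUTHORISED_APS, corporate_ssid=CORPORATE_SSID,
             strong_dbm=STRONG_SIGNAL_DBM):
    """Return a verdict string for a single observation.

    authorised     - known radio, advertising the SSID we expect
    ssid-mismatch  - known radio, wrong SSID (misconfiguration or BSSID spoofing)
    evil-twin      - unknown radio advertising the corporate SSID
    unknown-strong - unknown radio, signal strong enough to be on our premises
    unknown-weak   - unknown radio, weak signal, probably a neighbour
    """
    bssid = obs.bssid.lower()
    if bssid in authorised:
        expected_ssid, _location = authorised[bssid]
        return "authorised" if obs.ssid == expected_ssid else "ssid-mismatch"
    if obs.ssid == corporate_ssid:
        return "evil-twin"
    if obs.rssi_dbm > strong_dbm:
        return "unknown-strong"
    return "unknown-weak"


def find_rogues(scan, **kwargs):
    """Map every non-authorised BSSID in the scan to its verdict."""
    verdicts = {}
    for obs in scan:
        verdict = classify(obs, **kwargs)
        if verdict != "authorised":
            verdicts[obs.bssid.lower()] = verdict
    return verdicts


# Constructed scan output, as a sensor walk-through might produce it.
SCAN = [
    Observation("00:11:22:33:44:01", "corp-wifi", 1, -48),
    Observation("00:11:22:33:44:02", "corp-wifi", 6, -55),
    Observation("00:11:22:33:44:03", "corp-guest", 11, -62),
    Observation("AA:BB:CC:DD:EE:01", "corp-wifi", 6, -50),        # evil twin on our SSID
    Observation("DE:AD:BE:EF:00:01", "linksys", 1, -43),          # loud unknown AP: likely plugged in by staff
    Observation("66:77:88:99:AA:BB", "CoffeeShopGuest", 11, -85),  # faint, next door
]

if __name__ == "__main__":
    for bssid, verdict in find_rogues(SCAN).items():
        print(f"{bssid}  {verdict}")
```

The signal threshold is a heuristic and needs tuning per site; the point of separating "unknown-strong" from "unknown-weak" is to keep the team from chasing every café hotspot within range while still treating a loud unknown radio on the corporate floor as something to physically locate.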
My only other prediction for the year ahead is that it’ll be business as usual and more of the same. Our CIOs and business strategists might be getting themselves all hot under the collar about web 2.0, social networking and virtual worlds, but you know and I know that we’ll continue to have plenty of work to do as all the same old mistakes get remade in slightly new and unusual ways…