Organisations such as UK phone and broadband provider TalkTalk claim to take security seriously and have made significant investments in cyber defences, and yet still fall prey to data breaches.
The reason is that organisations, including large and well-resourced ones, are failing in several key basic areas, according to former hackers Cal Leeming and Darren Martyn.
Leeming is a security advisor and risk mitigation professional, but in a previous life he became the UK’s youngest convicted hacker after being arrested for hacking at the age of 12.
Martyn is a security researcher and engineer. After being arrested in 2012 for his involvement with hacking group LulzSec, he went on to use his skills to help protect companies across the world.
Basic failings expose most organisations to cyber risks, they told Computer Weekly, citing as an example the fact that the TalkTalk hackers used SQL injection, a well-known and long-understood technique.
One of the biggest problems, however, continues to be compromised passwords, says Martyn, who breaks into organisations as part of enterprise network security assessments.
The easiest way into any organisation, he says, is to search online for people’s usernames and passwords exposed in previous breaches and try them against the work environment.
“You don’t need to do anything complicated or fancy when someone in the organisation somewhere has re-used their work password on LinkedIn or MySpace with a leaked database out there,” says Martyn.
“If a business is sufficiently large enough you are going to get in. There is nothing spectacularly complicated required.”
Once an attacker has a valid password, they do not need to defeat the firewall or any other security system: they authenticate as the employee they are impersonating and inherit that employee’s access to corporate systems, so every control that lets the legitimate user through lets the attacker through too.
Phishing for passwords
Another easy way to gain unfettered access to corporate networks, applications and systems is to use a phishing email to trick employees into revealing their usernames and passwords.
“It is simple stuff. If you send a phishing email to every single employee, you are going to get in, that is pretty much guaranteed. From an attacker’s point of view, that is usually the cheapest and easiest way to go about things,” says Martyn.
Default credentials are another golden opportunity for attackers. Organisations routinely install new kit such as routers and switches but fail to change the default passwords set by the manufacturers. They do not realise that these default passwords are easy for attackers to find with a simple internet search.
If further credentials are required, hackers will typically capture password hashes from network traffic generated by client applications using the server message block (SMB) protocol to read and write files or to request services from server applications. A hash is a one-way digest rather than an encrypted password, so it cannot simply be decoded, but the challenge-response values that Windows clients send when they authenticate over SMB can be captured and attacked offline.
Hackers then crack those hashes by guessing candidate passwords until one reproduces the captured value. The recovered passwords are used to access more systems and, crucially, to elevate privileges where a stolen or cracked password belongs to an administrator.
“Gaining administrative privileges usually does not take long, but if people used something like two-factor authentication and a password manager it would make an attacker’s life infinitely more difficult because they couldn’t rely on credential re-use and phishing as they would still need the second factor,” says Martyn.
“After [you do] that, then [you can] go about stuff like configuring mail filters to block phishing attempts, but you have to get the basics down first – kill off credential re-use by introducing appropriate policies and technical controls.”
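One concrete technical control against the re-use problem Martyn describes is to screen every new password against known breach dumps without handing the password, or even its full hash, to whoever holds the corpus. The Python below is an added example, not code from the article or from either interviewee; it models the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords service on a constructed, offline corpus: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 locally. The sample corpus, the 12-character minimum and the function names are assumptions made for illustration.

```python
import hashlib
from collections import Counter
from typing import Dict, List

PREFIX_LEN = 5    # the range API is queried with only the first 5 hex chars of SHA-1(password)
MIN_LENGTH = 12   # example policy threshold; an assumption, not a figure from the article


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(breached_passwords: List[str]) -> Dict[str, List[str]]:
    """Index a breach corpus the way a range service serves it: prefix -> ['SUFFIX:COUNT', ...].
    Built here from a constructed list so the example runs offline."""
    counts = Counter(sha1_upper(p) for p in breached_passwords)
    ranges: Dict[str, List[str]] = {}
    for digest, n in counts.items():
        ranges.setdefault(digest[:PREFIX_LEN], []).append(f"{digest[PREFIX_LEN:]}:{n}")
    return ranges


def query_range(ranges: Dict[str, List[str]], prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: the server learns only the 5-character prefix and returns
    every suffix under it, so it cannot tell which password (if any) the client is checking."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("a range query carries exactly the first five hex characters")
    return "\n".join(sorted(ranges.get(prefix, [])))


def breach_count(password: str, ranges: Dict[str, List[str]]) -> int:
    """How many times the password appears in the corpus; the full hash never leaves the client."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in query_range(ranges, prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable(password: str, ranges: Dict[str, List[str]]) -> bool:
    """Password-setting policy: long enough and never seen in a breach."""
    return len(password) >= MIN_LENGTH and breach_count(password, ranges) == 0


# Constructed corpus standing in for leaked credential dumps (not a real breach).
SAMPLE_CORPUS = ["password", "password", "123456", "Welcome1", "Summer2017!", "Summer2017!", "letmein"]
SAMPLE_RANGES = build_ranges(SAMPLE_CORPUS)

if __name__ == "__main__":
    for pw in ["Summer2017!", "correct horse battery staple", "xK9!qz"]:
        print(f"{pw!r}: seen {breach_count(pw, SAMPLE_RANGES)}x, acceptable={acceptable(pw, SAMPLE_RANGES)}")
```

In production the `query_range` stand-in becomes an HTTPS request to the range service and the check runs wherever passwords are set or changed (directory password filters, identity providers, application sign-up forms); the property worth keeping is that the request carries the prefix alone.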
Preventing stolen credentials from being used to reach corporate systems is extremely important, but many organisations still fail to do it. That failure renders costly intrusion detection systems (IDS) useless, because a remote login with a valid username and password looks like normal activity.
Once hackers hold legitimate credentials, they can typically take an inventory of an organisation’s assets because they are free to move anywhere on the network. This reflects another common basic failure: networks are not segregated to ensure that only appropriate people can reach sensitive data sets.
Many organisations use virtual local area networks (VLANs), which not only allow geographically dispersed network nodes to communicate as if they were on the same physical network, but also allow network administrators to partition their networks to match the functional and security requirements of their systems. But there is seldom any VLAN segregation, says Martyn.
“Flat networks are depressingly common. Few businesses attempt to segregate assets, which is usually because non-IT people typically complain about not being able to access stuff. IT staff tend to take the easier route of having a flat network because there are fewer complaints.”
A related failing is that few organisations know exactly what their most important data assets are and where they are on the network.
“We often discover that enterprises will protect something such as a client database, but will completely overlook an accountancy server that could provide an attacker access to all sorts of financial and employee information,” says Martyn.
“You end up having to explain to them that the attacker will care less about their clients’ list than information that will enable them to transfer money into accounts they control. Typically, you have to get across to them where the actual risk is, and that is often different to where the perceived risk is.”
Vulnerabilities in commercial applications are another risk that enterprises typically overlook. Most are unaware, for example, that attackers can abuse some features of Microsoft Outlook and Exchange to install malware on enterprise laptops.
“Outlook’s mail rules enable attackers to create malicious mail rules. All attackers have to do is log in to a mail server using stolen credentials, push a malicious mail rule to the server and, when their Outlook client syncs with the server, it will download the mail rule and execute it if certain conditions are met,” says Martyn.
“So you can run code on their computer and completely compromise the end-point device, but a lot of enterprises don’t realise this. People are surprised when I use this method to get into places. But essentially I am just using a feature of Outlook, which is just one of many interesting, poorly thought-out functionalities in business applications.”
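The rule abuse Martyn describes starts with a rule being pushed to the mailbox server with stolen credentials, so reviewing rule-creation audit records is the practical detection. The Python below is an added example, not code from the article or from Martyn; it runs over constructed records shaped like simplified Exchange mailbox-audit entries (the field names, the internal domain `corp.example`, the IP addresses and the mailbox addresses are all assumptions) and flags the combinations a planted rule tends to have: forwarding or redirecting mail outside the organisation, deleting the message so the user never sees it, and a blank or one-character rule name.

```python
import re
from typing import Dict, List

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the organisation's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records shaped like simplified Exchange mailbox-audit entries (not real logs).
SAMPLE_RECORDS = [
    {"UserId": "jsmith@corp.example", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@mail.example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "amiller@corp.example", "Operation": "New-InboxRule", "ClientIP": "10.0.5.21",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "RedirectTo", "Value": "[SMTP:team@corp.example]"}]},
    {"UserId": "jsmith@corp.example", "Operation": "MailItemsAccessed", "ClientIP": "10.0.5.21",
     "Parameters": []},
]


def _params(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list of one record into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_addresses(value: str) -> List[str]:
    """Pull addresses out of a parameter value and keep those not in our own domains."""
    return [a for a in ADDRESS_RE.findall(value) if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def rule_findings(record: dict) -> List[str]:
    """Reasons a single rule-creation/modification record looks malicious (empty list if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    findings = []
    for name in sorted(EXFIL_PARAMS.intersection(p)):
        external = _external_addresses(p[name])
        if external:
            findings.append(f"{name} sends mail outside the organisation: {', '.join(external)}")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("DeleteMessage is set, which hides the rule's activity from the mailbox owner")
    if len(p.get("Name", "").strip()) <= 1:
        findings.append("rule name is empty or a single character, a common sign of a planted rule")
    return findings


def triage(records: List[dict]) -> List[dict]:
    """Run rule_findings over an audit export and keep only the records with findings."""
    alerts = []
    for r in records:
        findings = rule_findings(r)
        if findings:
            alerts.append({"user": r.get("UserId"), "client_ip": r.get("ClientIP"), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert["user"], "from", alert["client_ip"])
        for finding in alert["findings"]:
            print("  -", finding)
```

The client IP on a flagged record is worth keeping in the alert: a rule created from an address the user has never logged in from is the credential-theft case the article describes. The check covers only what the server records about a rule's actions; it is not a substitute for hardening the Outlook client itself.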
To identify and mitigate or avoid these risks, he says some form of security testing should form part of any enterprise software procurement process. Enterprises should look for features that are, in effect, security vulnerabilities and go back to the supplier to find out if that functionality can be fixed or at least turned off.
In the future, Martyn would like to see the introduction of a quality assurance symbol for business software that gives purchasers assurance that the product has been rigorously tested and has no obvious vulnerabilities that attackers can exploit.
“Enterprises need to start treating the security side of it as a minimum requirement in the same way they treat functionality. Security should be one of the things that they look at when deciding whether or not it meets their business requirements,” he says.
In the past, there has been little or no incentive for enterprises to add cost to the procurement process and risk delays in implementation, but Martyn believes the General Data Protection Regulation (GDPR) will help in this regard.
“The GDPR may be enough of an incentive because the penalties for breaches are so high, which may be enough to encourage companies to spend the extra bit of cash and time during the procurement phase to validate that stuff is at least somewhat secure to avoid more pain later,” he says.
Customised code ignores security
But commercial off-the-shelf applications are not the only software security challenge. Many organisations are commissioning customised code or creating it themselves, but with little or no regard for security.
“A lot of the time these software development teams are not following good practices or standard practices, and they are typically rushing this code into production,” says Leeming.
“Devices and services for the IoT [internet of things] is a good example of an area where everyone is jumping on the bandwagon and putting a computer on everything, but not really thinking about the security behind it,” he says.
Leeming says the problems are “very simple” and can be fixed by following good procedures, but software development teams cut corners and skip procedures.
“Often companies get people straight out of training to write the code and end up in the situation of the blind leading the blind, which is a big problem, especially with IoT. The reason that the Mirai botnet was able to infect so many IP-connected devices is because simple mistakes were made from a software engineering point of view,” he says.
Any organisation developing custom software should encourage employees to learn from the best. “This can be done online. There is a lot of material out there: entire courses available for free that will show how to get good quality code and avoid the common mistakes.”
Martyn continually emphasises the importance of getting the basics right, and cautions against the temptation to fix the problem by investing in yet more security technology.
“I go into big places and they tell me they have spent a load of money on some kind of firewall or IDS [intrusion detection system]. It is usually an absurdly expensive one with a support contract that will probably have some words like ‘machine learning’ or ‘anomaly detection’ in the marketing material.”
The problem is that organisations are buying these products in the belief that they will take care of all security requirements.
“They are buying a false sense of security; they are buying a box they think they can plug in that makes the problems go away – but they haven’t solved any of the trivial problems such as employees clicking on malicious link-embedded emails and using the same password everywhere,” says Martyn.
AV offers false sense of security
Around 99% of antivirus (AV) systems provide a false sense of security, according to Leeming, but he says that while AV is unlikely to offer protection against a truly targeted attack, a “good AV” will stop most common or broad opportunistic attacks.
A common mistake many organisations make is to believe that AV will protect them from all threats and that all AV software is equally effective.
Leeming, who once ran his own hacking group and broke into thousands of company networks across the UK, advises businesses to choose the AV they use based on rating on sites such as AV-TEST, which releases a benchmark of the performance of products every six months.
These benchmarks enable companies to weigh how much a particular product slows down a computer against the protection it provides and what it costs.
Although it tends to be the same AV products in the top three, Leeming says the ranking does change and companies should review their AV regularly. “If the AV they are using has dropped down, they should consider replacing it.”
According to Leeming, there is “a lot of junk out there” and so in choosing AV or any other security product, he says businesses should do as much research as possible online by looking at the comments and reviews.
“Do your research and come to your own conclusion based on your analysis, taking into consideration what other security professionals are saying about it,” he says.
Test security systems before you buy
When it comes to new security technologies, Martyn cautions organisations to be wary of claims about things such as anomaly detection capabilities and use of artificial intelligence (AI) and machine learning.
If suppliers making these claims want people to take them seriously, he says they should be willing to allow people in the security industry to take a look and test how well it works.
“A demo of their pretty user interface, a couple of testimonials from their customers and their marketing spiel does not tell me anything about how well it works,” he says.
Martyn advises against investing in any security systems without formal testing or verification that shows the product in question works.
He also underlines the importance of having the technical capability to detect intruders on the corporate network, which many organisations still lack.
“You are never going to have 100% prevention. You are never going to block every attacker. If someone really wants to get in, they will – especially when it comes to state-sponsored stuff.”
Martyn says the more time and effort required by the attackers to get in, the more likely it is that they will go somewhere else that is easier to hack.
“Raise the barrier as much as possible so that it takes some effort and an investment in time and resources to get, but also make sure you have stuff for detecting a breach early and responding to it,” he says.
“If you have solid detection and response capabilities then you are pretty much golden. If you can flag that something bad has happened and kick the attackers out of the network, then you are good.
“But most organisations are unaware they have been breached for weeks, months and even years. Quite often they find out about a breach only when a third party tells them. It is a sorry state of affairs,” says Martyn, adding that many organisations still lack basic intrusion detection and incident response capabilities.
A common reason that organisations’ cyber defences are poor is that there is no executive support for cyber security.
“When the IT of the business brings in outside companies to conduct penetration tests, they are often using the test report as leverage to force people above them into giving them budget to implement security controls,” says Martyn.
“In enterprise, you often have a relatively small IT team and the rest of the business tends to assume the IT people do ‘IT stuff’ and don’t really need a budget,” he says.
“Business people often do not understand what the IT team does and typically do not see them as the people responsible for guarding the company’s intellectual property.”
From experience, Martyn says it is only when management understands that those responsible for IT security keep critical business data safe that companies adopt a better overall security posture.
Corporate culture one of ‘the biggest failings’
Corporate culture is a big part of good cyber security, according to Leeming, who sees it as one of the biggest failings.
“If you’ve got a bad culture it does not matter how good your processes are, you are going to have employees that just don’t care. When you have employees that don’t care, it doesn’t matter how good your equipment is because you are going to have problems,” he says.
At the core of the security problem is the fact that humans are fallible. “There is always someone who is going to be on the take that you can get information from. Although some organisations are using behavioural analysis, these systems are not foolproof and can be bypassed,” says Leeming.
A poor corporate culture, he says, is typically the result of poor leadership and an emphasis on productivity and profit over job satisfaction.
“If employees are underpaid, undervalued and working for a company simply because they need to pay bills rather than for love of what they are doing, security is just going to fly out the window.”
Leeming says Glassdoor, a website that shows employees’ thoughts about the company in an anonymous fashion, shows a clear correlation between companies with a poor culture and those that have a track record for terrible security.
He also emphasises the importance of ensuring that employees get regular security training to ensure they have a good understanding of security systems and processes. “You can’t just plug in a black box and have good security without the team and training around it.”
“It is a lack of understanding at all levels about what security really means that is holding most organisations back from ensuring that the basics have been done and that they have been done properly,” says Leeming.
Cyber security seen as ‘chore’
Leeming believes that because of all the recent hype around cyber security, companies and individuals are becoming de-sensitised to the phrase “cyber security”.
“People see cyber security as a chore and don’t understand that cyber security is not just about keeping your machine secure, it is also the impact it will have on them, their company or their team.”
Instead of saying “don’t reuse your passwords”, he says it is important to use terms that people will understand more easily.
“Instead, say, ‘If you use your password on website A and reuse that password on website B, if website A gets hacked the hackers will also get access to your account on website B’,” says Leeming.
“Then help them understand the true risk by considering the data they enter, store and share using online services and pointing out that all that data can be accessed by the hackers and used against them.
“It is about putting it in words and context that makes sense to them, but that is a very difficult thing to do as a mass broadcast.”
Leeming says this is easier to do in small groups, spending time with people to talk them through the risks.
“Unless someone is really interested in what security means to them, it is not going to click in their heads no matter how much passive content you expose them to, such as posters, because they are not engaged. So far, the only way I have seen to do that is to have small groups and do it on a one-to-one basis.”
Government heading in ‘right direction’
Although Leeming believes there are currently few really effective security technologies accessible to smaller companies, which lack the money and expertise of larger organisations to buy and run state-of-the-art security systems, the message is the same for companies of all sizes.
Leeming and Martyn say it is almost pointless worrying about advanced cyber security attacks before taking care of all the basic things that attackers will look to first to get easy access to corporate networks.
On a positive note, they recognise that the UK National Cyber Security Centre (NCSC) is doing good work in engaging with businesses and providing useful guidelines on how to improve cyber security.
“We are not there yet, but from the results they have shown from the small amount of time they have been operating, I have high hopes. The government is finally going in the right direction,” says Leeming.
From the perspective of two former hackers who now practise those same skills on the right side of the law, the message is clear: not every organisation will be hit by the latest, most sophisticated targeted attacks, but most are leaving the door wide open to the simple hacking techniques used in the majority of attacks, which could hit any business to steal money and data.
Quick security wins
Leeming and Martyn say following simple guidelines will enable enterprises to greatly increase security and avoid the majority of fairly low-level attacks:
- Educate employees on using a password manager and mandate their use in the security policy.
- Introduce a robust password policy to ensure passwords are strong, unique and changed frequently.
- Introduce two-factor authentication to stop attackers using stolen credentials.
- Educate employees not to open untrusted attachments or download untrusted software.
- Ensure computers are password protected and locked when not in use.
- Ensure Wi-Fi is secured using the WPA2 security standard.
- Mandate encryption for essential files.
- Block advertising at the network edge to eliminate malvertising campaigns.
- Disable Flash, Java and macros across the enterprise wherever they are not needed.
- Apply software security updates regularly.