I’ve finally been convinced by colleagues in the industry that the recent “activities” of LulzSec and parts of Anonymous are starting to make some senior people in big corporates ask questions about their own security. (I’ve been a cynic, as usual.)
It’s funny, that. I suppose a lot of media, particularly mainstream media, will eventually push IT security issues into those non-IT business management areas, however sensationalised and poorly reported some of it may be.
But sitting back here, it’s a case of: hey, business world that has neglected good security practice for a long time - you’ve probably already been owned, and possibly still are, but not by LulzSec and Anonymous! There have been nasty hackers out there for a long time quietly getting into your systems. The world isn’t that much more insecure these days ... you’ve just tuned into the program late! Hopefully you can catch up, if it’s not already too late.
So here we are today. How many companies are now starting to kick off their own security testing, (read: penetration testing) to keep the bad LulzSec and Anonymous out of their systems? From what I am starting to hear, quite a few.
I can’t help but wonder if these companies (given it took this much media attention to get them moving) are also the same ones that buy security products like IDS/IPS, switch them on and expect miracles, without putting in any effort on their own part to support those tools with strong core business standards and processes. I can’t help but believe many of these companies now see penetration testing as another silver bullet that, on its own and without much effort on their part, will make them safe!
Sure, a well-scoped and all-encompassing test will give a company good, valuable information on where it stands - assuming it has engaged a good team of testers and not just gone for the cheapest option. (Remember, it’s harder being a penetration tester than a hacker. The latter only needs to find one good entry point into a company’s systems; the former needs to find them all! The old lesson that you get what you pay for, when you head down the path of the cheapest option, can be an expensive one further down the track.)
But how many companies will actually do a well-scoped and all-encompassing test? How many will baulk at the price and go for a smaller scope of testing, or a cheaper and less skilled provider? And what will be the result? It may well make someone in senior management feel they have performed their duty of care, and the “main” website may well become more secure, but what about the areas that were neglected because they baulked at the cost and effort required? As I said, a hacker only needs to find one good entry point. GAME OVER.
A company needs a holistic view of its organisation’s security. It needs to understand what it has, because without that knowledge, how can a company protect itself when it doesn’t know what its network is and what sits on it? (“Cloud”, anyone?) A prioritised, risk-based approach is all well and good – if done well. What happens in the following scenario?
Company X decides that its Business Partner Portal (Extranet) is its key system and thus the only one it will test right now (because a full penetration test of the whole environment was deemed too costly). It gets the portal tested, fixes all the identified issues, and sits back feeling more secure. In the meantime, a low-key brochureware website it also runs (deemed low business priority/risk) is left out of the testing scope. There’s nothing on this site apart from some marketing blurb and one link to the Business Partner Portal. Follow me if you’re not already a few steps ahead of me ...
Hacker compromises the weak CMS on the brochureware site (did I need to add “weak”?) and quietly repoints the link to a website that isn’t the company’s but looks exactly the same. Business partners click the link on the company’s brochureware site, “log in” ... and GAME OVER. Note that the freshly tested portal was never touched; the partners’ credentials are harvested on the lookalike and then simply used against the real thing.
This is just one of scores of examples and attack types out there. Hackers don’t follow a prioritised, risk-based methodology that lines up with the one a company uses. One good entry point is all that is needed, and they’ll take that low-risk, low-priority, easy entry into your environment. We do the same when we test for our clients, precisely so we can show them this.
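One cheap, concrete check that falls out of the scenario above: if the brochureware site is out of test scope, at least watch the handful of outbound links and script tags it serves, and alarm when one of them stops pointing where it pointed when the portal was last tested. The script below is an added example written for this page, not code from the original post or from any particular tool; the hostnames (partners.example.com as the real portal, partners-example.com as the attacker’s lookalike) and the two HTML snippets are constructed for the example.

```python
"""Link-integrity check for a low-priority "brochureware" site.

Added example. The HTML below is constructed sample input, not a real site;
partners.example.com / partners-example.com are hypothetical hostnames.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts that outbound links on the brochureware site are allowed to target.
# Assumption for this example; in practice load this from config.
ALLOWED_HOSTS = {"example.com", "www.example.com", "partners.example.com"}

# Constructed baseline: the page as captured when the portal was last tested.
BASELINE_HTML = """<html><body>
<h1>Acme Widgets</h1><p>Marketing blurb.</p>
<a href="https://partners.example.com/login">Business Partner Portal</a>
<a href="/contact">Contact us</a>
</body></html>"""

# Constructed "after compromise" page: the CMS now serves a portal link to a
# lookalike domain (same path, one character different) plus a foreign script.
TAMPERED_HTML = """<html><body>
<h1>Acme Widgets</h1><p>Marketing blurb.</p>
<a href="https://partners-example.com/login">Business Partner Portal</a>
<a href="/contact">Contact us</a>
<script src="https://cdn.attacker-controlled.example/x.js"></script>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects the target attribute of tags that can send a visitor elsewhere."""

    WATCHED = {"a": "href", "form": "action", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, raw target)

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def extract_links(html, page_url):
    """Return (tag, absolute URL) pairs; relative targets are resolved."""
    collector = LinkCollector()
    collector.feed(html)
    return [(tag, urljoin(page_url, target)) for tag, target in collector.links]


def looks_like(host, allowed_hosts):
    """Crude lookalike test: ignore dots/hyphens and compare what's left."""

    def squash(h):
        return h.replace("-", "").replace(".", "")

    return any(squash(host) == squash(a) for a in allowed_hosts)


def find_suspicious_links(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Outbound links whose host is not allowlisted, each with a reason."""
    findings = []
    for tag, url in extract_links(html, page_url):
        host = (urlparse(url).hostname or "").lower()
        if host in allowed_hosts:
            continue
        reason = "off-site"
        if looks_like(host, allowed_hosts):
            reason = "lookalike of an allowed host"
        findings.append((tag, url, reason))
    return findings


def diff_against_baseline(baseline_html, current_html, page_url):
    """Links served now that were not in the tested baseline: what changed."""
    before = set(extract_links(baseline_html, page_url))
    after = set(extract_links(current_html, page_url))
    return sorted(after - before)


if __name__ == "__main__":
    page = "https://www.example.com/"
    for tag, url, reason in find_suspicious_links(TAMPERED_HTML, page):
        print(f"SUSPICIOUS <{tag}> -> {url} ({reason})")
    for tag, url in diff_against_baseline(BASELINE_HTML, TAMPERED_HTML, page):
        print(f"NEW since baseline <{tag}> -> {url}")
```

Run this from a cron job against the live page and page someone on any non-empty result. The allowlist catches the redirect to an attacker-owned domain and the injected script; the baseline diff catches the case where the attacker is smarter and points the link at a host you do allow but did not expect (a forgotten subdomain, say). Neither replaces testing the brochureware site, but both cost an afternoon rather than a budget line.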
I’m far from saying a complete penetration test of your whole environment will make you secure. It won’t. You will never be 100% secure. If someone wants your stuff badly enough, they’ll find a way to get it. All you can do is minimise your risks. If you’re really serious about your security, you’ll invest the time and effort required to educate your people, set up your systems as securely as you can and, most importantly, you’ll keep on top of this on an ongoing basis – consultants come and go. If not, you’ll be an easier target ... one day ... for someone. It is only a matter of time, whether you are a large or a small business. Don’t ever assume it couldn’t happen to you. Distribute.IT? (Bad poetry.)
In the meantime ... the “other” criminal hackers – remember them, the ones WE were talking about before LulzSec and Anonymous came into the picture? They will have enjoyed all this. There is even less attention on them now, and probably many are taking advantage of the situation while people blame LulzSec and co for anything that goes on. They’re going BAU.
I’d be more wary of a “quiet” business IT network at times. Paranoia is a good thing if your business is IT security.
To be continued …