Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

One hack away

One hack away 

Security breaches are damaging our economy, eroding our privacy, and pushing businesses toward bankruptcy. Attacks are increasingly sophisticated, targeted, and often succeed with relative ease. The products we use are full of vulnerabilities. Criminals can attack an unlimited number of times and they only need to succeed once, but those seeking to defend the enterprise must succeed every time. The odds are not in the corporate security team’s favour.

The Cyber Kill Chain (CKC), originally developed by Lockheed Martin in 2011, describes the general phases of an attack by a sophisticated adversary. They begin with reconnaissance to select targets and determine which attack methods are most likely to succeed. They weaponize (or package) malware for use against a specific target. They deliver the malware, most commonly through email or a web server.

Malware gains a foothold by exploiting vulnerabilities in operating systems or applications. While zero-day exploits make for more exciting news, attackers generally reserve them for when more common exploits fail. Many systems are not patched and zero-day exploits are simply not required. The initial malware installation – usually a remote access trojan (RAT) – communicates with the adversary through a variety of command and control mechanisms. In the final phase of the CKC, the adversary may simply gather and exfiltrate data from a single server or expand their footprint within the enterprise to obtain additional data over a prolonged period of time. The level of effort expended, attack sophistication, and prolonged duration of operations leads to these sophisticated adversaries being referred to as Advanced Persistent Threats (APTs).

The CKC provides a framework for better defence. It is not possible to achieve 100% detection or prevention at a single point in the kill chain. However, if an attack is detected and disrupted at any point in the CKC prior to data exfiltration, the adversary will be denied their objective. Products such as next generation firewalls, advanced threat detection systems, web filtering, and forensic tools are available to help. But few organizations appear to understand that they could significantly improve their security posture by adopting a more disciplined approach to security architecture and focusing on two simple points: Software contains vulnerabilities and poor choices are being made with regards to how things are being connected.

Android, iOS, Java, Linux, OSX, and Windows along with our web browsers, plug-ins, and office suites all have poor security records. While the discussion tends to revolve around market share and the number of discovered vulnerabilities, it’s a moot point. In the end it only takes one serious vulnerability to compromise the system, and until software vendors make drastic changes to their design and development processes, serious vulnerabilities will continue to exist.

If computers and the networks to which they are connected were only used to surf the web and respond to Internet email, APTs would face an exponentially more difficult challenge. Emailing infected pdf files and drive-by downloads would likely not result in massive payment card compromises and the theft of proprietary information. However, that’s not the reality in today’s corporate environment. The same laptop is used to surf the web and access sensitive information and systems. This creates a nightmare scenario that should keep CIOs awake at night: PCs used for web surfing, email, and running vSphere Client or Hyper-V manager (to name but a few). While the computers may be in the hands of trusted and tech-savvy employees, in this all-too-common scenario the enterprise is one RAT away from a wholesale compromise.

Another example is that Internet-facing web applications frequently suffer from serious security architecture defects. Web servers often have unrestricted access to back-end databases. SQL injection attacks are well understood, as are the coding practices required to prevent them. Yet they remain rampant. Most common implementations also store SQL credentials on the web server. In the event an intruder gains access to the web server it’s game over.

These design decisions are incompatible with the proven inability of common operating systems and applications to successfully withstand attacks by determined adversaries. Yet it appears that most vendors are doing little to address design deficits, and most companies are not paying nearly enough attention to fundamental security architecture issues. As a result, despite several decades of experience with computer security issues, many businesses are still only one hack away from disaster.

Related posts