12 truths about targeted business data attacks


This list shows how important it is that you take computer security seriously, especially if losing data would be critical to your business.

As part of our mission at BIT to help you understand the latest technologies, we've touched on the importance of data security many times.

In fact, from schools to medical centres and even fish and chip shops, you don't have to look too far to find small businesses or organisations that have been the victim of data attacks.
With this in mind, below we bring you a list of 12 truths about targeted business attacks from our sister publication CRN.
This list was written with technology resellers in mind - the people that sell you the laptops, networks and equipment you need to keep your business running. But it should also make interesting reading if you're a business owner.
While some of it might seem technical, it shows how important it is that you take computer security seriously, especially if losing data would be critical to your business. Above all, make sure you get good help and advice.
1. Email, instant messaging are your worst enemies
When the company RSA was attacked – using a Flash object embedded in an Excel file – emails were sent to RSA workers, titled “2011 recruitment plan”. They were caught by spam folders but a worker fished out the dodgy email.
RSA was reasonably lucky. It had NetWitness to identify the threat, but not before the attacker wormed its way up the vendor’s information food chain.
Securus Global says an average length of time for an intrusion – its “persistence” – is six months to a year, and the attacker is hammering away daily.
Once an attacker gains access, they may install command shells and elevate their privileges – as happened with RSA – to access more resources and build a life raft in the event of exposure.
Trend Micro antispam senior architect Jon Oliver says the Blackhole toolkit is the most favoured by hackers: “It’s the best on market in terms of exploits. As soon as you click on it, you are exploited,” Oliver says.
Staff must be on their guard when dealing with the outside world especially on untrusted connections. That includes talking to overly friendly strangers.
A Securus Global researcher says instant messaging “presents a far greater threat” than email: “It’s the ability of an attacker to directly communicate with a victim”.
And organisations should invest in virtual private networks, email encryption and signing to reduce the incidence and severity of such attacks.
2. Every business is at risk (but not equally and not all the time)
You may think you are small fry, so you spend little on security, or you may be lulled into false confidence by the amount of money and time you do spend. The fact of the matter, however, is that every business is at risk, although the spectre is different for each.
Larger organisations tend to face more varied threats while SMEs face attacks on point-of-sale devices and maybe the insertion points into bigger partners.
Few retailers – especially in hospitality, the most afflicted sector – have PoS anti-tampering processes. And manufacturing and information services are most at risk when it comes to number of records stolen.
Small to medium businesses are six times more likely to be breached by using default or simple credentials.
Securus Global’s Drazic says the scale of big companies insulates them from the consequences, but a “startup that is compromised may lose support, financing and consumer confidence” that could cruel their growth or end them in the crib.
Verizon investigator Mark Goudie says on an audit in which he was recently involved, an Australian business found its vendor was using the same password – the vendor’s company name – for its customers worldwide. It would take just one of them to be breached for all to be laid bare, he says.
Goudie says if you don’t need data, delete it, securely, even if that puts you on a collision course with the organisation’s “big data” forces.
Small to medium businesses may also find themselves swept up in a hacking driftnet as attackers scan IP ranges or execute application vulnerabilities, especially those known as “zero-day”, for which defences are lowest.
3. Physical security matters
It could be easier and cheaper to physically break into your customer’s organisation than through a computer system either to exfiltrate data or to plant malware.
“Social engineers were leaving thumb drives around an organisation, giving them away for free – that bypasses a lot of procedures,” says Imation Asia-Pacific general manager Sven Radavics.
He says China was implicated in an attack against the Indian Navy that used this approach. And he says those “walking around with some sort of authority are left untouched by employees except in the most rarified environments”, allowing them to steal data or plant malware.
Organisations may print data they sense is too valuable to be left online, but leave it labelled in unlocked cupboards for the attentive thief.
Goudie says technology resellers should tell their customers to “automate processes to remove the human element”.
4. The company you keep
This year saw the “watering hole” attack, where criminals targeted websites allied to their ultimate target.
The attacker scans the websites for vulnerabilities, redirecting victims to malicious sites.
An SQL injection, for instance, takes advantage of website forms that don’t validate input and pass unauthorised code to a database. Or a website may invite uploads that run a program or install a shell the attacker uses to elevate access.
Trend Micro engineer Vlado Vajdic says there are cases of supply chains being targeted – sometimes a bigger company is “owned” when it buys a smaller company.
Make sure partners in the supply chain have the same security posture.
5. Bad guys are inside the firewall – and likely have been for a while
“Assume that the network is infected,” says Lastline’s Ben Teh.
To mitigate threats from the likes of drive-by attacks and roaming devices (especially in an office where staff can bring in their own laptops and tablets from home and have guest access), Teh advises scanning traffic to analyse code for dangerous behaviours.
Red flags the system is compromised:
• domains failing to resolve;
• connections that go to unusual destinations;
• login failures on database servers;
• programs running that ought not;
• users or applications escalating their privileges;
• unexpected secure web traffic (https).
A chained assault that started with a rogue email or IM session may communicate with a command-and-control server, trickling information out of the network, at unusual times or over secure web connections.
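One way to check logs for three of the red flags listed above: repeated failed DNS lookups, database login failures, and secure web traffic to unusual destinations or at unusual times. This is an added example, not part of the original article; the log format, host names, addresses, thresholds and allowlist are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real logs): time|source host|kind|detail
SAMPLE = """\
2012-10-03T02:14:05|ws-17|dns|NXDOMAIN qzxkvbn.example
2012-10-03T02:14:09|ws-17|dns|NXDOMAIN pfjwmra.example
2012-10-03T02:14:12|ws-17|dns|NXDOMAIN lkhtdse.example
2012-10-03T02:15:40|ws-17|https|203.0.113.50:443
2012-10-03T09:02:11|ws-04|dns|NOERROR intranet.example
2012-10-03T09:05:30|ws-04|https|198.51.100.10:443
2012-10-03T11:20:01|ws-22|dblogin|FAIL user=sa
2012-10-03T11:20:03|ws-22|dblogin|FAIL user=sa
2012-10-03T11:20:04|ws-22|dblogin|FAIL user=admin
2012-10-03T11:31:00|ws-09|dblogin|FAIL user=jsmith
"""

KNOWN_HTTPS = {"198.51.100.10"}    # assumed allowlist of expected destinations
WORK_HOURS = range(7, 20)          # assumed business hours, 07:00-19:59
NXDOMAIN_LIMIT = DBFAIL_LIMIT = 3  # assumed per-host thresholds

def find_red_flags(text):
    """Return {host: sorted list of red-flag names} for the given events."""
    nx, dbfail = Counter(), Counter()
    flags = defaultdict(set)
    for line in text.strip().splitlines():
        stamp, host, kind, detail = line.split("|", 3)
        hour = datetime.fromisoformat(stamp).hour
        if kind == "dns" and detail.startswith("NXDOMAIN"):
            nx[host] += 1                      # domain failed to resolve
        elif kind == "dblogin" and detail.startswith("FAIL"):
            dbfail[host] += 1                  # failed database login
        elif kind == "https":
            dest = detail.rsplit(":", 1)[0]    # strip the port
            if dest not in KNOWN_HTTPS:
                flags[host].add("unusual-destination")
            if hour not in WORK_HOURS:
                flags[host].add("off-hours-https")
    for host, n in nx.items():
        if n >= NXDOMAIN_LIMIT:
            flags[host].add("failed-dns-lookups")
    for host, n in dbfail.items():
        if n >= DBFAIL_LIMIT:
            flags[host].add("db-login-failures")
    return {h: sorted(f) for h, f in flags.items()}

if __name__ == "__main__":
    for host, found in sorted(find_red_flags(SAMPLE).items()):
        print(host, ", ".join(found))
```

A host that trips several flags at once, as ws-17 does in the sample, matches the chained pattern described above and is the one to investigate first.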
Compromised devices may be re-imaged or destroyed to curb the infection.
Virtualised systems offer protection because they are viewed by an overarching framework (assuming the hypervisor is secure) and can trivially revert to a clean, earlier version.
6. You have all you need to find the intruder and get rid of him
Australian Federal Police acting manager of cybercrime operations Brad Marden says “logs are the most critical” tool for remediation.
“Logs are crucial to recreating activity to system incident responders – even if they don’t report to police – if they just go to their anti-virus company or CERT Australia; it’s the most critical part of maintaining a security posture,” Marden says.
“They need to know how the hacker accessed their network and what information might have been removed in order to have a successful outcome in prosecution or identifying the harm.”
Logs were critical to helping NBN Co partner Platform Networks recover from David “Evil” Cecil’s attacks last year.
Cecil, an unemployed truckie and self-taught hacker from Cowra, had earlier crashed Melbourne hosting provider DistributeIT in a devastating half-hour assault, costing it $4.5 million, the loss of 4,000 websites on four unrecoverable servers and throwing its resellers into disarray when the company folded.
DistributeIT had inadequate systems to support investigation, but when Cecil soon after attacked Platform Networks, Marden says, a stronger defence informed by logs resulted in a 2½-year jail term for the assailant.
“Through cooperation with police there was little harm” to Platform Networks, Marden says. “If we have a good case, we have good prosecutional outcomes.”
It’s imperative action is taken as soon as a breach is suspected, he says.
Technology resellers should work with their customers to preserve chain of evidence, isolating logs on a separate device and imaging affected systems.
Investigators will often use the Encase software to preserve data from being contaminated or over-written and a good security incident and event monitoring solution prior to the attack is vital. “Preserve (the data) by taking it offline or getting a mirror,” Marden advises.
7. Know your “3 Ps” – Patches, Privileges and Programs
Many intrusions could be prevented by:
• patching applications and operating systems;
• limiting user privileges;
• whitelisting applications to prevent malicious apps from running.
“(It) can be achieved gradually, starting with computers used by the employees most likely to be targeted,” the DSD advises. 
Trend Micro’s Oliver says users must be trained to accept critical security patches, even though it may slow their workday: “Especially Flash and Java because it’s on every device in the enterprise”. 
Microsoft Office and PDF documents are also well targeted. And technology resellers should install software on their clients’ networks to monitor that the patches are installed and up to date, Oliver says.
8. Who you gonna call?
This one is more for technology resellers, but it's no less important.
A cybercrime is a crime and should be reported to police, says AFP’s Marden. “We will take every report into consideration whether it’s to build up a bigger picture or to prosecute,” Marden says.
Verizon’s Goudie says relationships with police and security contractors must exist before you need them: “The last time you want to negotiate contracts with an organisation is when you’re” under attack, he says. “Everyone knows to dial 000 when you need it, but very few people know who to call when negotiating a security event.”
AFP Cybercrime Operations: cybercrime@afp.gov.au or tel: 1800 813 784
9. Learn the lingo
“Veris” is emerging as a standard language for reporting incidents, defining “Who did what to what (or whom) and with what result”.
The Vocabulary for Event Recording and Incident Sharing is a framework against which attacks are defined and shared and a basis for historical and trend analysis.
It is becoming a standard way for expert witnesses to describe agents, actions, assets, and attributes of an attack.
10. Deal with the social 
Intruders scan LinkedIn and social media profiles, and may escalate through individuals to get to their ultimate target.
These recces may take up to a year or more of daily diligence to map out the target.
“It’s a military-style attack,” says Websense A/NZ sales manager Gerry Tucker. Often the insertion point is an attractive lure, such as an email notification of an award, employment or promotion. 
More than four in five unsolicited emails have a web link to a compromised host, Tucker says.
“Even those who are paranoid get caught out because of how these emails” are written, he says.
And it’s possible that mobile technologies, which encourage people to respond to such contacts on the go and at speed while their attention is diverted, may exacerbate the problem. 
RSA’s Farquhar tells the story of a customer’s employee who got an email that he had won an award for five years’ service and should click a link to get his prize.
“It had all hallmarks of spearphishing, and he immediately disregarded it, but turns out it was legitimate,” Farquhar says.
The company had outsourced the awards to another organisation: “Companies need to understand not to muddy the (security) message”, he says.
Bitdefender chief security researcher, Catalin Cosoi adds: “Once you have those details you can easily create a targeted email that is very believable to the targeted people.”
11. Don’t neglect anti-malware and DNS
Again, another one for a security provider or technology reseller.
CSC’s Lawrence Ostle recommends Layer-2 and application whitelisting solutions to immunise against malware while keeping an eye on how the layers within the network talk to each other to spot irregularities.
A stable, secure and responsive domain name server is critical to weather assaults against applications, he says.
Watchguard’s Rob Collins advises “factors of two”, for instance, using overlapping anti-malware software because they vary in the ability to respond to threats.
“And secure your DNS channel – there’s no need to have port 53 (DNS requests) open and, if you do, only for certain servers,” Collins says.
12. Your customer’s PoS on the front line
Humble point-of-sale terminals such as cash registers, mobile payment-collection systems, automated tellers and swipers at fuel pumps are vulnerable to skimming exploits because they are often unattended.
Organisations have payment card-industry requirements to monitor and guard these systems that they often underestimate or neglect to their detriment and that of their customers. 
Organisations should make tamper checks a part of each shift change, and quarantine suspected terminals for forensic investigation.
Casual internet use by employees using these devices should be discouraged and they should not be connected to the net unless necessary.
Organised crime is targeting payment card information from such systems and “can launch a sting against hundreds of victims during the same operation”, Verizon says.
You should change default credentials and administrative passwords on PoS (and other internet-facing devices).
A firewall or access-control list should also be applied to limit outside incursion. Technology resellers should make sure the PoS is PCI DSS compliant.
[This is an excerpt from an article published in the October 2012 issue of CRN magazine]


Copyright © CRN Australia. All rights reserved.
