Budgets are Tight, but Secrets Should be Even Tighter. Why Aren’t Companies Getting the Message?
Ethical hacking, the topic of IT security assessments, along with threat and risk assessments have all been written and spoken about, with experts dissecting different kinds of breaches. One thing continues to stand out–the company CEO mindset: “how much” for a “good enough job”? Many companies considering a penetration test either don’t have a budget for a real assessment, or they just want a “good enough job” to get the compliant “PASS” for their bank.
Being compliant doesn’t mean you’re secure. Why aren’t companies getting the message? What I am getting at is perhaps these companies consider themselves small and irrelevant compared to larger companies, and they think no one will ever hack them.
Ethical hackers are continuously schooling larger companies, and even with their large budgets they are not getting the message. Imagine small companies, or new companies hoping to climb that ladder to the fortune 500.
Budgets are tight, but secrets should be even tighter. For all companies, the number 5 should be the first thing they think about when it comes to protecting their system. Why? In five steps, the hacker could ruin and smash all those big dreams.
IT Security Resource: Justifying IT Security: Managing Risk & Keeping Your Network Secure
1. Reconnaissance and Foot Printing
Footprint is like information warfare with proper battle plans and surveillance techniques, kind of like a strategic battle map, if you will. The goal is to find out EVERYTHING about the company. A great place the hacker will start is the job board postings, because it reveals sufficient details about the technology being used inside your organization. Another example is Google, which has proven to be one of the best and most comprehensive search engines to date. Google often violently spiders your website, inadvertently exposing sensitive information on that web site due to various web server misconfigurations (such as directory indexing, etc.) This results in huge amounts of data leaking into the web and, even worse, leaking into the Google cache.
One thing is clear; while CEO’s want “good enough” security, a hacker is strategizing his or her next move.
2. Scanning
In this phase the attacker will load up a few tools and begin scanning your infrastructure, trying to figure out what ports are open and what machines are alive. He’ll be able to map the vulnerabilities that exist for the version of software he found running. It’s almost like rattling doorknobs.
In today’s world, we’re all connected to broadband technology and we’re being port scanned all the time. It’s a perfect opportunity for an attacker to blend into this traffic and become a ghost.
3. Gaining Access
The third phase is gaining access or system hacking. The attacker will try many techniques such as cracking passwords, eavesdropping, Denial of service, Buffer overflows, password crackers, key stroke loggers, sniffers, remote controls, and impersonate users. They’ll set up back doors for another return, and escalate their privileges to get administrator access.
Once the hacker begins this phase, the time clock changes. He’ll be well prepared, and expect that your company has safe guards in place that will begin tracking back to him.
If the hacker obtains a password, which doesn’t have to be the administrator password and is able to login or make a connection, the next step a hacker is going to take is a process called Privilege Escalation. It basically means that he’ll take his existing connection and run an exploit against it to see if he can escalate his privilege to get Root, admin or some operating system service permission. Once he achieves that, he can do more with his original account. The worst part is he won’t often show up in any log because he exploited a file or service on the system and he’d be acting as that service, not as a user.
One of the big problems is that admins play down the criticality of “Local exploits” during a patch review. The reason being you have to be inside the network to use them. With today’s social media hacks, any user or hacker that gains access to your machines inside the firewall from opening a malicious email link can launch a Local exploit on a server and compromise it.
4. Maintaining Access
Maintaining Access is the fourth phase. Once the attacker gets in, you’ll be playing by his rules. You also need to understand that once he gets access, he won’t want other hackers coming through the same vulnerabilities that he did, thereby taking over after all that hard work. So a good way for him to maintain access could be a hardening of the system.
Essentially the security gets increased without the organization’s involvement. What will happen here is that the hacker will install a backdoor in the form of a root kit or a Trojan so that he can come back whenever he wants. Rootkits are extremely powerful, because it allows the hacker to have “beyond” administrator access. This would allow him to hide programs that are even running. Once a rootkit gets on your system, it’s nearly impossible for you to actually trust this server again, so a complete reinstall of the server is usually in order. I recently ran into a scary situation during an investigation where a rootkit got on a server and wasn’t detected until we got onsite seven months later. What companies forget is that full backups are constantly being taken. Once we restored the server’s data, the rootkit came back. We had to mess around with seven months of backup tapes to clean this up.
An evil hacker is always gathering, thinking, planning, and maintaining access.
5. Covering Tracks
Once intruders have successfully gained Administrator access on a system, they will try to cover up their presence. When all the information of interest has been stripped off from the target, the intruder installs several backdoors so that he can gain easy access in the future, as we just mentioned.
The first thing intruders will do after gaining Administrator privileges is disable auditing. At the end of their stay, the intruders will just turn on auditing again using tools such as Auditpol.exe.
Winzapper is another popular tool they’d use because you can selectively delete records from the event log of only what you did.
So why the 5 phases, and why does it need to be repeated? Well, nothing has changed. Hackers will stay with the 5 phases because it works. They are getting more technological and clever about how they do it. And they know you, Mr. CEO, who does not have a budget large enough to stop them.
Company executives should be gravely concerned. On one hand there are hackers out there who are in your system, while on the other hand companies still insist on paying for “just good enough.” Just good enough may mean using automated security tools, easily available in the market in free, but limited performance downloads, or purchased with full performance tools. These tools promote discovery, configuration auditing and asset profiling; sensitive data discovery and vulnerability analysis of how well your security is performing.
The problem with these tools is that they give false positives. In many cases, the return from a security check using these tools report more threats than there actually are, creating unnecessary alarms. So while a security team is tracking down 22 reported threats, a hacker may be scanning and gaining access through a real threat, or vulnerability. On the flipside, the actual reported threat could be much worse.
It is better to have some human testing, where a Certified Ethical Hacker will do a penetration test, which includes manual testing that these automated tools cannot do. While these tools are a good start, they are not the end all. Ethical Hackers love to do a test called “Grey Box Testing” where they have limited knowledge of your company, allowing them to pretend to be a real evil hacker and later show you how they can break in using all the tactics used. What is important for companies to understand is that we have to defend every single angle of the company, but a hacker just needs to find one way in.
My recommendation is to at least have a GAP analysis performed, which will help you gage where you are now by highlighting which requirements are being met and which are not. Spending the $10k now will save you 10 times that if a breach occurs.
We live in an era where a Smartphone that contains sensitive company emails, is protected by a 4 digit pin, and could compromise your organization. In fact I know a lot of people whose PIN begins with 19– the rest you can figure out by the smudge marks on the glass.
Buckle your seatbelts; The Hacker’s fun has just begun.
IT Security Resource: Justifying IT Security: Managing Risk & Keeping Your Network Secure
