This can be anywhere on your infrastructure: from a workstation or laptop, to a mobile device, to your website and cloud services, right the way into your storage network and servers. Anywhere you work, access, send to, receive from, print, copy to, copy from, upload or download; in fact pretty much everything you do except make a coffee (and later on we’ll discuss your internet-connected coffee maker too!). I don’t intend to make you scared. Well, actually I do, and the reason I need you to be scared is that you’re at risk. Now. Right this very second you’re at risk of being compromised.
You might be thinking about now: I’m safe, I have a firewall, I have anti-virus, I know about computers, I have an IT guy, I have backup tapes, I have a whole data centre, I have a whole IT department. Most likely you’ve already had some incidents: a virus outbreak, a CryptoWall ransomware attack, or an infection on a few workstations. But be under no illusion, the fight against cybercrime is always on, it never sleeps and it’s global in its presence. A healthy amount of paranoia should now be part of your toolkit when you think about your IT. This is the attitude you need in order to keep your awareness high enough to protect yourself. It might seem a bit over the top, but we need to keep asking ourselves questions like:
- When was the last time your IT department checked the network for suspicious traffic?
- When was the last time you actually tested your detection capabilities?
- When was the last time you ran a full scale penetration test?
The problem we have is that technology is an enabler, and it enables law-abiding citizens to do business and reach customers instantly and globally. It allows you to deliver products and services, fix problems, and send invoices to get paid in the blink of an eye. It also allows your customers to reach you from work, home or mobile devices. The internet is a wonderful thing!
But the same enabler also helps the bad guys run their activities: send malware, design new software to attack a web server, and mine your file structure for keywords that tell them where your valuables are, instead of copying terabytes of data and sifting through it offline. It also allows them to remain anonymous whilst they conduct their activities. They do all of this on the same kinds of computers you use to make money legally, they use them illegally, and they are generally more experienced in security than your staff.
Whilst most businesses are fixed in one place, the bad guys can move around. Typically they operate from a laptop and carry their tools with them: in real terms, software and scripts, but mostly it’s their knowledge and experience. They can be on the other side of the world, or they can be in the coffee shop across the road, watching your employees walk in and out of the building and waiting to see a face that matches a LinkedIn profile, so they know that person is out to lunch before they launch their attack. They also have the ability to use the same technology to bounce their attack through another victim, or a series of victims, making it even harder to trace their origin. In fact the movies portray the process quite well: imagine the global map. The attacker is in Ukraine; they first connect to a compromised terminal server in Italy; from that system they connect to a home computer in France; from there to a web server in Germany; from there to the UK; from the UK to America; and then they attack a company in London.
Why such a roundabout manner? To throw off pursuit and tracking. At each stage, as they disconnect, they wipe the logs, trash the system and destroy enough of the information that would lead investigators to the next leg. This is one method they use to hide their identity and location; it means they can run the attack itself while sitting safe and sound in a coffee shop in Ukraine, drinking double-shot espressos all day. However, that’s not all. Unlike in the movies, an attack rarely operates in such a manner; it takes a lot of effort and work to set up, do the research and collect the data needed to pull off an attack of this magnitude successfully and get what they want. So they will only set up this level of attack if they feel the reward is worth the time invested.
You know where your valuables are, and in all likelihood they know as well. You protect them with passwords and access methods; they will access them the same way, by tricking you into revealing them, impersonating you, or socially engineering you or the bank into giving them what they need.
This is where you need to out-think and outsmart them. It doesn’t take expensive IDS solutions, expensive firewalls or teams of security engineers. Using the right processes, the right mind-set and, above all else, educating your users, who after all are on the front line, should be the first and most robust steps in your armoury.
In the next post, we’ll talk about the Why and explore some motivations and characteristics.