The reasons why typically break down into 6 main areas:
- Your business is perceived as being cash rich and as such the attackers want your money
- Because your business has an identified risk that they can exploit easily
- The business has some intellectual property the attacker wants
- Because your business provides a measure of kudos the attacker can use to increase their prestige amongst their peers
- You are a challenge to them
- The business provides an indirect link through your supply chain to your clients (their real target)
There are others, but these are the main reasons.
When we talk about risk, we mean the actual tangible chance that they can be successful in their campaign against you. In order to understand a risk, I prepared a heat graph with some common risks that will demonstrate what we are talking about.
As you can see, each of the 4 categories is given a weighted score. The categories I’ve chosen for this example are generally the more prevalent generalised ones.
User social engineering impact and likelihood are high as most organisations do not run an education awareness course to keep users aware of current trends and methods of gaining information or access. Think about the CEO bank transfer scams. The human element is the one with the highest risk and likelihood as it’s the most easily controlled from the outside given a certain level of understanding about the human character.
Endpoint (workstations/laptops/tablets/mobiles) vulnerabilities score likewise. These cover regular software updates, Anti-Virus updates and administrative control of the endpoints. Not being able to manage this effectively means a single workstation can compromise the entire network through lack of effective security controls.
For perimeter penetrations, generally, unless you have a gaping hole, they are unlikely to attack your firewall directly, but they might well attack your Wi-Fi or unsecured tethered devices connected inside your network.
Lack of internal monitoring is pretty simple. Unless you know what’s going on inside your network, you’ll never know if you’ve been breached unless you stumble on it by accident. The technology used nowadays to gain a foothold inside your network is sophisticated enough to attack Anti-Virus packages installed on local workstations before running its main payloads. And those payloads can be anything the attackers desire, up to and including turning your computers into an army of zombie bots.
In general, the primary motivation for any would-be attacker is that they want something. That something can be your money, your plans, your contacts list, your supply chain files, your computer, your network or your telephone system. Literally anything you have that they can assign a perceived value to will automatically make you a target of interest to them.
Switch this around the other way, just as an example.
Suppose you wanted to obtain my little digital black book. You know I have one as you overheard me talking about it in conversation in a coffee shop. You know who I am, where I work, my email and my telephone number because I accidentally dropped a business card. You know several bits of critical information already:
- It’s digital information (likely stored on a laptop or similar device)
- You know I probably access it a lot so I need to keep it handy
- It probably contains lots of contact information you can exploit
- You know what I do so can probably surmise from the card my level of contact in the industry
So the next thoughts are:
- If it has value to him, it has value to me
- If it has value I can sell it to someone else who might place a higher value upon it
- If I can get it easily, I make easy money
So now you think about how to get it:
- I can send him a Trojan and see if that works
- I can physically break in and steal it
- I can try and trick him into visiting a website and installing my software
- I can attempt to hack him directly
- I can lure him into using a resource I can control
All of the above thoughts are processed in about 10 seconds by a normal bad guy with an offensive mind-set.
Characterising a victim takes a bit of a weird mind-set. Think Benedict Cumberbatch posing as Sherlock Holmes; it works pretty much the same way, except you’re looking for a pattern that fits… in this instance… coffee shop + Wi-Fi.
If I visit the coffee shop a lot, chances are I’m comfortable there, and if I stay for a while, I’m likely to bring my laptop with me to check mails, do some work, catch up with friends… I’m a busy guy after all :)
This is your road in. You can run a man in the middle attack, pose as a free Wi-Fi hot spot, and hope that I don’t pay attention or my laptop is set to connect automatically and use your Wi-Fi connection. Once my data is travelling across your network, you own me, my data and my history for everything my laptop transmits or cloud services it talks to for the duration of my visit.
So whilst you’re recording my traffic, you notice that I’m using an old protocol for connecting to a mail server and, by some startling coincidence, the username and password are sent in the clear because the connection is not encrypted.
You use these details, log in as me, and lo and behold, I’ve been using a mailbox to store my little black book backups! You now have about 4 years’ worth of data to mine: all of my contacts, numbers for CEOs and CIOs, private email addresses, mobile phone numbers, some cloud service usernames and passwords and other little bits of info.
This sort of information would be auctioned on the dark web to the highest bidder, and you make about $2000 for about 30 minutes’ worth of time sitting in a coffee shop slurping an espresso and about 30MB of data from your Wi-Fi hotspot.
This sort of thing does happen, every day, up and down the country. You’d be surprised how many people in a busy coffee shop would connect to a free Wi-Fi hotspot without thinking about the ramifications.
Take some time to digest this one. Next time you go for a Starbucks or Costa, look around and see how many people are on their mobiles or laptops… food for thought, eh?
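The weak link in the story above is the mail account that logs in over an unencrypted connection. As an added example (not part of the original post), this Python sketch audits stored mail account settings and flags any that would send the username and password in the clear; the account list, names and capability strings are constructed sample data.

```python
# Added example: audit mail account settings for logins that cross the
# network unencrypted. All account data below is constructed sample input.

# Keyword a server advertises when it can upgrade the session to TLS
# (IMAP and SMTP use STARTTLS, POP3 uses STLS).
UPGRADE_KEYWORD = {"imap": "STARTTLS", "pop3": "STLS", "smtp": "STARTTLS"}


def audit_account(protocol, security, capabilities):
    """Return (verdict, reason) for one stored account.

    security is the client-side setting: "ssl", "starttls" or "none".
    capabilities is what the server advertises before login.
    """
    caps = {c.upper() for c in capabilities}
    if security == "ssl":
        return ("ok", "TLS from the first byte")
    if security == "starttls":
        if UPGRADE_KEYWORD[protocol] in caps:
            return ("ok", "session upgrades to TLS before login")
        return ("fail", "no TLS upgrade offered; a client that falls back logs in unencrypted")
    # security == "none": nothing on the client side protects the login
    if protocol == "imap" and "LOGINDISABLED" in caps:
        return ("review", "server refuses plaintext LOGIN; switch the client to TLS")
    return ("fail", "username and password sent in the clear")


def audit_all(accounts):
    """Map each account name to its (verdict, reason)."""
    return {a["name"]: audit_account(a["protocol"], a["security"], a["capabilities"])
            for a in accounts}


# Constructed sample accounts, modelled on the scenario in the post.
ACCOUNTS = [
    {"name": "work-imap", "protocol": "imap", "security": "ssl",
     "capabilities": ["IMAP4rev1", "AUTH=PLAIN"]},
    {"name": "blackbook-backup", "protocol": "pop3", "security": "none",
     "capabilities": ["USER", "UIDL"]},
    {"name": "hardened-imap", "protocol": "imap", "security": "none",
     "capabilities": ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"]},
    {"name": "outbound-smtp", "protocol": "smtp", "security": "starttls",
     "capabilities": ["PIPELINING", "STARTTLS"]},
    {"name": "legacy-pop3", "protocol": "pop3", "security": "starttls",
     "capabilities": ["USER", "UIDL"]},
]

if __name__ == "__main__":
    for name, (verdict, reason) in audit_all(ACCOUNTS).items():
        print(f"{verdict:6} {name}: {reason}")
```

Any account reported as `fail` is one whose credentials would be readable on an untrusted network such as the coffee shop hotspot described above.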
Stay tuned for the next Post on How