Technology

Protect your data from the bad guys

Contrary to popular belief, hackers don’t tend to don ski masks or make sure their tie is straight before they start their silent attacks on our infrastructure; however, we seem to associate this “bank robber” image with hacking and computer security activity.

In today’s world, security is a way of life for all of us; just go to the airport and you will be reminded how serious it can be. For technologists, data security is certainly ‘business as usual’, but as we develop more complex methods of presenting our services and allowing users to interact with them, the risk grows with them.

How safe is safe?

Securing your infrastructure can take considerable effort, and achieving the right level of security, in the right places, is key. It’s easy to over-design a solution in a way that affects the entire user experience. On the other hand, a poorly designed solution will require more effort at the other end, in maintenance and monitoring, and may even result in sleepless nights…

When designing an approach, the infrastructure, application, and data layers must be viewed as a whole, or you can protect one layer but leave another open to attack. Some questions to consider: do you want to use a DMZ (“demilitarized zone”) and open ports on your internal firewall for each service required? Or do you just want to keep everything internal so you don’t turn your firewall into ‘Swiss cheese’? Then there is the CMZ (“Classified Militarized Zone”) which, by choice, contains your sensitive data and is monitored to an extreme degree to ensure it is protected at all costs. When presenting data, do you use a staging database on a different subnet to limit the possibility of a direct connection to your back-end data layer? Will you consider emerging proactive database monitoring tools like Fortinet’s FortiDB?
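A small policy check over a firewall rule list, added here as an illustration and not taken from the original article, that tests whether a ruleset honours the zone design just described: the internet may only reach the DMZ, the DMZ may only reach the staging database subnet, and only the staging subnet may reach the back-end data held in the CMZ. The zone addresses, the rule tuple format and the sample rules are all constructed for this example.

```python
import ipaddress

# Constructed zone layout following the design in the article: a DMZ facing
# the internet, a staging database on its own subnet, and a CMZ holding the
# sensitive back-end data. Addresses are documentation ranges, not real ones.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "staging": ipaddress.ip_network("198.51.100.0/24"),
    "cmz": ipaddress.ip_network("10.10.0.0/24"),
}

# Zone-to-zone flows the design permits: anything not listed must be denied.
ALLOWED_FLOWS = {"internet": {"dmz"}, "dmz": {"staging"}, "staging": {"cmz"}}

def zone_of(cidr):
    """Map a rule's CIDR to the most specific zone that contains it;
    anything outside the known zones is treated as 'internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "internet"

def audit_rules(rules):
    """Return a description of every accept rule that permits a flow the
    zone model forbids. A rule is (src_cidr, dst_cidr, dst_port, action)."""
    findings = []
    for src, dst, port, action in rules:
        if action != "accept":
            continue
        s, d = zone_of(src), zone_of(dst)
        if d not in ALLOWED_FLOWS.get(s, set()):
            findings.append(f"{s}->{d} tcp/{port} ({src} -> {dst}) not permitted by zone model")
    return findings

def open_port_count(rules, src_zone, dst_zone):
    """Distinct ports accepted from one zone to another: a rough measure of
    how much 'Swiss cheese' the firewall between them has become."""
    return len({p for s, d, p, a in rules
                if a == "accept" and zone_of(s) == src_zone and zone_of(d) == dst_zone})

# Constructed sample ruleset: the last two rules are the ones an audit should flag.
SAMPLE_RULES = [
    ("0.0.0.0/0", "192.0.2.10/32", 443, "accept"),         # internet -> web front end
    ("0.0.0.0/0", "192.0.2.10/32", 80, "accept"),
    ("0.0.0.0/0", "192.0.2.10/32", 22, "drop"),            # SSH blocked at the edge
    ("192.0.2.10/32", "198.51.100.5/32", 1433, "accept"),  # web -> staging database
    ("198.51.100.5/32", "10.10.0.5/32", 1433, "accept"),   # staging -> back-end data
    ("192.0.2.10/32", "10.10.0.5/32", 1433, "accept"),     # DMZ straight to back-end: flagged
    ("0.0.0.0/0", "10.10.0.20/32", 3389, "accept"),        # RDP from internet into CMZ: flagged
]
```

Running `audit_rules(SAMPLE_RULES)` reports the two direct paths into the CMZ, and `open_port_count` gives a quick count of how many holes the edge firewall has for a given zone pair.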

Of course, your approach will depend on the services you’re showcasing, and each provider will have a different set of options for you to choose from.

Good practice

The Annual Security Review and PenTest, while still important, is now giving way to more “live” security reports and analysis to give you the reassurance that your data is safe. Many security vendors now offer proactive monitoring of their third-party services to ensure Firewall administrators haven’t accidentally opened known vulnerabilities.

Some simple best practices can make a real difference, like making sure you have multi-vendor firewalls separating your networks. This may seem like an expensive luxury at first, but it means that any would-be attacker has to overcome two highly complex firewall technologies instead of just one. It also means that in the rare event that one vendor’s firewall has a known weakness, it is unlikely that the second vendor has the same vulnerability, reducing attackers’ chances of success.

Making sure your systems are patched to current levels is also an essential activity in the battle against the hacker.

But let’s not limit this to just the technology itself. ‘Change control’, as a process, is an important defensive weapon against ‘human error’, which could otherwise cost you dearly. Knowing what needs to be changed, getting approval, planning who will do the work and when, and ensuring a full impact assessment is carried out will save you a lot of pain later on.

Who are these bad guys?

So who are your potential attackers? Well, they can take many different forms, from hobbyists or students experimenting with port scanners and looking to see whether there are any open ports on your firewall, to the smartest hacker who knows how to handle SQL injection scripts. Some do it for fun, some do it for prestige, but serious hackers are often linked to organized crime and even cyberterrorism. Serious money can change hands for data that has been looted.

In most cases, the attack vector will be your database. This is where an attacker can collect personal information about your customers, collect passwords and login details, collect credit card data or, worse, medical history and other “sensitive” data. While these data assets can be protected using strong encryption techniques, the reality is that many organizations suffer enormous reputational damage simply by having to publicly admit that the data was stolen in the first place, even when there is no chance that the encrypted data can be read.

Attacks from within, by members of staff, are also now commonplace. Take the recent Aviva case, in which two staff members acquired data on recent customer insurance claims and sold it to claims management companies.

It is also wise not to assume that a hacker will always attack from the perimeter of your network from an obscure country to the east. Keeping the front door closed but leaving the back door open can be a perfect way for a determined hacker to gain access. Local attacks are just as risky as remote attacks…

The tiger hunts…

For example, if a hacker knows where your office is (let’s be honest, Google will show them the front door!) they might try to get into your premises posing as a printer or air conditioner repairman. Of course, they’re not on the list of expected visitors, so the receptionist goes off to check with facility management and leaves the front desk unattended. Our printer-fixer hacker pulls out a WiFi router, plugs it into the back of the reception PC and hides it behind the desk. The receptionist returns and informs our printer-fixer hacker that there are no repairs scheduled… “It must be a mix-up at headquarters,” the hacker says, and politely leaves. They now head to their car and connect via WiFi to the router they just planted; they now have access to your LAN and the attack begins… This activity is often done by ‘Ethical Hackers’ who are paid by companies to find weaknesses in their security processes, and is known as a ‘Tiger Attack’. However, it could be a real event if your data is valuable enough to an organized crime syndicate or someone who wants to damage your company’s reputation.

Unfortunately, the weakest link in data security is almost always the human. Social engineering attacks are the first weapon in the hacker’s arsenal. With them, a hacker can impersonate your local Service Desk team and send an email to unsuspecting staff about an “urgent security breach” requiring them to change their password immediately. Your staff are well trained in security and data protection, the email has the company logo on it and looks genuine, so the security-conscious staff member clicks the link to change their password. Once complete, the staff member feels proud that they diligently followed the security advice and probably begins to encourage the rest of the team to do the same… Little do they know that they just typed their username and password into a fake (phishing) website, where our hacker will collect and use the entered details to access services such as Outlook Web Access to read sensitive emails, or a VPN service to gain remote network access.

However, since we always use different passwords for all of our internet accounts, there is absolutely no chance that our hacker could use the same collected details to access our personal eBay, PayPal, or other finance-related accounts… Right?

My account(s) is(are) safe!

One of the best examples of how hackers can use your login details is the account of Mat Honan, who works as a writer for Wired.com; it’s a cautionary tale everyone should read. In this example, the hacker used various account/password recovery methods to finally gain access to Mat’s Twitter account, leaving a trail of digital devastation along the way… One thing that stands out is the risk posed by logon and account-recovery processes that do not follow a consistent standard.

So there you have it; how confident do you feel right now? I’m writing this particular article not to fill you with dread or fear, but just to trigger some “common sense” thinking about how to protect both your organization’s and your personal online security, and ultimately defend yourself from those pesky bad guys out there. They wear balaclavas and nice ties…

ITwaffle.com Copyright © 2014 Gareth Baxendale
