8 posts categorized "Cyber"
Asymmetric warfare isn't new. It has a long history, from the 300 Spartans who held Xerxes' Persian army of more than 100,000 at Thermopylae in 480 BC, right through to the modern day. You might even argue that Odysseus and the Trojan horse in the 12th century BC qualify as the earliest example. All very interesting, but what is the relevance to modern business?
Cyber attacks: the similarities are striking. Small groups of highly focused and motivated attackers, with little in the way of hierarchy or command and control, take full advantage of the anonymity, flexibility, agility and rapid response that modern technology offers. Cyber attacks also share the latest trait of asymmetric warfare: they are global, in both origin and effect.
Looking back through history can provide two insights for businesses faced with cyber attacks.
The first is that brute force alone, throwing masses of resources and technology at the problem, has a limited effect. As you increase cost and effort the return diminishes, ultimately becoming counter-productive and sapping vital resources. A careful, considered and proportionate deployment instead acts as both a deterrent and a sustainable first line of defence. Back in ancient Greece the Spartans made the best possible use of their forces: with only 300 men they had to fight a defensive battle rather than a decisive one, so they chose ground where the narrow passes could be held and blocked, and moved quickly to do so.
The second is that intelligence-led operations are among the most effective methods of detecting and nullifying the enemy. Although they had a small army, the Spartans knew the battlefield better than their enemy and knew its weaknesses, and were able to exploit both. In network defence terms this is logging, monitoring and threat surveillance: capturing and analysing the traffic on your network. Like intelligence work in the world of spies it is painstaking, methodical and frequently boring, but it requires a highly skilled human touch. You need the relevant tools tuned to your business, and skilled operators to run them. It may appear expensive in cash terms, but it is one of the few ways to take a proactive stance against cyber attackers. The reactive, and often more expensive, alternative is a phone call in the early hours telling you "we have a problem".
The analogy between cyber attacks and warfare is not perfect; there is one crucial difference, vulnerability in the adversary. Most cyber attackers do not have access to large resources or sophisticated technology and rely instead on weaknesses in organisations. There are known defences which, if applied carefully and rigorously, will deter, detect or defeat the vast majority of common attacks. The SANS Top 20 Controls are one such collection of proven good practices: developed globally, published freely and applicable across all industries.
The situation might appear overwhelming, but there are tactics and strategies which can help you turn the tables, and can even the odds. From Xerxes to the World Wars, the massed hordes have been held back by the few. Asymmetry works both ways if you choose your battle carefully.
Gary is a manager in Deloitte’s Security practice. He works with clients to understand the threats they face, and to reduce them through proportionate effective changes in culture and practice. Gary also works with multi-disciplinary teams to investigate, control, and help clients return to business as usual following cyber incidents, data breaches and attacks.
Companies spend plenty of time, effort and money protecting their networks from hackers. Firewalls, Intrusion Detection and Prevention Systems (IDPS) and security gateways are commonly used to protect the connection points between internal networks and the internet.
However, despite all these protections, networks can still be breached. In April 2011, Sony revealed that its network had been hacked, exposing the personal details of 77 million PlayStation Network users, including names, dates of birth, e-mail addresses, passwords and credit card numbers.
Unpatched server software, together with a custom firmware release (Rebug) that effectively turned the PS3 console into a developer kit, unlocked a number of features users could not normally access. Most importantly, the firmware gave trusted access to Sony's internal developer network. Hackers exploited this to reach the customer details database and pull out its contents: 77 million customer accounts compromised.
With one of the biggest data breaches in history on record, how do companies make sure such attacks do not happen to them? They can call on the good guys pretending to be the bad guys: penetration testers (also known as "white hats" or ethical hackers).
Penetration Testing is normally conducted as a service to clients by mimicking the types of attacks performed by malicious hackers using the same tools and techniques. The aim isn't simply to break through an organisation's defences, but to identify the depth and breadth of vulnerabilities.
Network infrastructure penetration testing focuses on simulating attacks against, or exploiting, clients' computer networks and systems in order to find these vulnerabilities. Testing requires explicit, written permission from the owner of the target systems; without it, exactly the same activity is simply illegal.
With network breaches on the rise, many companies have realised the importance of security and have made penetration testing part of their information security strategy. The results of these tests, and the guidance that accompanies them, help companies better protect their networks and sensitive data and stop them falling into the wrong hands.
Yeo Bon is a Consultant in Deloitte’s Security & Testing practice working within the Cyber Intelligence Centre. Yeo Bon specialises in ethical hacking, focusing on network infrastructure and web application penetration testing.
Wireless networks are growing more and more numerous, and the corporate landscape is no exception. The convenience offered by a laptop or mobile device together with WiFi connectivity to the corporate infrastructure allows employees more flexibility around the office than ever before.
However, the pervasive nature of a wireless signal means it can be available in places you would never dream of rolling-out your wired network. From an attacker's point of view that's one of the most appealing things about WiFi.
The hurdle of gaining physical access is removed, replaced by the far more alluring prospect of attempting a breach from the comfort of the coffee shop next door. If network traffic is permitted between the wireless segment and the corporate LAN, the attacker may even consider getting a loyalty card.
One of the latest methods of attempting to breach wireless networks (even those running strong encryption with long passphrases) targets the Wi-Fi Protected Setup (WPS) functionality offered by newer access points. WPS is designed to make associating wireless devices with routers more consumer friendly. It supports several association models, but the one of most interest to an attacker is the PIN method. The WPS PIN is 8 digits long; entering it correctly establishes an association between the device and the router, after which the router hands over the passphrase needed to authenticate to the network.
In late 2011 it was revealed that the WPS PIN exchange is flawed in a way that dramatically weakens it against a brute force attack, in which the attacker tries every possible PIN until the correct one is found. The exchange validates the PIN in two halves: the router rejects the attempt as soon as the first 4 digits are wrong, before the last 4 are ever checked. An attacker can therefore recover the first 4 digits on their own and only then work on the remaining 4. On top of this, the last digit of the PIN is a checksum over the other seven, included to catch mistyped PINs, so the attacker computes it rather than guesses it and the second half shrinks to 3 unknown digits.
As a result the attacker needs at most 11,000 attempts (10^4 for the first half followed by 10^3 for the second) to find the whole PIN, rather than the 10^8 (100,000,000) attempts an 8-digit PIN treated as a whole would require. Since the attacker must wait for the router's acceptance or rejection message after each attempt (around 1.3 seconds), exhausting the full keyspace would take over 4 years; 11,000 attempts take under 4 hours.
The recommendation from suppliers is to disable WPS, or to upgrade to a firmware version that addresses the issue; after doing either, confirm with a wireless scan that the access point no longer advertises WPS. Even with this hole plugged, and strong encryption and passphrases in place, nothing stops an attacker from setting up rogue access points for unsuspecting users to connect to, or from sending de-authentication packets to knock chosen devices off a network. These attacks can be used to gather information such as login credentials, useful for attacks against individuals directly, or against companies while posing as legitimate users.
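The arithmetic above, worked through in code. This is an added example and not code from the original post: it models only the observable weakness (the access point reveals whether the first four digits are right before it looks at the rest, and the eighth digit is a checksum of the first seven) against a constructed stand-in access point that does not speak the real WPS protocol. The checksum routine follows the algorithm used by hostapd's `wps_pin_checksum`; the 1.3-second round trip is the post's figure, not a measurement; the target PINs are constructed.

```python
"""Worked model of the 2011 WPS PIN split-verification weakness.

Added example, not code from the original post. SplitVerifyingAP is a
constructed stand-in for an access point: it reproduces only the observable
behaviour (first half rejected before the second half is ever examined) and
does not implement the real WPS message exchange.
"""
from typing import Optional

SECONDS_PER_ATTEMPT = 1.3  # the post's figure for one PIN exchange round trip


def wps_pin_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits.

    Same algorithm as hostapd's wps_pin_checksum(): digits weighted
    3,1,3,1,3,1,3 from the right, summed, then padded up to a multiple of 10.
    """
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8: str) -> bool:
    """True when the string is 8 digits whose last digit is the correct checksum."""
    return (len(pin8) == 8 and pin8.isdigit()
            and int(pin8[7]) == wps_pin_checksum(int(pin8[:7])))


class SplitVerifyingAP:
    """Constructed stand-in for an access point with the flawed two-step check."""

    FIRST_HALF_BAD = "nack after M4"   # first four digits wrong
    SECOND_HALF_BAD = "nack after M6"  # first four right, last four wrong
    OK = "credentials sent"

    def __init__(self, pin8: str) -> None:
        if not is_valid_pin(pin8):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin8
        self.attempts = 0  # PIN exchanges the attacker has caused so far

    def try_pin(self, pin8: str) -> str:
        self.attempts += 1
        if pin8[:4] != self._pin[:4]:
            return self.FIRST_HALF_BAD
        if pin8[4:] != self._pin[4:]:
            return self.SECOND_HALF_BAD
        return self.OK


def recover_pin(ap: SplitVerifyingAP) -> Optional[str]:
    """Brute force the PIN half by half, exploiting the early rejection."""
    # Stage 1: at most 10^4 candidates; the second half is a placeholder.
    first4 = None
    for i in range(10_000):
        result = ap.try_pin(f"{i:04d}0000")
        if result == ap.OK:
            return f"{i:04d}0000"
        if result != ap.FIRST_HALF_BAD:
            first4 = f"{i:04d}"
            break
    if first4 is None:
        return None
    # Stage 2: only 10^3 candidates, because the 8th digit is computed.
    for j in range(1_000):
        first7 = first4 + f"{j:03d}"
        candidate = first7 + str(wps_pin_checksum(int(first7)))
        if ap.try_pin(candidate) == ap.OK:
            return candidate
    return None


def worst_case_attempts(split_verification: bool) -> int:
    """Keyspace the attacker must cover with and without the flaw."""
    return 10**4 + 10**3 if split_verification else 10**8


def attack_hours(attempts: int, seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    ap = SplitVerifyingAP("12345670")  # constructed target PIN
    print("recovered:", recover_pin(ap), "after", ap.attempts, "attempts")
    print(f"worst case with flaw: {attack_hours(worst_case_attempts(True)):.1f} hours")
    years = attack_hours(worst_case_attempts(False)) / (24 * 365)
    print(f"worst case without:   {years:.1f} years")
```

The stand-in never sees more than 11,000 attempts, and a PIN whose first half is 9999 and whose unknown second-half digits are 999 is the worst case; a real access point that rate-limits or locks WPS after a handful of failures would stretch the same 11,000 attempts out considerably, which is why the lock-out feature in later firmware matters as much as the PIN length.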
It is clear that as wireless networks have grown in popularity, their accessibility demands appropriate segregation. The protective measures around a wireless network need to be as strong as, if not stronger than, those around its Ethernet cousin. Once the physical walls are stripped away, a strong configuration is all that is left.
Stuart is a Consultant within Audit Advisory, specialising in ethical hacking. Stuart is experienced in both remote and onsite penetration tests, and has a keen interest in the vulnerabilities affecting wireless communications.
So, is enough attention paid to protecting fund managers' non-financial assets?
They say that information is power, and I’ve always thought that it’s particularly true in fund management. The very core of the business is about gathering information, analysing it and turning it into market-beating performance. ‘Inside information’ is so powerful that people go to prison when it’s in the wrong place. Many houses refer to their investment functions as ‘manufacturing’, but there’s no stock and no factory - information is the raw material and the output. This really is the peak of the ‘information economy’.
So, if any one business should recognise that information is worth protecting, it is fund management. Last week I ran a briefing session for Non-Executive Directors (NEDs) from the fund management sector, and was pleasantly surprised to see that this is very true of those charged with providing governance over these firms. NEDs recognised the risks of handling information such as live portfolio data, electronic payment instructions and clients' personal information.
In the briefing we talked about the new shape of the cyber threat – and I was a little taken aback by the level of engagement. It’s worth thinking about why I was so pleasantly surprised.
In the past I’ve heard fund managers decide not to prioritise cyber security on several grounds:
• “This sounds like science-fiction”
• “We’re not a high profile brand, so not an attractive target”
• “I’m not an investment bank, I haven’t got the resources to beat them”
During the discussion it came out that one London-based house trained its staff on this subject by attempting to value a memory card (like those in a mobile phone or a camera) containing their retail client database. Identity thieves will pay big money for personal information – and given that these databases usually hold bank account and “know your customer” information for many high net worth individuals, they’re an attractive target. So attractive, this house reckoned, that their little memory card was more valuable per square centimetre than the Mona Lisa.
So it's likely that an economically rational fraudster will one day target that database, the systems that transfer billions of pounds (whether run in-house or by an outsourced provider), or even pre-trade information that can easily be monetised in the market.
But this has been true for a few years, so what’s changed? In our discussion we focussed on criminal gangs who are skilled, resourced and determined. These are part of the new internet threat that has to some extent replaced the ‘old’ threats of viruses written by loners pursuing only cyber-kudos from their peers. So how does the new cyber threat relate to those risk attitudes I mentioned earlier? Here’s my view:
- This is real and it's happening now. There are plenty of doom-merchants trying to scare people, but there is, at minimum, a kernel of truth here. Firms are being attacked, and they don't speak about it for fear of client redemptions.
- A high profile brand might make casual attacks more likely, but organised criminals are willing to do fieldwork. They look past the first few results on Google, and will target organisations that are less likely to go public about problems and less likely to pursue them through the courts.
- In any case, the likelihood may be debatable, but fund managers will be just as out-of-a-job as anyone else after a successful attack.
- Even the world’s largest investment banks admit that they can’t stop the criminals getting through every time. Increasingly, efforts are turning towards effective preparation for and response to breaches. This levels the playing field with criminals going for the firms that can’t act quickly and decisively when things go wrong.
Imagine the Mona Lisa left on a bench in a London street - it wouldn’t stay there for very long. It dawned on our group that every day firms expect internet criminals (not to mention all their employees and contractors) to simply walk past assets a lot like these and not be tempted.
Jon is a Director in Deloitte’s Enterprise Risk Services practice. Jon is an Asset Management technology risk specialist, having previously been Head of Technology Risk for a leading UK fund manager for over six years. He has led operational risk programmes covering 3rd party management, procurement, business continuity, project assurance and security.
Today the average ethical hacker's (or penetration tester's) skillset is a lot more complex than "breaking into networks". This has been an evolution in response to the changing security landscape. When I started, not once did I think I would find myself pretending to be someone I'm not, using pin-hole cameras, Neuro-linguistic Programming (NLP) and lock-picking as part of my skillset. I honestly thought I was a computer guy!
The rapid pace of change in the way organisations do business has produced new models, services and products that we would not have imagined a decade ago. As a side effect, this evolution has also changed the playing field for criminal organisations: along with new ways of doing business, communicating and going about our daily lives, it has provided new opportunities for theft and fraud.
Today information has moved beyond the IT department, just as hacking has moved beyond the classic portrayal of Matthew Broderick as the teenage hacker in "War Games" or Angelina Jolie in "Hackers". Hacking is now a multi-billion criminal industry in which botnets can be bought in bundles of hundreds or thousands of machines, alongside click-to-hack exploit kits that require no technical knowledge at all.
There is an established pattern of organised crime targeting the human element to reach the information it wants, sometimes bypassing traditional IT defences altogether through social engineering techniques such as phishing.
However, as cybercrime becomes more involved and sophisticated, so does cyber security. It has become apparent that static, defensive measures, while still important, no longer provide sufficient protection against dynamic, targeted threats to an organisation's physical assets or digital information; we need to engage in what we could call a "cyber security transformation". By taking advantage of emerging and maturing techniques and technologies, along with specialised skillsets, businesses can improve their security posture through more proactive threat management and incident response.
It may sound complicated, but we simply need to start thinking along the three pillars of cyber security transformation:
• Awareness - Real time threat intelligence, identifying existing vulnerabilities and continuous monitoring and service improvement.
• Preparedness – Being able to anticipate, assess, plan and prepare for a cyber-attack.
• Response – Attacks will happen. How do we respond, contain and manage the impact?
Ari is a Senior Manager within Enterprise Risk Services with over 12 years of information security and ethical hacking experience. Ari is an experienced penetration testing consultant and engagement manager with notable experience in extensive and complex multi-tiered security engagements as well as an extensive background in security operations.
In less than 300 seconds you can experience the speed and intensity of a cyber attack. Today companies can defend themselves, taking control of the situation -- effectively fighting back. Are you prepared?
There is rightly a certain amount of cynicism around the headlines about cyber threats. Between wildly varying estimates of the billions that cyber crime costs businesses, and the perception that the attackers are either opportunistic individuals or state-sponsored aggressors (sometimes a combination of the two), cyber has often been seen as an issue for government and the 'techies' to worry about.
Putting the imagery aside, however, the explosion of stories has produced an awakening: most businesses now recognise there is a threat. What they struggle with is knowing how big a problem it is for them, and what they can then do about it.
Of course, there are still servers to protect, firewalls to maintain and malicious emails to be filtered, but given what’s at stake there’s a response needed from much higher up the organisation too. Pressure on Boards and Audit Committees is growing - to pay attention to cyber as a business risk, rather than a technical one.
While the ‘cost of cyber crime’ may be a contested figure depending on whose research you read, the reality is that no CEO will want the news that the payments processing systems have been taken down, or customer details have been leaked online.
A "zero-day" is a previously unknown vulnerability in a software package or hardware component for which no fix exists, usually because neither the vendor nor the wider information security industry is yet aware of it. The name refers to the number of days defenders have had to prepare: none.
Zero-days are commonly used to propagate malware among computers running the vulnerable software; for example, the well-known 'Stuxnet' malware exploited a zero-day in Windows' handling of shortcut (.lnk) files to spread via USB storage media.
But not all zero-days are born equal. Some only let the attacker crash the targeted system, while others let the attacker take full control of it and use it as a base for further attacks. In the latter case, the zero-day may give an attacker unfettered access to an organisation's IT assets.
The business impacts include, but are not limited to, reputational damage, theft of client / customer information and intellectual property, disruption of business as usual activities and the destruction of information assets.