Slashdot Mirror


How Cyber Spies Infiltrate Business Systems

snydeq writes "InfoWorld's Bob Violino reports on the quiet threat to today's business: cyber spies on network systems. According to observers, 75 percent of companies have been infected with undetected, targeted attacks — ones that typically exploit multiple weaknesses with the ultimate goal of compromising a specific account. Such attacks often begin by correlating publicly available information to access a single system. From there, the entire environment can be gradually traversed enabling attackers to place monitoring software in out-of-the-way systems, such as log servers, where IT often doesn't look for intrusions. 'They collect the data and send it out, such as via FTP, in small amounts over time, so they don't rise over the noise of normal traffic and call attention to themselves,' Violino writes. 'There's probably no way you can completely protect your organization against the increasingly sophisticated attacks by foreign and domestic spies. That's especially true if the attacks are coming from foreign governments, because nations have resources that most companies do not possess.'"
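
The summary's point that the data goes out "in small amounts over time" so it stays under the noise is exactly the pattern a volume-per-transfer rule misses. The detector below is an added example, not code from InfoWorld, Violino or this thread: it aggregates outbound FTP sessions per (internal host, external server) over a sliding window and flags pairs where every session is small but the count and the cumulative bytes are not. The flow format, thresholds, addresses and timestamps are all constructed for the demonstration.

```python
"""Low-and-slow outbound FTP detection over constructed flow records.

Added example: not from the InfoWorld article or the thread. The flow
format, thresholds and addresses below are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tunables (assumed for the example). The idea: many sessions, each small
# enough to slip under a "large transfer" rule, that add up over a window.
FTP_PORTS = {20, 21}
WINDOW = timedelta(days=7)
MIN_SESSIONS = 8
MIN_TOTAL_BYTES = 10_000
MAX_SESSION_BYTES = 4096

# RFC 1918 space counts as internal. Checked explicitly rather than with
# ip_address().is_private, which also treats the 203.0.113.0/24 and
# 198.51.100.0/24 documentation ranges used below as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: "<timestamp> <src> <dst> <dst_port> <bytes_out>".
SAMPLE_FLOWS = """
# ten small uploads from one host to one external FTP server over four days
2010-01-04T09:02:11 10.20.5.17 203.0.113.9 21 1480
2010-01-04T11:37:05 10.20.5.17 203.0.113.9 21 1320
2010-01-04T15:48:52 10.20.5.17 203.0.113.9 21 1610
2010-01-05T08:55:19 10.20.5.17 203.0.113.9 21 1275
2010-01-05T13:02:40 10.20.5.17 203.0.113.9 21 1505
2010-01-05T17:21:03 10.20.5.17 203.0.113.9 21 1390
2010-01-06T09:14:27 10.20.5.17 203.0.113.9 21 1444
2010-01-06T12:40:58 10.20.5.17 203.0.113.9 21 1358
2010-01-06T16:05:31 10.20.5.17 203.0.113.9 21 1522
2010-01-07T10:26:12 10.20.5.17 203.0.113.9 21 1299
# one big upload: a large-transfer rule's job, not this one's
2010-01-04T14:00:00 10.20.7.3 198.51.100.20 21 52000000
# two small sessions: too few to matter
2010-01-05T09:30:00 10.20.9.8 203.0.113.50 21 900
2010-01-06T09:30:00 10.20.9.8 203.0.113.50 21 880
# internal FTP and non-FTP traffic from the suspicious host: ignored
2010-01-04T09:05:00 10.20.5.17 10.20.1.5 21 1480
2010-01-05T09:05:00 10.20.5.17 10.20.1.5 21 1480
2010-01-04T09:06:00 10.20.5.17 203.0.113.9 443 1480
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    sessions: int
    total_bytes: int
    max_bytes: int
    first: datetime
    last: datetime


def parse_flows(text):
    """Parse the whitespace-separated flow records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def is_outbound_ftp(flow):
    return flow.dport in FTP_PORTS and is_internal(flow.src) and not is_internal(flow.dst)


def detect_low_and_slow(flows):
    """Return {(src, dst): Finding} for pairs with many small FTP sessions inside WINDOW."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_outbound_ftp(f):
            by_pair[(f.src, f.dst)].append(f)

    findings = {}
    for pair, sessions in by_pair.items():
        sessions.sort(key=lambda f: f.ts)
        best, end = None, 0
        for start in range(len(sessions)):
            # advance `end` so sessions[start:end] is everything within WINDOW of the start
            while end < len(sessions) and sessions[end].ts - sessions[start].ts <= WINDOW:
                end += 1
            window = sessions[start:end]
            total = sum(f.nbytes for f in window)
            biggest = max(f.nbytes for f in window)
            if len(window) >= MIN_SESSIONS and total >= MIN_TOTAL_BYTES and biggest <= MAX_SESSION_BYTES:
                cand = Finding(pair[0], pair[1], len(window), total, biggest, window[0].ts, window[-1].ts)
                if best is None or cand.sessions > best.sessions:
                    best = cand
        if best is not None:
            findings[pair] = best
    return findings


def run_example():
    return detect_low_and_slow(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for (src, dst), f in run_example().items():
        print(f"{src} -> {dst}: {f.sessions} sessions, {f.total_bytes} bytes, "
              f"largest {f.max_bytes}, {f.first:%Y-%m-%d} to {f.last:%Y-%m-%d}")
```

Only the host with ten sub-4 KB sessions is reported; the single 52 MB upload and the two-session host are left for other rules. In practice the same aggregation is worth running on any egress channel the thread mentions, not just FTP, with thresholds tuned to the site's own baseline.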

25 of 83 comments

  1. Cyber Spies by omni123 · Score: 5, Insightful

    When are we going to get over this cyber prefix bs?

    A spy is a spy is a spy. You don't call them "gun spies" or "explosive spies". Technology is a tool like anything else.

    1. Re:Cyber Spies by bsDaemon · Score: 2, Interesting

      No, but I saw on NOVA one time that they were going to have "Astro Spies," but satellite technology got good enough fast enough to cancel the project (Manned Orbital Lab). James Bamford, who also wrote a bunch of really good books on the NSA, researched the thing. But, back on topic, I think "cyber" is used to indicate that the spying isn't being done in "meat space" as the kids say. Why it isn't just deemed a logical extension of signals intelligence, or just called "hacking" like they used to, is somewhat of a mystery however.

    2. Re:Cyber Spies by teh moges · Score: 5, Funny

      I like your idea of calling non-cyberspies 'meatspies' from now on.

    3. Re:Cyber Spies by RJFerret · Score: 2, Funny

      When are we going to get over this cyber prefix bs?

      Yes, let's get with the modern era and lingo, they will henceforth be known by the friendlier tech term: iSpy.

    4. Re:Cyber Spies by Trepidity · Score: 4, Informative

      Here's what Ted Nelson had to say about it:

      "Cyber-" means 'I do not know what I am talking about'

      "Cyber-" is from the Greek root for "steersman" (kybernetikos). Norbert Wiener coined the term "cybernetics" for anything which used feedback to correct things, in the way that you continually steer to left or right to correct the direction of a bicycle or a car. So "cybernetics" really refers to control linkages, the way things are connected to control things.

      Because he was writing in the nineteen-forties, and all of this was new, Wiener believed that computers would be principally used for control linkages-- which is of course one area of their use.

      But the term "cybernetics" has caused hopeless confusion, as it was used by the uninformed to refer to every area of computers. And people would coin silly words beginning with "cyber-" to expand ideas they did not understand. Words like "cyberware", "cyberculture", "cyberlife" hardly mean anything. In general, then, words beginning with "cyber-" mean "either I do not know what I am talking about, or I am trying to fool and confuse you" (as in my suggested cybercrud).

    5. Re:Cyber Spies by Sr. Zezinho · Score: 2, Funny

      So cybersex is an example of proper usage of the prefix?

      --
      os trabalhos e os dias: http://zmoreira.net

    6. Re:Cyber Spies by gtall · Score: 2, Informative

      To go back further, it was called "cracking". "Hacking" was reserved for taking a program and modifying it or merely writing a program, there was no malfeasance implied.

  2. Article says to do it in-house? by Meshach · Score: 5, Insightful

    From the FA:

    If your company has the resources and the expertise, consider developing your own specialized tools to help thwart attacks.

    Unless your company is a security or firewall provider I find it hard to believe that anything developed in-house will be better than a commercially available product.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley

    1. Re:Article says to do it in-house? by shaitand · Score: 4, Interesting

      Yes it will. Hackers/Hacking organizations have limited resources just like companies do. They spend their time finding and educating themselves on exploits in the most popular commercially available products because it yields the most bang for the buck.

      In fact, many of these attacks begin with a scan to seek out vulnerable software.

  3. Oh noes! by countSudoku() · Score: 4, Insightful

    The packets are coming from INSIDE YOUR NETWORK!!1! GET OUT FAST!!1!

    Seriously, just fire up nmap and start scanning your internal work networks and some key systems. If the security and network admins don't show up in your cube within 30 minutes, you might have a problem that no amount of products from CA/Symantec could ever hope to solve. Yet, they WILL sell them to you nonetheless.

    Knowledge beats paranoia
    Spock smashes Scissors and vaporizes Rock

    Your mileage may vary.

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?

  4. Thought of this sort of thing in 2004 by StCredZero · Score: 4, Insightful

    I thought of this sort of thing in 2004 with some coworkers. The scenario we came up with would be for a disgruntled employee to query trading app databases (unencrypted) and export the data in dribs and drabs using FTP. Outgoing FTP was wide open. At the place where we were working (a major petroleum multinational), the information could have been used by competitors to make a killing doing commodity trading, possibly even corner a market.

    The problem's not the technology. There are always security holes. It's relatively easy to get your hands on something illegally. It's safely making money off of it which is the problem. No way I'd want the kind of heat a major petroleum multinational could hire going after my ass!

    1. Re:Thought of this sort of thing in 2004 by bsDaemon · Score: 3, Funny

      I know... they might upload a virus into their shipping fleet's ballast control computers and blame it on you so the government can trash your shit for them. But it should all work out in the end, though, and you'll get the girl.

  5. fire up nmap and start scanning (Re:Oh noes!) by StCredZero · Score: 2, Interesting

    Seriously, just fire up nmap and start scanning your internal work networks and some key systems. If the security and network admins don't show up in your cube within 30 minutes, you might have a problem that no amount of products from CA/Symantec could ever hope to solve.

    Four jobs ago, I used to fire up nmap and scan the internal network, then tell the network admins where the trojans were! (No, I never put them there.)

    1. Re:fire up nmap and start scanning (Re:Oh noes!) by mandelbr0t · Score: 2, Funny

      Four jobs ago, I used to fire up nmap and scan the internal network, then tell the network admins where the trojans were! (No, I never put them there.)

      That would explain why it was four jobs ago...

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully

  6. Wait what? by moogied · Score: 3, Informative

    Maybe it's because I work for a large state's DOJ... but whose firewalls are just letting out random FTP connections? In our environment nothing goes in or out unless we directly state it should. It's all very controlled... that and a pretty hefty usage of enterprise level AV scans on each box, then IDS, then AV on emails, filtering on emails (can only go to certain addresses).. etc etc. I guess we take the "Large amount of work in exchange for very tightly controlled systems" approach. Maybe other places should too?

    --
    So basically, -1 troll/offtopic is really Slashdot's way of saying "I hate that you thought of something before me."

    1. Re:Wait what? by shaitand · Score: 5, Interesting

      These days I work for a network security monitoring company. We have only fortune 500 customers and a number of large state organizations.

      All I can say is ROFL. That made my day, really, it did, it made my day.

      State is even worse than corporate and corporate is bad enough. They have so many ridiculous security policies mandated while leaving gaping holes the size of Texas open. It's all about keeping the illusion of security really.

      We have live security staff monitoring their systems and we do it. We monitor and in some cases manage firewalls and have IDS/IDP systems in place and we monitor those as well. Additionally, we sell security and some enterprise grade network gear.

      So here is how it goes. An IDS at undisclosed location flags a SQL attack sequence in the form on a major website. We get the alert, determine a complex SQL sequence in network traffic is pretty distinct and not usually a false positive.

      So I put down my putting iron and run to the phone to notify the customer during the 15 minute SLA.

      Joe "This is Joe, help desk, may I have your name?"

      Me "Hey Joe, this is lord vader at company x. We have detected an attack in your network stream. Our automated systems detected and blocked this attack but we highly recommend having the appropriate admins check your web/SQL servers and firewall logs for any suspicious activity."

      Joe "I'm not really sure what all that means but I'll submit a ticket."

      24 hours later I get a notification that Joe closed his ticket, there are no updates from any admins.

      It's a joke, most companies think that having 'enterprise' AV means they don't have viruses/malware and having IDS means they are safe from network attack. They think having overzealous security policy means they are secure.

      The reality is no automated system replaces attentive personnel, and any security policy that interferes with day to day business will be bypassed in some fashion or worked around at any opportunity.

      Another example from back when I did service work. We had a bank call us. They were just inspected and the security inspector told them they had to have a firewall with intrusion detection. They called us because they had to be in compliance. They basically had NO security and not a single firewall in the shop. They even had remote access set up on systems with modems on the banking network!

      So we prepare a proposal that would get them a solid firewall and an intrusion detection system and lock down the glaring security holes.

      They turn us down. Instead they bought one copy of Norton Internet Security and installed it on a system. Technically, they had a firewall that lists intrusion detection as a feature now and this brought them into compliance.

  7. global search and replace by khasim · Score: 2, Funny

    s/cyber/blogosphere/g

    Amazingly enough, it has the exact same relevance.

  8. undetected attacks by Gitcho · Score: 2, Insightful

    According to observers, 75 percent of companies have been infected with undetected, targeted attacks

    anyone else wonder how that's measurable?

  9. Commercial? LOL !!!! by khasim · Score: 3, Interesting

    We use a 3rd party to monitor our sites and their IDS device runs snort.

    The best stuff out there is Open.

  10. Re:Windows is more secure than ever! by causality · Score: 5, Insightful

    Did you notice the story is about targeted attacks? OS doesn't have much to do with those. In fact since these are companies internal networks and servers and not workstations, I suspect they actually run some UNIX variant.

    On that one you are absolutely correct and it is good that someone pointed this out. What Unix and Unix-like systems and their users tend to be highly resistant to are the automated attacks to which Windows systems and users are often vulnerable. These include trojans, self-propagating worms and viruses, and items of that nature. In the case of an automated attack, one system (the malware) is being pitted against another system (Windows, Unix, etc). Unix and Unix-like systems and their users generally do not experience automated viruses infecting machines in the wild today. After the Morris worm they tend to have learned not to repeat the mistakes that make such things feasible.

    However, a targeted attack conducted by a determined adversary is an entirely different scenario. This is not one system pitted against another system. This is an attacker using any system pitted against a defender using any system. In that sense it's more like a game of chess. There is a very real chance of the attacker prevailing. In some ways, the deck is stacked against the defender because the defender must correctly deal with all practical methods of compromise while the attacker only needs to find the one thing that was overlooked. That might be a technical attack or it might be a low-tech social engineering attack, or both.

    For automated attacks you only need to be secure enough to raise the bar beyond the capabilities that can be expected from a scripted program. Since we do not have true artificial intelligence, this is feasible. For a knowledgeable and truly determined adversary, what you really want is perfect security but this is not possible. The best you can do is to be so difficult to compromise that the cost of doing so is higher than anything the attacker would gain from succeeding. Even then there may be a personal vendetta that makes the attacker irrationally persist at any cost. It's an entirely different threat model.

    --
    It is a miracle that curiosity survives formal education. - Einstein

  11. Hmmm, 75% of companies? by Gavin Scott · Score: 2, Insightful

    "According to observers, 75 percent of companies have been infected with undetected, targeted attacks"

    These "observers" wouldn't happen to be people with a vested interest in the cyber-security industry would they?

    This sounds a lot like "75% of the population has an undetectable terminal disease with no symptoms and so everyone needs to buy our miracle cure right away!"

    Or Dogbert has upgraded his invisible robots...

    http://www.hulu.com/watch/78089/dilbert-animated-cartoons-invisible-robot

    Color me skeptical on this claim.

    G.

  12. Anywhere that deals with large files by dbIII · Score: 3, Insightful

    Anywhere that deals with large files allows "random" FTP connections so employees can pick up data from clients. Email is a crappy way to send large files so FTP still fills the gap. Using something like sftp would of course be vastly better but not many people even know it exists.

  13. Re:Windows is more secure than ever! by turbidostato · Score: 2, Insightful

    "Did you notice the story is about targeted attacks? OS doesn't have much to do with those. In fact since these are companies internal networks and servers and not workstations"

    Since these are companies internal networks the best bastion to launch an attack from is oh, surprise! an internal workstation (after all they usually access the servers, don't they?) and guess what the system is most probably such a workstation's going to run? Why should I hack a server when I can easily hack a workstation (and even easier a laptop) which will trustfully gain access as expected to the servers?

  14. Re:Windows is more secure than ever! by mlts · Score: 2, Informative

    The way to protect against a dedicated attack is compartmentalization. Connectivity is important, but companies need to structure not just machines, but the IT organization, to resist compromise.

    For example, log servers. These machines have to be *completely separated* from anything else in the company except the network. They can't use LUNs on a SAN (or else the storage admin can tamper with logs.) They can't use the corporate backup system (or else the backup admin can restore a tampered log.) They can't be run by the Windows or UNIX admins or else a compromised admin (or a blackhat) can compromise the machines, then the log server to completely hide tracks, or to perhaps cause damage. If you are running a program like Splunk, you don't run the thing on the log servers; you run it on a read-only mirror so people who have access to Splunk do not have access to tamper with the logs.

    You can't "silo" the department so that everyone works in little walled areas with no inter-group communication, but you have to have separation of duties so the damage done by a compromised employee can be mitigated.
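
The comment's design goal is that nobody who can reach the log server, a storage admin, a backup admin or a compromised OS admin, can rewrite or drop entries without it showing. A detective control that goes a step beyond what the comment describes is to hash-chain the log on the isolated server and publish only the chain head out of band, so the read-only mirror that analysts (the Splunk users in the comment) work from can be re-verified against that head at any time. This is an added example, not code from the comment or from Splunk or any other product; the record layout, hostnames and messages are constructed, and the chain is plain SHA-256 over the previous hash and the canonical JSON of each record.

```python
"""Hash-chained log whose head is published out of band, so a read-only
mirror can be checked for edits, deletions and truncation.

Added example: not from the comment or any product. Record layout and
sample records are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # head value of an empty log


def entry_hash(prev_hash, record):
    """Bind this record to the whole chain before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    # sort_keys + fixed separators give one canonical encoding per record
    h.update(json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return h.hexdigest()


def append_records(entries, records):
    """What the isolated log server does: extend the chain and return the new head.

    The returned head is what gets written to a place no admin of the
    log server can reach (a printed ledger, a WORM share, another team).
    """
    prev = entries[-1]["hash"] if entries else GENESIS
    for rec in records:
        prev = entry_hash(prev, rec)
        entries.append({"record": rec, "hash": prev})
    return prev


def verify_mirror(entries, published_head):
    """Recompute the chain over a mirror copy.

    Returns (True, None) if intact, or (False, i) where i is the index of the
    first entry that does not match. i == len(entries) means the mirror is
    missing entries at the end (truncated copy, or a stale head).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if prev != published_head:
        return False, len(entries)
    return True, None


# Constructed records, the kind a log server receives from a web tier.
SAMPLE_RECORDS = [
    {"ts": "2010-01-04T09:02:11", "host": "web01", "msg": "sshd: Accepted publickey for deploy"},
    {"ts": "2010-01-04T09:02:40", "host": "web01", "msg": "sudo: deploy : COMMAND=/sbin/service httpd restart"},
    {"ts": "2010-01-04T09:03:05", "host": "web01", "msg": "httpd: config reloaded"},
    {"ts": "2010-01-04T09:05:17", "host": "web01", "msg": "sshd: Failed password for root from 10.20.5.17"},
]


def demo():
    """Build the log, publish its head, then check three mirror copies."""
    log = []
    head = append_records(log, SAMPLE_RECORDS)  # head goes to the out-of-band ledger

    intact = copy.deepcopy(log)
    edited = copy.deepcopy(log)
    edited[1]["record"]["msg"] = "cron: session opened"  # someone rewrites an entry
    truncated = copy.deepcopy(log)[:-1]                   # the last entry was dropped

    return {
        "intact": verify_mirror(intact, head),
        "edited": verify_mirror(edited, head),
        "truncated": verify_mirror(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, where) in demo().items():
        print(f"{name:9s} {'OK' if ok else f'TAMPERED at entry {where}'}")
```

The chain only helps if the head lives where the log server's admins cannot write, which is the same separation-of-duties argument the comment makes for storage and backups; a mirror can also be cross-checked by anyone holding the head, so the check itself needs no privilege on the log server.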

  15. Oh, FFS by cheros · Score: 2, Insightful

    Someone in need of some new fear? Products to sell or a new restrictive law coming up? Journo in need of hits?

    1 - Secure what are secrets, and please lose the idea that security is a technical problem. It's a people problem first. You have information because you work with it, and anyone able to access that data as part of their work is a potential leak in itself.

    2 - Any observation takes effort, so espionage is typically focused - stay alert if you're doing something interesting.

    3 - The more data you collect, the larger the haystack becomes for a needle to hide in. What happened on 9/11 demonstrated quite clearly that HUMINT is the best, but is a lot more costly. The TSA kindly proved afterwards that doing it any other way is just a way to make a couple of people very rich, but it won't contribute to security. Oh, and it proved that you don't even need to go abroad to find an untrustworthy government.

    4 - Stop worrying people about what can go wrong. Every time of the day we are exposed to threats. The builder may have used asbestos, some driver may be on drugs and run you over, your secretary may start leaking data about your affair - prevent what you can, and plan for what you cannot, then get on with your life.

    5 - If you want security checked, use an expert. And by that I don't mean someone who can wave some certification around, that is great for clueless HR types to avoid blame for picking the wrong person, READ the CV. The good ones LIVE their work, and not all of them have bothered getting certified. Check, check again, and if it's critical have the work cross checked with someone else. Do NOT expect consultancies to be better or worse, I have seen risk management done by a Big Name setup that wasn't worth 1/10th of what a client paid for it and actually put lives at risk if there had been a crisis. Ditto with security.

    6 - Remember the law. If you let your security be tested by a setup that has been put under order to report back (UK Regulation of Investigative Powers Act springs to mind) you have just given a list of weaknesses to that same government you were so worried about. It may pay to look abroad, where such reports will have to be stored properly and cannot be accessed other than by leaving a paper trail.

    Just don't think that buying a lot of kit will sort it all out, or that there is such a thing as risk free operations. Plan for failure so you can deal with it if it happens and. do. not. forget. the. people. in. this. effort..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.