How Cyber Spies Infiltrate Business Systems

snydeq writes "InfoWorld's Bob Violino reports on the quiet threat to today's business: cyber spies on network systems. According to observers, 75 percent of companies have been infected with undetected, targeted attacks — ones that typically exploit multiple weaknesses with the ultimate goal of compromising a specific account. Such attacks often begin by correlating publicly available information to access a single system. From there, the entire environment can be gradually traversed enabling attackers to place monitoring software in out-of-the-way systems, such as log servers, where IT often doesn't look for intrusions. 'They collect the data and send it out, such as via FTP, in small amounts over time, so they don't rise over the noise of normal traffic and call attention to themselves,' Violino writes. 'There's probably no way you can completely protect your organization against the increasingly sophisticated attacks by foreign and domestic spies. That's especially true if the attacks are coming from foreign governments, because nations have resources that most companies do not possess.'"

Cyber Spies

[omni123]

When are we going to get over this cyber prefix bs?

A spy is a spy a spy. You don't call them "gun spies" or "explosive spies". Technology is a tool like anything else.

Re:Cyber Spies

[teh+moges]

I like your idea of calling non-cyberspies 'meatspies' from now on.

Re:Cyber Spies

[Trepidity]

Here's what Ted Nelson had to say about it:

"Cyber-" means 'I do not know what I am talking about'

"Cyber-" is from the Greek root for "steersman" (kybernetikos). Norbert Wiener coined the term "cybernetics" for anything which used feedback to correct things, in the way that you continually steer to left or right to correct the direction of a bicycle or a car. So "cybernetics" really refers to control linkages, the way things are connected to control things.

Because he was writing in the nineteen-forties, and all of this was new, Wiener believed that computers would be principally used for control linkages-- which is if course one area of their use.

But the term "cybernetics" has caused hopeless confusion, as it was used by the uninformed to refer to every area of computers. And people would coin silly words beginning with "cyber-" to expand ideas they did not understand. Words like "cyberware", "cyberculture", "cyberlife" hardly mean anything. In general, then, words beginning with "cyber-" mean "either I do not know what I am talking about, or I am trying to fool and confuse you" (as in my suggested cybercrud).

Article says to do it in-house?

[Meshach]

From the FA:

If your company has the resources and the expertise, consider developing your own specialized tools to help thwart attacks.

Unless your company is a security or firewall provider I find it hard to believe that anything developed in-house will be better than a commercially available product.

Re:Article says to do it in-house?

[shaitand]

Yes it will. Hackers/Hacking organizations have limited resources just like companies do. They spend their time finding and educating themselves on exploits in the most popular commercially available products because it yields the most bang for the buck.

In fact, many of these attacks begin with a scan to seek out vulnerable software.

Oh noes!

[countSudoku()]

The packets are coming from INSIDE YOUR NETWORK!!1! GET OUT FAST!!1!

Seriously, just fire up nmap and start scanning your internal work networks and some key systems. If the security and network admins don't show up in your cube within 30 minutes, you might have a problem that no amount of products from CA/Symantec could ever hope to solve. Yet, they WILL sell them to you nonetheless.

Knowledge beats paranoia
Spock smashes Scissors and vaporizes Rock

Your mileage may vary.

Thought of this sort of thing in 2004

[StCredZero]

I thought of this sort of thing in 2004 with some coworkers. The scenario we came up with would be for a disgruntled employee to query trading app databases (unencrypted) and export the data in dribs and drabs using FTP. Outgoing FTP was wide open. The place where we were working (major petroleum multinational) the information could have been used by competitors to make a killing doing commodity trading, possibly even corner a market.

The problem's not the technology. There's always security holes. It's relatively easy to get your hands on something illegally. It's safely making money off of it which is the problem. No way I'd want the kind of heat a major petroleum multinational could hire going after my ass!

Re:Wait what?

[shaitand]

These days I work for a network security monitoring company. We have only fortune 500 customers and a number of large state organizations.

All I can say is ROFL. That made my day, really, it did it made my day.

State is even worse than corporate and corporate is bad enough. They have so many ridiculous security policies mandated while leaving gaping holes the size of Texas open. It's all about keeping the illusion of security really.

We have live security staff monitoring their systems and we do it. We monitor and in some cases manage firewalls and have IDS/IDP systems in place and we monitor those as well. Additionally, we sell security and some enterprise grade network gear.

So here is how it goes. An IDS at undisclosed location flags a SQL attack sequence in the form on a major website. We get the alert, determine a complex SQL sequence in network traffic is pretty distinct and not usually a false positive.

So I put down my putting iron and run to the phone to notify the customer during the 15 minute SLA.

Joe "This is Joe, help desk, may I have your name?"

Me "Hey Joe, this is lord vader at company x. We have detected an attack in your network stream. Our automated systems detected and blocked this attack but we highly recommend having the appropriate admins check your web/SQL servers and firewall logs for any suspicious activity."

Joe "I'm not really sure what all that means but I'll submit a ticket."

24 hours later I get a notification that Joe closed his ticket, there are no updates from any admins.

It's a joke, most companies think that having 'enterprise' AV means they don't have viruses/malware and having IDS means they are safe from network attack. They think having overzealous security policy means they are secure.

The reality is no automated system replaces attentive personal and any security policy that interferes with day to day business will be bypassed in some fashion or worked around at any opportunity.

Another example from back when I did service work. We had a bank call us. They were just inspected and the security inspector told them they had to have a firewall with intrusion detection. They called us because they had to be in compliance. They basically had NO security and no a single firewall in the shop. They even had remote access setup on systems with modems on the banking network!

So we prepare a proposal that would get them a solid firewall and an intrusion detection system and lock down the glaring security holes.

They turn us down. Instead they bought one copy of Norton Internet Security and installed it on a system. Technically, they had a firewall that lists intrusion detection as a feature now and this brought them into compliance.

Re:Windows is more secure than ever!

[causality]

Did you notice the story is about targeted attacks? OS doesn't have much to do with those. In fact since these are companies internal networks and servers and not workstations, I suspect they actually run some UNIX variant.

On that one you are absolutely correct and it is good that someone pointed this out. What Unix and Unix-like systems and their users tend to be highly resistant to are the automated attacks to which Windows systems and users are often vulnerable. These include trojans, self-propogating worms and viruses, and items of that nature. In the case of an automated attack, one system (the malware) is being pitted against another system (Windows, Unix, etc). Unix and Unix-like systems and their users generally do not experience automated viruses infecting machines in the wild today. After the Morris worm they tend to have learned not to repeat the mistakes that make such things feasible.

However, a targeted attack conducted by a determined adversary is an entirely different scenario. This is not one system pitted against another system. This is an attacker using any system pitted against a defender using any system. In that sense it's more like a game of chess. There is a very real chance of the attacker prevailing. In some ways, the deck is stacked against the defender because the defender must correctly deal with all practical methods of compromise while the attacker only needs to find the one thing that was overlooked. That might be a technical attack or it might be a low-tech social engineering attack, or both.

For automated attacks you only need to be secure enough to raise the bar beyond the capabilities that can be expected from a scripted program. Since we do not have true artificial intelligence, this is feasible. For a knowledgable and truly determined adversary, what you really want is perfect security but this is not possible. The best you can do is to be so difficult to compromise that the cost of doing so is higher than anything the attacker would gain from succeeding. Even then there may be a personal vendetta that makes the attacker irrationally persist at any cost. It's an entirely different threat model.