OK, there have been a lot of reported cyber attacks lately, from the Google attacks last year to Stuxnet to all of the energy and oil companies to governments and defense contractors like Lockheed Martin and Sony being attacked these last few days. I get a lot of questions like: how do you know you were hacked, and how do you tell what was taken?
The answers to these questions come down to logs. All server software, and much other software, writes log files. These are files that detail what has been happening: who is trying to log in and whether it succeeded, where they logged in from, whether they connected out again and what they did while logged in. Even Windows does a lot of this type of logging, and you can see the results in various tools built into the operating system.
So if all this logging is being done, how come companies get hacked? Well, a lot of people think this is someone else’s problem and they never even look at the logs. A lot of companies seem to work on the principle “we would notice and we would stop it.” But they only notice when the title of this post is put on their web site, probably the last thing the attackers do, and most times we see this now it’s there as a ruse to make the attack look like it was done by some kids out for lulz. Not a lot of kids are doing that anymore; kids smart enough to do this are not stupid enough to try it very often. Nope, the attacks aren’t done that often by kids but by thieves and criminals who are smart enough to get the tools to do this but, in some cases, not smart enough to clean up afterward, and in others smart enough to do it and leave ‘plausible deniability’ if they work for a state or state-like player.
These attacks have mostly fallen into a pattern: attack an external website, get into it, then collect enough data to get from it into the company’s main network. Once in there, get more info to get into the most secure parts of the network, then scoop and run. To get into the first part, the web world of a company, you start by getting in as far as they will let you, then look for a way further: probing, searching, trying stuff. Then use ‘social engineering’ to get the company’s own employees to either give you the info you need or let you in.
Once in, put some malware on the system to mine it for passwords and info to get from there into the secure company network. So say an admin logs into the web server. If it’s rooted (the attackers have gotten the root password or administrator privileges) they can read the logs, have a key logger running, and copy off the password file for brute-force attacks, and since people use the same login and password in more than one spot, eventually they get a user password that lets them into the main network. Then stir well and repeat on the main network. This is not a how-to-hack post, so no more detail; just know that if you keep poking long enough and no one stops you, you will get in.
At the heart of all these attacks are three main things: social engineering, unpatched systems with holes, and companies detecting the attacks too late because they aren’t using the right intrusion detection tools or processes. So how do you stop being attacked and cracked? Well, first accept the fact that someone is trying to do this, and that if what you do is good enough to make you money, someone else could make money by taking your info. So the first thing is to be alert. Second, update everything all the time, and then assume you haven’t updated enough. Third, do everything you can to stop phishing and social engineering attacks, starting with educating everyone who works for you. It’s your best weapon; use it and push it ruthlessly. And finally, intrusion detection: read your logs, have computers read your logs, and then keep an eye on your logs.
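Here is an added example of what “have computers read your logs” can look like in practice; it is not code from the original post. It parses a handful of constructed OpenSSH-style auth log lines (the host name, user names and IP addresses are made up) and raises two of the alerts the post describes: a burst of failed logins from one source, optionally followed by a success from the same source, and a successful login for a user from a location not in that user’s known baseline. The baseline dictionary and the year used for the timestamps are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log; not from any real system.
SAMPLE_LOG = """\
Jun  1 10:00:01 web1 sshd[1201]: Accepted password for alice from 198.51.100.20 port 50112 ssh2
Jun  1 10:02:11 web1 sshd[1210]: Failed password for admin from 203.0.113.9 port 4412 ssh2
Jun  1 10:02:13 web1 sshd[1211]: Failed password for admin from 203.0.113.9 port 4413 ssh2
Jun  1 10:02:15 web1 sshd[1212]: Failed password for admin from 203.0.113.9 port 4414 ssh2
Jun  1 10:02:18 web1 sshd[1213]: Failed password for admin from 203.0.113.9 port 4415 ssh2
Jun  1 10:02:20 web1 sshd[1214]: Failed password for admin from 203.0.113.9 port 4416 ssh2
Jun  1 10:02:44 web1 sshd[1220]: Accepted password for admin from 203.0.113.9 port 4450 ssh2
Jun  1 11:15:02 web1 sshd[1301]: Accepted password for alice from 198.51.100.20 port 50310 ssh2
"""

# Assumed baseline of where each user normally logs in from (built from earlier, reviewed logs).
KNOWN_LOCATIONS = {"alice": {"198.51.100.20"}, "admin": {"192.0.2.10"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2011):
    """Turn raw log lines into event dicts; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not password-auth events are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (ip, user) pairs with at least `threshold` failures inside a sliding window,
    and record whether a successful login from that ip followed shortly after."""
    failures = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            failures[(ev["ip"], ev["user"])].append(ev["ts"])
    alerts = []
    for (ip, user), times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                success_after = any(
                    e["ok"] and e["ip"] == ip and times[i] <= e["ts"] <= times[j] + window
                    for e in events)
                alerts.append({"ip": ip, "user": user, "failures": j - i + 1,
                               "success_after": success_after})
                break  # one alert per pair is enough for the reviewer
    return alerts


def detect_new_locations(events, known):
    """Successful logins from an IP that is not in the user's known-location baseline."""
    return [{"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"]}
            for ev in events
            if ev["ok"] and ev["ip"] not in known.get(ev["user"], set())]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for a in detect_brute_force(evs):
        print(f"brute force: {a['failures']} failures for {a['user']} from {a['ip']}, "
              f"later success from same ip: {a['success_after']}")
    for a in detect_new_locations(evs, KNOWN_LOCATIONS):
        print(f"new location: {a['user']} logged in from {a['ip']} at {a['ts']}")
```

Run against the constructed lines this reports one brute-force burst against `admin` that was followed by a success from the same address, and one login for `admin` from an address outside its baseline; on a real host the same logic would be fed from the actual auth log and the baseline kept up to date from reviewed logins.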
And then do boundary checks, checks on data going out onto the network; use honey-pots, false data, and multiple layers of protection, defense in depth; anything to let you know something is happening before you lose the data you need to protect. Encrypt everything and only decrypt it when you really need to have it. Stop people from having their own copies, track all copies, and make sure that they are destroyed when not needed.
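As an added example of the “false data” and “checks on data going out” idea (not code from the original post), the block below plants a few constructed canary records that exist nowhere legitimately and then scans constructed outbound flows for them, alongside a plain volume check against destinations that are not on an allow list. The record values, destinations and thresholds are all made up for the example; the point is that false data costs nothing to seed and turns any outbound appearance of it into an unambiguous signal.

```python
# Constructed canary records: fictitious customers seeded into the real data set.
# They are never used by legitimate processes, so any outbound copy is a leak.
CANARY_RECORDS = [
    {"email": "q.bellweather@example.invalid", "account": "ACCT-00041993"},
    {"email": "s.harrowgate@example.invalid", "account": "ACCT-00078102"},
]

# Assumed allow list of destinations that legitimately receive bulk data (e.g. a backup host).
KNOWN_DESTINATIONS = {"192.0.2.40"}
VOLUME_LIMIT = 1_000_000  # bytes per flow to an unknown destination before we care

# Constructed outbound flows as a proxy or egress sensor might record them.
EGRESS_FLOWS = [
    {"dst": "192.0.2.40", "bytes": 52_000_000, "body": "nightly backup chunk 17"},
    {"dst": "198.51.100.77", "bytes": 4_100, "body": "GET /news/latest"},
    {"dst": "203.0.113.50", "bytes": 2_300_000,
     "body": "id,email,account\n1,alice@example.invalid,ACCT-00000001\n"
             "2,q.bellweather@example.invalid,ACCT-00041993\n"},
    {"dst": "203.0.113.51", "bytes": 880,
     "body": "support ticket: reset for s.harrowgate@example.invalid"},
]


def canary_tokens(records):
    """Every field value of every planted record is a token worth matching on."""
    return {value for rec in records for value in rec.values()}


def scan_egress(flows, tokens, known_dsts, volume_limit):
    """Return one alert per flow that leaks a canary or sends bulk data somewhere unknown."""
    alerts = []
    for flow in flows:
        reasons = []
        hit = sorted(t for t in tokens if t in flow["body"])
        if hit:
            reasons.append("canary:" + ",".join(hit))
        if flow["dst"] not in known_dsts and flow["bytes"] > volume_limit:
            reasons.append(f"bulk:{flow['bytes']}B to unknown destination")
        if reasons:
            alerts.append({"dst": flow["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_egress(EGRESS_FLOWS, canary_tokens(CANARY_RECORDS),
                         KNOWN_DESTINATIONS, VOLUME_LIMIT):
        print(a["dst"], "->", "; ".join(a["reasons"]))
```

Two of the four constructed flows trip the scan: the bulk CSV to 203.0.113.50 matches both a canary and the volume rule, and the small ticket text to 203.0.113.51 is caught only because it contains a planted address, which is exactly the case a volume rule alone would miss.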
Continual testing, checking your perimeter against current attacks and trends, and hopefully you can stay ahead of the attackers. You may be able to show you don’t need all of these for all of your data, but apply as many of them as you can while still being able to do what you need. Remember it’s the life of your business at stake: protect it or die.