Predicting the future is a tricky but necessary part of any kind of strategic planning. Unfortunately the security landscape can move so quickly that even short term planning can feel like it requires a crystal ball.
If you’re lucky, things are a little slower in the summer season. This can be a good time to regroup and consider your plans for autumn.
To help give you some ideas let’s start by taking the long (in IT terms at least) view on vulnerabilities.
If you think back to the early 2000s and before, server-side vulnerabilities were the norm. Worms like Code Red (2001) and SQL Slammer (2003) wreaked havoc by exploiting unpatched, internet-facing services directly.
Running a public website on Microsoft IIS was a terrifying prospect. The bad guys didn't need to spend much time anywhere else – chances were, if they tried, they could get straight onto one of your critical servers.
Luckily things got better. Zero-day exploits in common internet-facing services are a merciful rarity nowadays and we tend to do a better job of firewalling everything else.
Unfortunately the bad guys had plenty of other options. Clients soon proved to be a massive weak point. Browser vulnerabilities came to the fore in the late 2000s. Gaining access was simply a case of luring a user to a malformed web page and IE6 would quite happily install any malware you asked it to, usually without giving the user any warning.
Again, we got our act together. Now browsers compete on speed and security rather than fancy features. Every feature is a potential entry point, so – very sensibly – modern browsers have a lot less turned on by default.
Thanks to improved defence-in-depth (process sandboxing, DEP and ASLR, fewer privileges for the renderer), even if an attacker finds a way in they'll likely need to batter down a few more doors before getting to the juicy stuff.
Browser plugins are the current battleground. Flash, Java, Adobe Reader and others provide a great way for an attacker to sidestep all the hard work put into browser security.
The tide might just be turning in our favour though. Adobe has been doing some great work improving the sandboxing and auto-updating features in Reader and Flash.
Even Oracle are promising to finally address some of the underlying problems with Java. I wouldn’t wait for that though – disabling Java altogether or using click-to-play is a far more reliable and immediate solution.
So what’s next?
Moving swiftly from observation to speculation, here are a few possibly-emerging issues to consider.
Put yourself in an attacker’s shoes. You’ve scanned your target’s perimeter services and it’s all looking quite tight. You then tried a phishing attack to lure them to a web page with a drive-by-download exploit but they’ve got a well-patched browser with no vulnerable plugins. So where next?
Social engineering perhaps? A few trends are making this easier and more effective.
Firstly, in the rush to the cloud we've forgotten some of the basics. When everything was protected by a VPN, most companies enforced some form of two-factor authentication, so a password alone was of limited value to an attacker. Nowadays the majority of cloud services are reachable from anywhere and protected by nothing more than a password; if you can persuade a user to divulge it, it's likely all you need.
The persuasion part is easier than ever. Because of cloud services, users are accustomed to typing their passwords into external websites, so persuading them to do the same on a site they don't recognise is not much of a stretch.
Secondly, social networking makes target reconnaissance much easier. After a quick browse of someone’s LinkedIn profile it’s not hard to come up with an attention grabbing subject for your attack.
Thirdly, although highly exposed software – such as internet-facing services and web browsers – is getting quite tricky to attack, the rest of your applications are unlikely to be quite so robust.
Few people patch their CAD software as regularly as their browser. A job title from LinkedIn is all that’s required to take some educated guesses about exactly what software someone is likely to be running. Even a user wary of email-based attachments might let their guard down when receiving a file via cloud storage/collaboration tools such as Dropbox.
There are quite a few signs that this advanced targeted phishing is already well underway on an industrial scale, and it’s certainly not just a concern for defence contractors.
Just recently GCHQ, part of the UK intelligence services, advised that it intercepts around 70 attacks against UK companies a month. Targeted phishing appears to be the weapon of choice in these attacks. This is only likely to escalate as techniques filter down from intelligence services to the criminal underworld.
So what can you do?
It's up to you to assess the trends and how they apply to your business, but here are a few sensible steps to think about.
Firstly, single-sign-on and strong authentication gateways are not just nice-to-haves! My previous post on handling smartphones in the workplace covers this area in a little more detail, including implementing two-factor authentication for cloud services.
Secondly, investment in defence-in-depth will always pay off. Maintaining well-patched systems everywhere, rather than just for the exposed stuff, will become more important. If you don't already scan internal systems, extending your vulnerability scanning to cover them will help you assess your internal exposure.
Firewalling your servers correctly, so that each one accepts only the traffic it is actually meant to serve, also limits what an intruder who already has a foothold in your network can reach from a compromised desktop.
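As an added example (not from the original post), the following POSIX shell function generates a default-deny nftables ruleset of the kind described above: admin SSH is reachable only from a jump/admin subnet, the service ports only from the subnet that legitimately uses them, and everything else, including a phished user's workstation on another VLAN, is dropped and logged. The subnets and ports are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: generate a default-deny host firewall for an internal server.
# Assumed (hypothetical) layout: admins on 10.0.50.0/24, application clients on
# 10.0.20.0/24, the server offering HTTPS (443) and PostgreSQL (5432).

# gen_server_rules ADMIN_CIDR CLIENT_CIDR PORT [PORT...]
# Prints an nftables ruleset to stdout; it does not apply anything itself.
gen_server_rules() {
  admin="$1"; shift
  clients="$1"; shift
  # Build a comma-separated port list for the nft anonymous set: "443,5432".
  ports=$(printf '%s,' "$@")
  ports="${ports%,}"
  cat <<EOF
table inet server_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip saddr $admin tcp dport 22 accept comment "admin SSH only from admin subnet"
    ip saddr $clients tcp dport { $ports } accept comment "service ports only from clients"
    icmp type echo-request limit rate 5/second accept
    limit rate 10/minute log prefix "server_fw drop: "
  }
}
EOF
}

# Sanity check used before deployment: the ruleset must be default-deny and must
# not open SSH to the client subnet. Returns 0 when both hold.
check_ruleset() {
  printf '%s\n' "$1" | grep -q 'policy drop' || return 1
  printf '%s\n' "$1" | grep -q "ip saddr $2 tcp dport 22" && return 1
  return 0
}

# Usage (run as root on the server): write the rules, syntax-check, then load.
#   gen_server_rules 10.0.50.0/24 10.0.20.0/24 443 5432 > /etc/nftables.conf
#   nft --check -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

Note that `nft --check` only validates syntax; the `check_ruleset` function is a cheap guard against the common mistake of copying the admin rule for the client subnet. Keep the log line rate-limited, as it is there to feed your internal monitoring, not to let a port scan fill the disk.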
Lastly, education is becoming even more important. Cloud services have made it harder than ever before for users to spot the difference between valid and malicious emails and websites. So educate your users on threats, and make sure they’re clued up on how to avoid falling for them.
4 comments on “Practical IT: How to plan against threats to your business”
Ross – I do not understand one of your last statements:
Cloud services have made it harder than ever before for users to spot the difference between valid and malicious emails and websites.
Could you give me some examples?
The problem is that it was relatively easy, or at least easier, to make internal applications single-sign-on. You could then educate users with a fairly simple rule: only ever type your password into your system's initial login dialogue box. Even if you had internal non-SSO web applications you could still say "only type in your password if the address ends in .mycompany.com". Likewise you could say, ignore any emails asking for your password that don't come from @mycompany.com.
Now the rules are way more complicated. You need loads of different passwords for different sites (so people re-use passwords). It's also very confusing to know which sites are officially sanctioned "safe" sites and which ones aren't – most companies don't even know themselves! Likewise those websites each send their own password-reset or provisioning emails, again making education a whole lot harder.
Hope this helps.
Good web filtering is essential to stopping malware these days. Knowing what is good and bad on the web is not something an IT organization is capable of knowing itself. Fortunately, there are lots of community projects and businesses that can provide that service. Even something as simple as installing the Web of Trust and AdBlock extensions in users' browsers will go a long way to reducing malware in the organization. A good website filter that works automagically (to the user) is even better.
He's right that you have to consider the environment of the company you are working in. My previous job was lucky enough to have Sophos and have some extra staffing for security. But in other places, they can't have the optimum setup. They run the software they can (cases for new implementation go via approval by corporate, and you know how that ends) and try to get the most out of it. Which sucks.