Foreword
Come on, what did we really think was going to happen?
For well over a decade as network defenders we have relied upon the same failed defenses: signature-based AV and IDP/IPS along with port-centric firewalls. We have placed all of our emphasis on “Holy Grail” security products at the network gateway to the public Internet, and we have completely disregarded our endpoints. Further, we have neglected two of the most fundamental requirements of network security that historically have always proven to reduce the threat envelope: server hardening and flaw remediation. Lastly, over time we have developed an acceptance of meeting technical security challenges with our written policies without any technical enforcement.
Our adversaries have been paying careful attention, regularly adjusting their attack methodologies to take full advantage. Today we find ourselves in a position where our outdated defenses regularly fall prey to the simplest “low tech” hacking techniques. It seems that every headline-grabbing intrusion we hear of today is first proclaimed to be the result of some new advanced hacking technique, but more often than not it is later revealed that the root cause of the breach was embarrassingly simple:
• Google—spear phishing email provided initial entry
• RSA—spear phishing email provided initial entry
• Sony—social engineering facilitated initial website attacks
• HBGary—a 16-year-old girl's social engineering skills provided initial entry
• Stuxnet—malware-laden USB sticks handed out for free at a conference provided the initial entry
• Epsilon—spear phishing emails provided initial entry
After nearly every breach we hear the same old excuses:
• We were compliant with all regulatory requirements and therefore not responsible
• We are doing the very same things to protect our information that everyone else is doing and therefore not responsible
• Users did not follow written policy and therefore we are not responsible
Another “trap” we seem to have fallen into: today we regularly neglect doing our own due diligence and instead pay advisory services to guide us in deciding which vendors' security products and methodologies we should be using to secure our environments, while at the same time “they” are charging those vendors advisory fees to craft marketing messages that will allow the vendor to gain a greater share of the advisory services' clients. The guidance we seek is actually contained within the various Internet crime reports that are freely available on the Internet. They report annually on security incidents and, just as importantly, on what those organizations were using for defense at the time of the incident. Reading the reports from that perspective can be eye opening:
• If, in the vast majority of the reports, survey respondents were using anti-virus yet the majority still reported issues with malware, perhaps it is time to reconsider dependence on traditional anti-virus products.
• If, in the vast majority of the reports, survey respondents were using firewalls yet reported issues with network intrusions, perhaps it is time to reconsider dependence on traditional firewall products.
• If, in the vast majority of the reports, survey respondents were using strong password policies yet reported issues with unauthorized access, perhaps it is time to reconsider dependence on traditional authentication efforts.
I would advise anyone reading this book to use it as a wake-up call to his or her management. These are not theoretical attack methodologies; they are practical attacks occurring regularly today that have been enabled by a decade of neglect of our defenses. Every attack noted in this book can be effectively countered with the proper application of user-awareness training, policy, and technical safeguards.
Paul A. Henry
vNet Security LLC