Tag Archives: detection

A new technical vocabulary

I thought that I would focus on two technical terms which have emerged in the last few years.

1) SEO – Search Engine Optimisation – This is about how you get your web site further up the rankings of search engines such as Google and Yahoo; the same techniques are applied to marketplace search on sites such as eBay. There are individuals and companies who offer this as a service.

2) Click Farms – These are companies where low-paid workers click on web sites or adverts for fraudulent purposes. They are usually found in developing countries. They may generate click-through revenue for unscrupulous operators, or be used on behalf of a client to deplete a competitor’s paid-advertising credits (e.g. on Facebook).

In summary, you have to be judicious in assessing page hits and likes before deciding whether a campaign has been successful. Look at the demographic statistics, not just the raw counts. For example, if you had marketed a US toothpaste and most of your hits come from Dhaka or Cairo, then you should probably rethink things.
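The geographic sanity check above can be automated. The following is an added example, not code from the original post: it runs two simple click-farm heuristics over a constructed sample click log (timestamp, source IP, country code, campaign). The log records, the "target country" idea and the thresholds (foreign share above 25%, five or more clicks from one IP inside 60 seconds) are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample click log (not real traffic): ISO timestamp, source IP,
# ISO country code, campaign id. The IPs are from documentation ranges.
SAMPLE_CLICKS = [
    ("2013-05-01T10:00:01", "203.0.113.5",  "US", "us-toothpaste"),
    ("2013-05-01T10:03:40", "198.51.100.7", "US", "us-toothpaste"),
    ("2013-05-01T10:05:00", "192.0.2.10",   "BD", "us-toothpaste"),
    ("2013-05-01T10:05:04", "192.0.2.10",   "BD", "us-toothpaste"),
    ("2013-05-01T10:05:09", "192.0.2.10",   "BD", "us-toothpaste"),
    ("2013-05-01T10:05:13", "192.0.2.10",   "BD", "us-toothpaste"),
    ("2013-05-01T10:05:20", "192.0.2.10",   "BD", "us-toothpaste"),
    ("2013-05-01T10:05:27", "192.0.2.10",   "BD", "us-toothpaste"),
    ("2013-05-01T10:07:00", "192.0.2.44",   "EG", "us-toothpaste"),
    ("2013-05-01T10:09:30", "192.0.2.45",   "EG", "us-toothpaste"),
    ("2013-05-01T10:12:00", "192.0.2.46",   "EG", "us-toothpaste"),
    ("2013-05-01T10:15:00", "192.0.2.47",   "EG", "us-toothpaste"),
]


def parse(records):
    """Turn the raw tuples into (datetime, ip, country, campaign)."""
    return [
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, cc, camp)
        for ts, ip, cc, camp in records
    ]


def country_shares(clicks):
    """Fraction of clicks per country code."""
    counts = Counter(cc for _, _, cc, _ in clicks)
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()}


def burst_ips(clicks, window_seconds=60, limit=5):
    """IPs that produce at least `limit` clicks inside any sliding window.

    A human browsing a toothpaste advert does not click it five times a
    minute; a click-farm worker, or a script, does.
    """
    by_ip = defaultdict(list)
    for ts, ip, _, _ in clicks:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_seconds.
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= limit:
                flagged.add(ip)
                break
    return flagged


def assess_campaign(records, target_countries, max_foreign_share=0.25):
    """Summarise a campaign's clicks and flag it if the traffic looks farmed.

    target_countries: the markets the campaign was actually aimed at.
    max_foreign_share: illustrative threshold (assumption) for the share of
    clicks allowed to come from outside those markets.
    """
    clicks = parse(records)
    shares = country_shares(clicks)
    foreign = sum(s for cc, s in shares.items() if cc not in target_countries)
    bursts = burst_ips(clicks)
    return {
        "total_clicks": len(clicks),
        "foreign_share": round(foreign, 3),
        "burst_ips": sorted(bursts),
        "suspicious": foreign > max_foreign_share or bool(bursts),
    }


if __name__ == "__main__":
    # For a US-only campaign, 10 of 12 clicks come from Bangladesh and Egypt,
    # and one Dhaka IP clicks six times in under half a minute.
    print(assess_campaign(SAMPLE_CLICKS, {"US"}))
```

Neither heuristic is proof of fraud on its own: a genuinely international product will have a high foreign share, and a corporate proxy can make many real users look like one bursting IP. The value is in comparing the numbers with what the campaign was supposed to reach, which is exactly the point about demographics made above.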

So who hired the hacker?

Picture what would happen if you discovered that you had hired a suspected hacker in your IT department. Here are just a few thoughts to consider:

What can you do?

You might ask yourself a question – is he a white hat or a black hat? The former is an ethical hacker whilst the latter is not. What’s the difference?

As per the Wikipedia definition, an ethical hacker is usually employed by an organization who trusts him or her to attempt to penetrate networks and/or computer systems, using the same methods as a hacker, for the purpose of finding and fixing computer security vulnerabilities. Unauthorized hacking (i.e., gaining access to computer systems without prior authorization from the owner) is a crime in most countries, but penetration testing done by request of the owner of the victim system(s) or network(s) is not.

A hacker is someone who seeks and exploits weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge or enjoyment.

So what can you do to determine if the employee is exhibiting hacker behaviours?

1) Check that your security controls are working effectively – Look at your firewall port profile and your recent IDS, FIM and log analysis reports. You could go as far as undertaking a vulnerability scan of your internal network or external perimeter. The problem with vulnerability scanning is that it often produces false positives, and more effort goes into sorting these out than into addressing the real vulnerabilities; it usually takes a highly competent individual to do it well. You should also check the employee’s authority levels – which accounts and privileges he or she actually holds, and whether they are needed for the job.

2)  Is the Employee adhering to corporate standards?

Has he or she done something different which they claim is required to undertake security testing? Such things include:

– Setting up a “back door” WAN circuit which bypasses corporate perimeter security controls.

– Provision of anonymous access tools to the web and intranets – e.g. the Tor Browser.

– Weakening of security controls – e.g. switching smart phones from TLS-protected IMAP to unencrypted POP3, or moving corporate wi-fi networks from WPA2 to WEP.

– Setting up new domains or networks without going through the normal approval process.
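Both checks above (are the controls still configured as intended, and has anyone quietly deviated from the standard?) amount to comparing what is actually deployed against a written baseline. The following is an added example, not code from the original post: it audits a constructed configuration inventory against a small corporate baseline and reports exactly the kinds of deviation listed above (WEP wi-fi, plaintext POP3, a default route that bypasses the perimeter gateway, a Tor process, and a user holding more admin accounts than allowed). The inventory records, the field names and the baseline values are all assumptions made for illustration; in practice the records would come from your wireless controller, MDM, host inventory and directory.

```python
# Corporate baseline (assumed values for illustration).
BASELINE = {
    "wifi_security": {"WPA2"},           # WEP or open networks are deviations
    "mail_protocols": {"IMAPS"},         # plaintext POP3/IMAP are deviations
    "approved_gateways": {"10.0.0.1"},   # default routes must use the perimeter gateway
    "banned_processes": {"tor", "tor.exe"},
    "max_admin_accounts_per_user": 1,
}

# Constructed inventory (not real data): one record per configuration item.
INVENTORY = [
    {"host": "ap-01",    "type": "wifi", "security": "WPA2"},
    {"host": "ap-lab",   "type": "wifi", "security": "WEP"},
    {"host": "phone-17", "type": "mail_client", "protocol": "POP3",  "tls": False},
    {"host": "phone-18", "type": "mail_client", "protocol": "IMAPS", "tls": True},
    {"host": "dev-box",  "type": "route", "destination": "0.0.0.0/0", "gateway": "192.168.77.1"},
    {"host": "file-01",  "type": "route", "destination": "0.0.0.0/0", "gateway": "10.0.0.1"},
    {"host": "dev-box",  "type": "process", "name": "tor"},
    {"host": "dc-01",    "type": "account", "user": "jsmith",
     "admin_accounts": ["jsmith-adm", "jsmith-da"]},
]


def check_item(item, baseline=BASELINE):
    """Return a list of deviation strings for one inventory record."""
    findings = []
    host = item["host"]
    kind = item["type"]
    if kind == "wifi":
        if item["security"] not in baseline["wifi_security"]:
            findings.append(f"{host}: wifi uses {item['security']}, "
                            f"baseline requires {sorted(baseline['wifi_security'])}")
    elif kind == "mail_client":
        proto = item["protocol"]
        tls = item.get("tls", False)
        # Either an unapproved protocol or an approved one without TLS is a weakening.
        if proto not in baseline["mail_protocols"] or not tls:
            findings.append(f"{host}: mail via {proto} (tls={tls}) weakens the baseline")
    elif kind == "route":
        # A default route through anything but the perimeter gateway is a
        # candidate "back door" circuit.
        if (item["destination"] == "0.0.0.0/0"
                and item["gateway"] not in baseline["approved_gateways"]):
            findings.append(f"{host}: default route via unapproved gateway "
                            f"{item['gateway']} (possible perimeter bypass)")
    elif kind == "process":
        if item["name"].lower() in baseline["banned_processes"]:
            findings.append(f"{host}: banned process {item['name']} running")
    elif kind == "account":
        n = len(item["admin_accounts"])
        if n > baseline["max_admin_accounts_per_user"]:
            findings.append(f"{host}: user {item['user']} holds {n} admin accounts "
                            f"{item['admin_accounts']}")
    return findings


def audit(inventory, baseline=BASELINE):
    """Run every record through check_item and collect all deviations."""
    findings = []
    for item in inventory:
        findings.extend(check_item(item, baseline))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

The useful property of a check like this is that it is repeatable: run it on a schedule and diff the output, and a newly appearing WEP network or default route shows up the day it is created rather than when someone happens to notice. It does not tell you whether the person who created it is a black hat; it tells you that the corporate standard has been departed from, which is the conversation to have first.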

I hope this has been useful.

Who would be an IT Security Officer?

Someone told me that protecting a corporate network is like protecting your land with a plastic fence. As if that were not bad enough, your own kids compound things by continually punching holes in the fence. Think about the challenges for the company IT Security guy:

1) He has to ensure that there are controls which are delivered through policies, training and clever technology.

2) There are a lot of clever hackers out there. Take “Anonymous” – they seem able to take government sites offline at will, so what chance does our IT Security guy have (let’s call him SG from here on in)?

3) SG has lots of enemies.

Who are SG’s enemies?

a) The Hackers – obviously enemy number one.

b) Software and Hardware suppliers, particularly those who produce vulnerable software.

c) Employees of his organisation, who fall into two broad categories. The first category is the normal users, who will inevitably try to install unlicensed software, access dodgy web sites, use personal USB sticks and so on. SG ought to be able to use technical controls to prevent this type of behaviour.

The second category, management, is much more difficult for SG to deal with. To illustrate this, let’s think of the steps in an IT security model.

– Risk assess the threat

– Put in place proportionate controls

– Assess if the controls are effective

Take the first stage, risk assessment. Quite often, non-technical management decide how an IT security breach would impact the organisation. Not being knowledgeable, and comparing it with other business risks, they will more often than not understate the impact. This is like a group of civilians trying to wage war against a belligerent enemy. As a result, SG will probably not be able to put proportionate controls in place.

So SG will have to take a reactive rather than a proactive approach to IT security management, and there will be breaches. Let’s consider the stages of a breach:

Intrusion

Detection

Remediation

This sounds straightforward. You might think that it will work something like this: your AV software tells you that you have a possible breach, whereupon you just quarantine and remove whatever is causing the problem.

However, leaders in security incident response such as Mandiant paint a different picture. Their recent report has some interesting highlights:

Nearly two-thirds of organizations learn they are breached from an external source.

The typical advanced attack goes unnoticed for nearly eight months.

Attackers are increasingly using outsourced service providers as a means to gain access to their victims.

Attackers are using comprehensive network reconnaissance to help them navigate victims’ networks faster and more effectively.

Advanced Persistent Threat (APT) attackers continue to target industries that are strategic to their growth and will return until their mission is complete.

Once a Target, Always a Target

This inevitably has a significant impact on reputation, finances and employee morale. Furthermore, remediation will cost something like ten times what the preventative measures would have cost in the first place.

SG will no doubt remind management of his recommendations but organisations have short memories.