It seems almost every week we hear about another hack affecting a large retailer or online service. Why are these happening more and more often, even with the heightened focus on security we should be seeing? It turns out there are a number of causes, and not all are under our control. This is a short introduction to the world of online attack and defense for the uninitiated.
Follow the Money
The primary reason online crime exists is — of course — money. Organized crime syndicates around the world have discovered that not only is cybercrime very profitable, but it is also much easier and less risky than running the standard drug and prostitution trades. You can pay a handful of young, bright individuals a lot of money to find ways to attack online businesses and still come out far ahead compared to the cost of running traditional rackets.
In addition, there are no geographical limitations. There are a large number of very sharp but unemployed computer science engineers in Eastern Europe or Southeast Asia, and they are typically underpaid compared to a lot of the Western world. All one has to do is recruit a number of these people, pay them fabulously (by local standards) to ease any ethical hesitation on their part, and go to work.
Once attacks have been created and planned, you need servers to work from. Unfortunately, it is trivial to find server hosting firms willing to look the other way in countries with little or no Internet regulation or oversight. Now, the world is your oyster. No matter where the attacks originate, they can reach anywhere in the world.
The Attacker Always Has the Advantage
Software is complex, and there are billions of lines of code running the world’s computers, networks and infrastructure. Statistically speaking, this means there are more bugs and vulnerabilities than you can imagine hidden in the software you and your vendors and e-commerce sites and credit card processors (and so on) are using every day. The attackers are typically not on any hard time schedule; they can take all the time they need to find the next major bug that you or your software vendor has yet to discover.
There are tools called fuzzers that send hundreds of thousands of different malformed inputs into applications looking for an unhandled error or evidence of a new vulnerability, and password crackers that can try millions of combinations every second.
Even if you patch regularly, use Microsoft/Apple/Red Hat update, run antivirus, use firewalls and detectors, somewhere there will always be another vulnerability that no one has planned for. That’s not to say that these measures are useless – like locks on the door, they will at least keep the casual criminal at bay. But like the locks, they only decrease risk, they do not eliminate it.
Many recent big compromises have come from perhaps unexpected angles – an electronic cash register running Windows XP, or a network login used by the HVAC vendor to check the status of the AC system.
Successful attackers are creative, and like the thief, do not usually attack via the front door. As a defender, it is difficult or impossible to think of every possible avenue of attack. Even if these weaknesses are known, it may not be possible to update software provided by a third-party vendor and it is not realistic to cut off all access to the world.
Speaking of Money
Companies can and should implement a defense in depth strategy: implementing an aggressive update and patching policy, deploying network and application firewalls, reviewing code from a security as well as a functional point of view during the development process, and ensuring that security testing is performed on external and internal websites and networks. However, like everything else, this costs money.
Security is not sexy, and does not in and of itself attract customers. When budget dollars are being allocated, it is always tempting to spend money developing the next release or feature. These days, money is always tight, and security (hardware, software, and personnel) is always a tempting target for benign neglect. In one recent hack, the internal sensors deployed had been alarming for weeks, but no one was paying attention! In certain large corporations, data hacks are just another form of business and reputational risk, and are sorted and prioritized along with everything else.
What Can One Do?
We are all at the mercy of companies we have no control over and no visibility into. Businesses such as large banks and online retailers have a high reputational risk and tend to be conscientious about their security. Smaller sites and businesses are largely an unknown. In addition, many large businesses do not do their own credit card processing, but rather delegate it to a third party processor that you know nothing about.
1. As a consumer, deal with large, reputable companies online whenever possible. Visible third party payment services such as PayPal are generally safe to use even from small business sites.
Use a credit card for online transactions – do not use a debit card as these have weaker consumer protections in the case of fraud. Check your credit card statement regularly and carefully. Fortunately, credit card companies are amazingly good at detecting fraud and will usually contact you if they notice anything funny.
2. As a smaller online presence, update, update, update! This includes server processors such as PHP and blogging or other software you may use. Regularly monitor the server logs for any sign of unusual or unexpected activity.
3. As a company with a website, see (2) above. Deploy firewalls and network sensors to detect suspicious activity (or ensure your hosting vendor does). Make sure your website gets audited and tested regularly for security issues by a firm that specializes in this.
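Point 2 asks a smaller site to monitor its server logs for unusual activity, but does not say what that looks like in practice. The script below is an added illustration, not code from the article or its author: it reads web server access log lines in the common combined format (Apache/Nginx), parses them, and flags any client address that produces a burst of 4xx responses (failed logins, forbidden pages, requests for files that do not exist) within a short window, which is the typical signature of someone probing a site. The log lines and addresses are constructed for the example, and the threshold and window are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache and Nginx by default:
#   <client ip> <ident> <user> [<timestamp>] "<method> <path> <protocol>" <status> <bytes>
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one ordinary visitor (203.0.113.5) and one client
# (198.51.100.7) requesting six non-existent pages within thirty seconds.
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1204
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /missing.png HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /old HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /test HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "GET /config HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:14 +0000] "GET /login HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:14:01:30 +0000] "GET /backup HTTP/1.1" 404 153
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_suspicious(lines, error_threshold=5, window_seconds=60):
    """Flag client IPs that produce error_threshold or more 4xx responses
    within any window_seconds span. Returns {ip: summary} for flagged IPs."""
    errors = defaultdict(list)  # ip -> [(timestamp, path), ...] for 4xx responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the monitor
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in errors.items():
        events.sort(key=lambda e: e[0])
        # Slide a window of error_threshold consecutive errors over the sorted
        # events; if any such group fits inside window_seconds, flag the IP.
        for i in range(len(events) - error_threshold + 1):
            start = events[i][0]
            end = events[i + error_threshold - 1][0]
            if (end - start).total_seconds() <= window_seconds:
                flagged[ip] = {
                    "errors": len(events),
                    "first": events[0][0],
                    "last": events[-1][0],
                    "paths": sorted({p for _, p in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {info['errors']} client errors between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}; "
              f"paths tried: {', '.join(info['paths'])}")
```

Run against a real access log by replacing SAMPLE_LOG with the lines of the file; the point of the threshold-plus-window rule is that a single visitor following a dead link produces one 404, while a scanner produces dozens in seconds, so the ordinary visitor above is not reported and the probing client is.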
After Being Hacked
Computer forensics is a deep and complicated subject, and next steps depend on the systems involved and the nature of the hack. For all but trivial installations, it is best to contract the services of specialists for this. The only 100% safe solution is to wipe out everything and reinstall from the operating system on up, but this will not reveal how the attackers got in in the first place. You may well still be vulnerable.
The Internet is a gateway to the world, and to all the good and evil in it. If one is going to be on the Internet, one has to expect bad things may happen. Unlike a geographical “bad neighborhood,” any address on the Internet is easily reachable from any other place, so your Internet site is always just around the corner from bad actors. Just like a business in a bad neighborhood, if one is going to do business in this environment, one has to erect reasonable defenses, knowing full well that these defenses are not impregnable. However, the store with no bars and a glass door will certainly get broken into a lot quicker than the one next door that is properly defended.
Make your best efforts at digital defense in depth, patch as often as possible, monitor continuously. Get audited by professionals and implement their recommendations. These steps will not make you bulletproof, but will minimize the chances of successful attack, and will ensure any attack that does get through will be detected as soon as possible.
Mark Huss is a Senior Consultant with SystemExperts and is based near Philadelphia, Pennsylvania. Mark has been working in Information Security since 2005, performing security reviews, conducting penetration testing, and educating development staff. He has worked extensively with web-based, client-server, and mobile applications. His expertise covers both Linux and Windows environments.