Theft by Hacking: Three of the Top Six Threats (Part II)

Security · 12 minutes read · Sep 15th, 2011

My last two posts — The Six Biggest Hacking Threats and How to Deal with Them and Theft by Hacking: Three of the Top Six Threats — are part of a series covering the six biggest threats hackers pose to organizations today. I’m exploring how the threats are defined and why they work—including why current security methods are failing, and why your organization might be ripe for an attack.

In doing so, I’m also sharing how new technology, such as Unisys Stealth Solution and our just-announced Unisys Stealth Solution for Secure Virtual Terminal (SSVT), can redefine the threat, and put the advantage back in the hands of IT leaders. Today I’m wrapping up the series with the final three threats in the list:

  1. DDoS (Distributed Denial of Service) Attack
  2. Organization Embarrassment
  3. Hacker Notoriety

Denial of Service Attack

Why this is a threat

A Distributed Denial of Service attack can be extremely damaging to an organization, as it prevents an organization from conducting business over the Internet. Employees, customers, partners, integrated web services—all are effectively shut down. Last December, the web sites of several major card services providers were brought to their knees in a well-coordinated DDoS attack orchestrated by a group that claimed to support WikiLeaks. WikiLeaks had just been cut off by the card service providers, and the hacking group was seeking retribution.

How hackers pull off denial of service attacks

Hackers distribute armies of attack bots that invisibly compromise client and server computers. They create these botnets either by breaking into servers, acquiring admin or superuser rights, and installing bots throughout a network, or by using social engineering, malware, drive-by downloads, and many other tricks to insert bots on end-user desktops and laptops.

The compromised computers are referred to as “zombies,” because the bots lie dormant (dead) until reanimated by the hackers from a remote location. Suddenly the targeted organization’s web site and other servers are overwhelmed when zillions of zombies spring to life and attempt to log on, download or upload content, access pages, and so on.

The targeted servers become overwhelmed by the flood of incoming requests (a ping flood is a popular technique). It doesn’t take long for them to slow and, ultimately, tip over. The end result: The targeted organization’s systems can’t respond to legitimate users, because they’re essentially offline. Service denied. Score another one for the hackers.
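The flood described above is easiest to recognise from the server side as a jump in the aggregate request rate, not from any single source. The following added example (not code from the post or from Unisys) parses constructed access log lines and flags seconds whose total rate exceeds a multiple of a baseline; it also checks a per-source limit to show why that check alone misses a distributed flood in which every zombie stays quiet. The log format, thresholds and addresses are assumptions.

```python
from collections import Counter
import re

# Assumed log format (constructed for this example): "HH:MM:SS <source-ip> <method> <path>"
LOG_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) \S+ \S+$")


def parse_log(text):
    """Return a list of (second_of_day, source_ip) from log text; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        h, mi, s, ip = int(m[1]), int(m[2]), int(m[3]), m[4]
        events.append((h * 3600 + mi * 60 + s, ip))
    return events


def detect_flood(events, baseline_secs=10, factor=5, per_ip_limit=10):
    """Compare each second's total request count with the average of the first
    baseline_secs seconds.  Returns (flagged_seconds, noisy_ips): seconds whose
    aggregate rate exceeds factor x baseline, and sources that individually
    exceed per_ip_limit requests in any single second."""
    counts = Counter(sec for sec, _ in events)
    secs = sorted(counts)
    base = secs[:baseline_secs]
    baseline = max(1, sum(counts[s] for s in base) / len(base))
    flagged = [s for s in secs[baseline_secs:] if counts[s] > factor * baseline]
    per_ip_sec = Counter((sec, ip) for sec, ip in events)
    noisy = {ip for (sec, ip), n in per_ip_sec.items() if n > per_ip_limit}
    return flagged, noisy


def build_sample():
    """Constructed log: 10 s of normal traffic from two clients, then a 5 s flood
    from 40 zombies that each send only one request per second."""
    lines = []
    for sec in range(10):
        for ip in ("203.0.113.5", "198.51.100.7"):
            lines.append(f"10:00:{sec:02d} {ip} GET /")
    for sec in range(10, 15):
        for z in range(40):
            lines.append(f"10:00:{sec:02d} 192.0.2.{z + 1} GET /login")
    return "\n".join(lines)


if __name__ == "__main__":
    # The flood seconds are flagged, but no single zombie trips the per-IP limit.
    print(detect_flood(parse_log(build_sample())))
```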

Why the current IT security model fails

The objective of a DDoS attack is not really to gain access to a network, although that does occur as part of the attack preparation. The goal is to cripple the network, and the organization that depends on it, by making its services unavailable to legitimate users. Traditional perimeter security is useless in this case, because the DDoS attack takes place outside the perimeter.

That said, traditional perimeter security does have a role in keeping hackers and their bots out of the internal network. But remember, hackers don’t have to compromise their target’s internal network in order to launch an effective DDoS attack.

All they need is a botnet scattered about the Internet. Also, since most antimalware solutions are based on signature recognition to identify and neutralize known threats, the network remains vulnerable to new, novel, and unrecognized threats.

How you can change the dynamic

There are two aspects to changing the dynamic with DDoS attacks. The first is to ensure that your network OS, hardware, and software are always up to date and properly configured. DDoS attacks take advantage of known configuration and coding flaws that responsible vendors ensure are patched. Ensuring your network is updated, properly configured, and tested to withstand an external attack is a crucial step.

But what about preventing your internal network from becoming assimilated into a botnet? You certainly don’t want your organization’s resources to play a role in taking down a major bank, e-tailer, or, frankly, any other organization’s servers. And you certainly don’t want your network to suffer an internal DDoS attack.

Imagine you had ten business departments in your organization. You can use Unisys Stealth to compartmentalize these departments into ten groups. If an end-user downloads malware and their PC is compromised, the botnet that springs up is effectively quarantined in that group. The result is a 90 percent reduction in the impact of the exploit, and a 90 percent reduction in the botnet’s attack capability. Think of this like a fire line that firefighters establish to fight a brush fire.

Organization Embarrassment

Why this is a threat

Unlike bank robbers, hackers are interested in more than money. Many are out to make a political or social statement. And they can do this by embarrassing any organization that, in their view, represents the enemy.

Hackers can embarrass organizations in many ways, among them:

  • Break into an organization’s network, gain access to sensitive information, and make the information public.
  • Launch DDoS attacks to bring an organization’s network down, and shame the organization in the eyes of customers, partners, and the press.
  • Deface a web site, posting profanity, sexually explicit images, political messages, or other undesirable materials to an organization’s public face on the Internet.

It’s not uncommon for these attacks to be inside jobs or have an operative in the organization—often a disgruntled or terminated employee—working with external hackers. Worse, even the most innocuous information can end up damaging the organization when it is made public. A five-year-old management memo penned by some long-gone executive suddenly becomes a smoking gun.

How hackers pull off organizational embarrassment

External hackers look for the usual security holes and opportunities already discussed in this series: social engineering, malware, a default root password, a password that’s easily guessed or broken by a dictionary attack, and so on.

These exploits usually result in direct attacks against a specific organization, but they typically lack the precision planning that marks the advanced persistent threat to intellectual property. Regardless, the culprits will keep trying until they cause significant embarrassment.

The risk from internal personnel (including contractors and partners with access to your network) is actually greater than that of external hackers. Disgruntled or otherwise motivated internal people have the time, knowledge, and often the network access to find and compile massive amounts of sensitive information.

Look no further than WikiLeaks and its progeny, where information nearly always comes from lower echelon soldiers, diplomats, clerks, and political operatives who have access to classified information. They don’t have to hack into any system. They simply log on, download, and pass the information on.

Why the current IT security model fails

While there is always value to keeping the bad guys out, the real problem is that once someone is in, they might have unfettered access to an array of information, most if not all of which is not encrypted. But traditional perimeter security can’t stop an insider. The enemy is drinking coffee in your break room, and your sensitive documents are on a USB flash drive in their pocket.

How you can change the dynamic

There are several requirements to consider here. One is the need for stronger access control on internal systems and data. Another is the need to control data as it moves around our networks. Lastly, there’s the need to encrypt data at rest and data in motion, regardless of whether the end-user is physically on the local network, coming in from the outside via remote, or using a borrowed PC.

Unisys Stealth (and, by extension, the SSVT USB stick) addresses these requirements by segmenting both the network and information into separate communities of interest, and by encrypting data access. Separate network communities can (and should) be created for admins, executives, managers, clerks, departments, the credit card database, etc. The information in each community of interest is invisible to those who aren’t members of it, whether they are outside the organization or working in the office down the hall.

If a user’s PC is compromised by malware that’s designed to grant network access to an external hacker, the communities of interest maintained by Unisys Stealth mean the vast majority of the network won’t be visible, with data cryptographically hidden as well. On a network not protected with Stealth, virtually all of the network’s information is available to the intruder once they gain access.

This applies to internal breaches as well. Someone in customer service with an axe to grind won’t be able to poke around until they find the organization’s HR or accounting files, for example. Their view is limited only to data they need to know and network resources they need to tap.
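The community-of-interest rule just described, and the ten-department quarantine example from the DDoS section, can be modelled as a simple reachability policy: a host sees only hosts that share at least one community with it. The following added example (not Unisys code, and not Stealth's actual enforcement mechanism) compares the exposure of a compromised host on a flat network with one segmented into communities; the host names, the ten-department layout and the memberships are constructed assumptions.

```python
def build_flat(hosts):
    """Flat network: every host belongs to one shared community, so all see all."""
    return {h: {"all"} for h in hosts}


def can_reach(coi, src, dst):
    """Policy as the post describes it: traffic flows only between members of a
    common community; hosts with no community in common are invisible to each other."""
    return src != dst and bool(coi[src] & coi[dst])


def exposed_hosts(coi, compromised):
    """Hosts a compromised machine can still see under the given memberships."""
    return {h for h in coi if can_reach(coi, compromised, h)}


def exposure_ratio(coi, compromised):
    """Fraction of the other hosts that remain visible from a compromised host."""
    others = len(coi) - 1
    return len(exposed_hosts(coi, compromised)) / others if others else 0.0


def build_segmented():
    """Constructed layout: ten departments of ten PCs, one admin workstation that is
    a member of every department community, and a card database in its own
    'finance' community that only one finance clerk PC has been granted."""
    coi = {}
    for d in range(10):
        for n in range(10):
            coi[f"dept{d}-pc{n}"] = {f"dept{d}"}
    coi["admin-ws"] = {f"dept{d}" for d in range(10)}
    coi["card-db"] = {"finance"}
    coi["dept0-pc0"].add("finance")  # dept0 is finance; this clerk needs the database
    return coi


if __name__ == "__main__":
    seg = build_segmented()
    flat = build_flat(seg.keys())
    victim = "dept3-pc4"  # an ordinary PC compromised by malware
    print("flat exposure:     ", exposure_ratio(flat, victim))   # 1.0
    print("segmented exposure:", round(exposure_ratio(seg, victim), 3))  # ~0.099
    # The admin workstation is the high-value host: it sees every PC, but still
    # not the card database, because it is not a member of 'finance'.
    print("admin sees card-db:", "card-db" in exposed_hosts(seg, "admin-ws"))  # False
```

The segmented figure is roughly one tenth, which is the 90 percent reduction the post quotes for ten departments; the admin workstation case shows why community membership for shared administrative hosts deserves the most scrutiny.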

Hacker Notoriety

Why this is a threat

The last of the big six hacker threats is hacker notoriety. Here the hack is purely for the thrill or infamy of having done it. With this threat, an organization’s good reputation and global brand can work against you, as the Internet buzz is greatest when a major company, service, or site is exploited.

Imagine the headlines if Google were taken down or their home page defaced. It’s nothing more than digital vandalism, and can be benign in the end. But it can just as easily be vicious and financially damaging, from reputation and service interruption perspectives.

How hackers pull off hacker notoriety

Hackers will use a wide variety of methods here, including the established techniques previously described. But they’ll principally look for major networks that will give them “street cred” by virtue of the perceived difficulty of the hack, or the brand profile of the hacked site.

For instance, there’s immense street cred in hacking a vendor of security products or technologies. Likewise, they might be motivated by the thrill of the chase in going after the web site of a big-name brand, as well as the media splash such an exploit would cause among press and bloggers.

Indeed, just last month hundreds of web sites were taken down—including a major newspaper’s site—through a technique known as a DNS redirect. Hackers break into DNS servers and redirect DNS requests for one site (say, to their own server.

The hackers admitted that the goal of the hack was to have fun. No political or social agenda. No financial gain. Just notoriety, which they got. What’s notable about this hack is that they didn’t touch the servers or breach the networks of the companies affected. They targeted the DNS servers that reside on the Internet itself.

Why the current IT security model fails

Hacking used to require expertise. Today all it requires are motivation and tools—and the tools are readily available on the Internet. If you can Google “free hacking tools,” you too can be a hacker. These tools exploit known weaknesses in operating systems, servers, network software, and network hardware (including wireless).

Anyone can now sit outside a house, hotel, or store, and watch as people enter their names and passwords to gain access to supposedly secure networks. It’s time we assume that hackers can penetrate our networks at will. And that means we must be looking for ways to secure resources, applications, and data directly.

How you can change the dynamic

This is another area that Unisys Stealth helps, because it makes a network far more difficult to hack. Many hackers—especially those using free tools on the hunt for fun and fame—are looking for the soft targets. They want fast and efficient hacks they can show off to friends and tout to bloggers.

Hackers that encounter a network protected with the Unisys Stealth Solution for Network will not be able to compromise it using known techniques. That’s because Stealth deals with security differently, by protecting data, not the datacenter; by using certified encryption and bit-splitting; and by supporting multiple communities of interest.

This is nothing that casual hackers have ever encountered before. And the more unexpected barriers in their way, the sooner they move to softer targets that their free tools are designed to attack. They want notoriety, not hard work. If they can’t quickly find a way in using known exploits, they’re on the hunt for another sucker network.

Unisys Stealth can also be used to support a honeypot, a server specifically designated to attract hackers and keep them busy. Stealth can cordon off a section of the network where hackers can come and play. They think they’ve broken in, but in truth, they’re being trapped. You can now watch what they do and see the techniques they use, and take appropriate measures to ensure the network remains protected.

Today Perimeter Security Is Just A Step

The first three threats showed us that hackers are getting more sophisticated and goal-directed in their attacks. It is, after all, their business to hack into your network and steal your secrets. And the three threats I covered today demonstrate how and why the hacking threat is growing.

Hacking will continue to be a threat. And the threat level rises in organizations that rely on traditional perimeter security. This only protects the borders of our networks, and it’s getting easier by the day for hackers to penetrate the perimeter.

Today we need security that extends beyond the perimeter and the data center. Encryption is a good step, but even encryption has vulnerabilities. Unisys Stealth takes encryption to a higher level, making the data and even the network invisible to anyone who doesn’t have access rights.

And with the new Unisys SSVT, announced last week, organizations can eliminate or dramatically reduce the risk of the six most common hacking threats today.

Tags: Denial of service, Hackers, Stealth