Security: How Can You Patch People?

Continued from page 1

Gathering that intelligence is now easier than ever before. With social networks and other online tools providing unprecedented insight into an organisation and the people they employ, hackers can quickly build up a comprehensive picture of their target.

• Corporate websites and the information posted in job adverts can provide hackers with a better understanding of an organisation’s security landscape, allowing attackers to refine the tools employed to launch an attack and increasing the likelihood of success.
• LinkedIn can help hackers to identify potential targets, with new employees and contractors being the most susceptible.
• Facebook and Twitter are a goldmine of information that can help hackers develop more plausible attacks, offering insight into a person’s hobbies and interests
• Location-based services, like Foursquare, can be used to follow potential targets, allowing hackers to exploit a laptop while it is logged on to a public network.

Armed with the information harvested from these sources would-be attackers have everything they need to breach an organisation’s network security. It’s that simple.

Threats today

Having identified a target within a company, we now look at some of the most common means used by hackers to penetrate deeper into your corporate network. Understanding the methods used is critical to raise awareness and educate employees.

• Malicious attachments are perhaps one of the most common attack vectors employed and are booby trapped as part of a spear phishing attack to deliver their load once opened. Typical file extensions are Microsoft documents and PDFs.
• Drive-by-downloads occur when a malicious website, or a genuine site which has been compromised, includes code that exploits security flaws in a visitor’s browser to install malware without the user’s knowledge.
• Zero-day attacks take advantage of previously unknown software vulnerabilities. Exploiting more than one of these, as Stuxnet did when it exploited four unknown vulnerabilities in Windows, improves the likelihood that targeted devices will be largely defenceless against an attack.

The above scenarios are not exhaustive, but a combination of these and others can be used to circumvent a network’s external security perimeter, leaving a clear path to the top of your business.

Climbing the tree

Typically attacks are motivated by one of three reasons; financial gain, competitive advantage or revenge. Having established a foothold into your corporate network, hackers can then focus on gaining access to their intended target, usually a c-level executive.

The most common means of achieving that is taking a clean document from your initial target’s computer, infecting it with a remote access terminal, and sending it back with instructions to forward on. Having received the attachment from a trusted source, the document is opened, installing its infected load on the intended target’s computer, creating a backdoor.

Having compromised the primary target, the hacker can access and download information held on the endpoint device, and no one is the wiser.

The human factor can’t be patched

An organisation’s employees are a critical part of the security process as they can be misled by criminals or make errors that lead to malware infections or unintentional data loss. Far too many businesses do not pay enough attention to the involvement of users, when they should be the first line of defence.

To achieve the level of protection needed in today’s IT environment, security needs to grow beyond a collection of disparate technologies and, instead, be considered a business process with users at its core.

On-going training, coupled with a clearly defined security policy that’s well communicated, is critical to the education process.

Regular engagement with users will help raise awareness and create a more vigilant workforce. Increasing the knowledge about threats such as spear phishing will empower staff, enabling them to prevent and remediate security incidents in real

Terry Greer-King is UK managing director of Check Point.