The Question Isn’t Whether You’ll be Hacked, it’s WHEN
Hackers, Black Hats, bots, malware, the Dark Web. It may sound like the story plot of The Force Awakens, but the security battle is all too real. In Part 1 of this two-part discussion on internet security threats, the Five Talent team looks at types of internet security attacks and offers insight into how to protect your business against them. In Part 2, the team digs deeper into Tools and Strategies for Mitigating IT Security Risks and Protecting Sensitive Information.
A War of Escalation
Today, black hat hackers are exploiting internet security vulnerabilities at record levels, affecting every entity with a web-accessible address. While companies once faced monthly or weekly breaches, security hacks now take place on a minute-to-minute basis. What’s happening and why?
- Accessibility: Sophisticated attack tools are readily available on the Dark Web and growing exponentially
- Minimal Skills, Big Rewards: Individuals no longer need to know code to pull off complex hacks with huge monetary gains
- Attack Frequency: The level of service needed to respond makes it impossible for businesses to handle security alone
- Jedi Training: White hat security is struggling to secure the resources to keep up or react fast enough
Preston: The fact is, these internet security threats are real and if you have a web address, you’re vulnerable. And if you’re accepting payments online or collecting private confidential information, you are a sensitive target. You will be hacked, it’s just a matter of when.
From the perspective and experience of a custom software developer, we advise clients to look at security as a pathway from source to destination. From the user, to the system within the network, to the network path, and finally to the destination. You can’t just consider your part of that pathway. You need to ask questions of everyone along it to ensure your customers are secure the whole way. It’s incredibly arduous. Standards like HIPAA, SOX, and PCI help but you have to be responsible for your own security measures as well.
The tools hackers are using now create a massive and immediate impact. Name your attack du jour – Target, the IRS, Linode, BBC. Security today is not something you do after your business plan. It has to be in your business plan from the start. How are you going to protect everything? Because if you don’t, your business will go under, if not from direct cause then from the after effects of legal costs.
We used to provide hosting as an at-cost service to our clients. We were hosting hundreds of websites, which was a great benefit to them. But when attacks started escalating, hosting sites quickly became a massive cost sink. Now to truly support those websites, we would have to charge 3-5 times that rate just to break even, and it was still going to be an inadequate response to what was happening. We started shifting clients to very large providers who have huge security teams to manage this on a minute-by-minute basis.
Even as a web design company, Five Talent has had our own payment portal attacked. We’ve had hackers create full counterfeits of our website pointing to their own pay portals in an attempt to divert our clients’ payments. We successfully fought these off, but it takes a ton of resources…and we’re professionals at this. We know what we’re doing and it still took valuable time to combat it. Imagine what the average business person, say a dentist in Portland, is faced with and how he’s going to survive these kinds of attacks.
Ryan: The frustrating thing for me is why they do it. Most internet attacks are attempts to gather private information, which puts credit card companies, banks, and any entity holding personal confidential information at serious risk. The other reason is to redirect traffic by breaking the functionality of a website and putting up an ad. These Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are either stopping your software from doing what it is supposed to be doing, or trying to redirect traffic over to their sites to get pay-per-clicks for ads or to get your private information to sell. All of these cases are financially motivated.
What Motivates Internet Security Attacks?
- Money – The financial incentives for hacking credit card and private personal information are immense. The Dark Web has successfully lured less-skilled individual hackers into a game once played only by sophisticated criminal networks.
- Revenge – Personal or political, these types of attacks may go on indefinitely regardless of difficulty or cost.
- Bragging Rights – Like a graffiti tag, these attacks were once far more common, requiring a low level of hacking skill, until security measures got good enough to prevent most of them.
Lorenzo: Just to give you an idea of the scale of some of these attacks, a few weeks ago marked the biggest DDoS attack in history, at 602 gigabits per second on BBC. The previous record was 334 gigabits per second, so that record almost got doubled.
Ryan: It’s scary. I’ve seen people hack payment portals where you can’t tell it’s hacked at all. It’s just behind the scenes. It can look like the same website with the same “Thank You” page – everything looks exactly the same but the payment page is redirected. It may take clients months to notice they’ve been hacked. Usually it’s a customer service complaint about duplicate charges that makes them aware. Even security monitoring tools may not be able to pick them up.
Lorenzo: As an example, Linode, a cloud service provider, has been under attack for several weeks now. To respond, they’ve brought in third party consulting companies, they’re working with providers directly, and they’re adding more bandwidth. Even so, it’s still happening.
IoT Security: Hitting Home
The explosive growth of IoT and the proliferation of devices connected to the Cloud brings internet security threats to an intimate level. Beyond bank accounts and business websites, attacks are now infiltrating personal safety.
Lorenzo: Companies working on IoT in Silicon Valley and elsewhere are under pressure to build for speed and fast investment returns. There is so much money going into the Cloud, they just aren’t giving much consideration to security. That is a disaster waiting to happen.
Preston: Exactly. There was a demonstration recently of a car hack for a production model that was validated several times. People don’t think of their cars as being vulnerable, but they are. And manufacturers aren’t addressing the risks collaboratively enough with vendors. There’s an attitude of passing the proverbial buck.
Ryan: You can even be vulnerable using devices like video monitors simply because you forgot to change the default password. There’s a website showing 50,000+ Foscam video monitors where the passwords were never changed from the manufacturer. The manufacturer was lazy enough to just put “admin” and “password” as the defaults, which means hackers can go on this site, get in and access people’s baby cams or cameras inside their homes.
Preston: So where are we? I’d say we’re at Defcon 5 when it comes to internet security. We’re in a pitched battle with the hackers, and they have the first-mover advantage. This means they issue a new attack vector or scheme using some new exploit and we then react to combat it. However, innovation is occurring, giving us new security methodologies that provide higher hurdles for the hackers to jump (ex. IPSec) and there is the promise of Machine Learning’s potential for predicting new attack vectors and closing those holes before hackers can exploit them.
What Can You Do?
The current state of affairs may look bleak, but there are steps you can take to prevent 80% of attacks. By understanding your responsibilities regarding security and those of your providers, partners and customers, you can increase your ability to prevent and respond to attacks.
Ryan: Improving password management is one of the simplest things you can do to improve security. Change any default passwords you have, and create a password policy that requires passwords to change every 90 days. It’s also smart to use password tools like KeePass, RoboForm, or LastPass that generate random passwords, encrypt them, and keep them in one place (not on a sticky note on your computer). Adopting multi-factor authentication for sensitive data also blocks password-based attack vectors.
HIRE SECURITY PROFESSIONALS
Preston: We urge clients to be proactive early on and put as many roadblocks in place as possible so that they aren’t just low-hanging fruit for attacks. Companies like Redhawk Security have the capabilities and tools to handle the onslaught and are worth the investment, particularly if you’re doing e-commerce or dealing with private information.
KEEP SOFTWARE UPDATED
Ryan: If you use popular open source content management systems like Joomla, Drupal, WordPress, or Magento – hackers know those systems inside and out and know how to exploit their weaknesses. Keeping those updated and upgraded to the latest versions goes a long way to protecting you. That goes for applications like Internet Explorer and others you use every day. Don’t just assume they are automatically updated.
FOLLOW INDUSTRY STANDARDS
Preston: HIPAA, SOX and/or PCI compliance ensures that companies are following required security standards in terms of what measures to put into place. Know whether your providers and partners are in compliance.
THINK LIKE A HACKER
Ryan: When we work with our clients, we’re not just simply developing a functionality. We also have to approach solutions with the mind of a computer hacker. We have to evaluate where the security holes are, figure out how to patch them, decide how we can prevent an attack, and analyze how fast we can respond if it does happen. That can take over 20% of a project budget.
At Five Talent, our expertise is with data in transit: Is the source it’s coming from authorized, unauthorized or anonymous? Once data gets to the system, how is it being communicated within our applications? And when it actually goes to sit somewhere, whether it’s a database or file system – how is it encrypted? Who can access it and how?
These are the questions we ask on any project during development to ensure we are addressing security. That is our responsibility as a developer. We advise our clients to consider everything they can do internally as well, and that collaboration pays off when it comes to keeping information secure.
From our Five Talent Team to yours, may the Force be with you.
Stay tuned for a deeper look at technical aspects of security and protection in Part 2: INTERNET SECURITY THREATS PART 2.