
During a visit to a client today we discussed AST (Application Security Testing) and agreed that it would be an interesting addition to their security programme. During the visit I was tasked with investigating what it would cost. I have to say that I was somewhat baffled by the license prices once you looked at the enterprise tiers.

Isn't there anyone offering AST as a service?

During the last months I have looked into breach detection. There are several figures on the web from different reports and of course there is no exact number, but the estimate is somewhere around 263 days, give or take 50. In any case it is still far too large a number.
During a presentation recently I was asked how I would explain this to top management in a way they could understand. I came up with the following description:
Imagine that someone enters your house, eats your food, pets your dog, talks to your neighbours and sits in your favourite chair without you ever noticing. Can you imagine what damage they could have done? When you realise that someone has been there you find traces everywhere, and you find that you need to replace everything you have and that many things are lost forever.

263 days…

I have a long track record with business-down situations. When everything fails and no one manages to get the systems up and running again, my phone used to ring and I was expected to come and solve the situation, and I always did. After a while you have seen it all and know where to tackle a specific problem. One thing that was very common then, and sadly still is, is the lack of incident response plans. In at least 40% of the cases a simple incident response plan would have stopped the problem in its tracks and reduced it to a simple backup restore. Today, in 2014, only two-thirds of companies have incident response plans. In any business-down situation those plans are worth their weight in gold. Anyone who has had a visit from me knows that.

Finding hard facts and statistics about breaches is quite often a cumbersome process. For this reason I have added a new keyword, Security metrics, to tag posts where I have identified valuable security metrics.

This is a report from the UK with some interesting facts. 81% of large organisations had a breach during 2013, and the average cost of the worst breaches was estimated at £600k – £1.5M. The median number of breaches for large organisations was 16. Even if the cost of a small breach was substantially lower, it still puts the total cost of breaches for a company at a very high figure.

Something to think about when you ask for the budget next year.

Running a small business with an unknown brand is no longer protection enough against attacks. As soon as you have a web presence you will be scanned and possibly hacked. The reason small businesses are now in scope for attacks is that they quite often have weaker defences and are simply easier to breach. As companies tend to integrate with each other, a foothold at a minor company that integrates with a bigger target could prove to be a great way to get hold of the riches in an otherwise hard-to-crack large corporation. So investing in cyber security will be important even for smaller companies if they want to conduct business with larger, more secure companies. Read some more insights about small companies here.

Military attacks are quite often interesting from the viewpoint that sooner or later they find their way into attacks geared towards civil companies. I doubt there is much to gain from targeting civil nuclear centrifuges, but of course there are other possibilities. Reading this article you get a bit of insight into how Stuxnet was initially deployed and the first type of attack that was launched. It turned out that one vector of attack was highly specialised contractors that were lousy at cyber security.

With the trend of outsourcing everything and acquiring systems where you depend on a contractor to manage the system you need, you are possibly handing an attacker a foothold.

If you have ever been to Sweden you know that the third Friday in June is Midsummer Eve and all of Sweden celebrates that summer has finally arrived. I'm no exception, so just a short post today.

If a credit card sells for as much as $40 and is then resold for $20, $10, $2, $1 and $0.1, making a grand total of $73.1, how much money is there in a hack that nets you 300 000 credit cards with CVV codes? Simple enough: $21 930 000. Anyone still think that credit card theft is a declining business?

There is way too much money in it still.

If you have decided to start working in security you have understood by now that you need to read, read and read a lot more than you originally thought. Not everything is about that happy moment when you manage to open a DOS prompt and get full root access to a server. Most of the time you try to understand the complexity of an environment and where the vulnerabilities are.

One paradigm that has been around for quite a while is the belief that you could protect everything and build a hack-proof system. This has finally given way to the notion that you WILL be hacked and that you should focus on protecting what has value instead of trying to protect everything. Otherwise the cost of security will be too high, making it impossible to do business. In conjunction with this, every manager should include the cost of managing breaches as part of the cost of conducting business on the web. At least for now.

Currently the situation resembles trying to conduct business during a war. At any given time enemy troops could come running in through your door and either shoot you or loot your store. Sadly we need to focus on the resilience of our business rather than on protecting it, making sure that it can withstand at least being partly hacked.

One of the more interesting pieces of malware I have encountered is CryptoLocker. As most of you are aware, it exploits people's inability to take and manage backups of their files. When it manages to install itself on a user's computer it encrypts a number of different file types and demands money from the user to decrypt the files again.

CryptoLocker uses an algorithm to generate new domain names for its command and control servers on a daily basis. When BitDefender managed to break the algorithm and registered the domains before CryptoLocker did, they found that about 12 000 computers were infected by CryptoLocker and that most of them were in the US.
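The daily domain generation described above is what a defender can look for in resolver logs: generated names tend to be long, high-entropy and vowel-poor compared with real brands. The following is an added example, not code from the post or from BitDefender, and the heuristics and thresholds are my own assumptions rather than CryptoLocker's actual algorithm; the log lines are constructed.

```python
# Added example: flag DGA-style lookups in DNS resolver logs.
# The heuristics (label entropy, vowel share, length) and the point
# thresholds are assumptions, not CryptoLocker's real generator.
import math
from collections import Counter

# Constructed sample: simplified resolver log, "timestamp client domain".
SAMPLE_LOG = """\
2014-06-20T08:01:02 10.0.0.15 www.example.com
2014-06-20T08:01:05 10.0.0.15 mail.example.com
2014-06-20T08:01:09 10.0.0.23 qkxwtrhyplmvzbdfgs.org
2014-06-20T08:01:11 10.0.0.23 pxjvqzwkrtmhb.net
2014-06-20T08:01:14 10.0.0.23 fwdlkcmqzxtvsbprn.biz
2014-06-20T08:01:20 10.0.0.31 cdn.wikipedia.org
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random strings score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'example' in www.example.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_points(domain: str) -> int:
    """Heuristic 0..5 score; higher means more DGA-like (assumed cut-offs)."""
    label = second_level_label(domain)
    if len(label) < 6:                      # too short to judge
        return 0
    vowel_share = sum(ch in VOWELS for ch in label) / len(label)
    points = 0
    points += 2 if shannon_entropy(label) > 3.2 else 0   # near-random letters
    points += 2 if vowel_share < 0.2 else 0              # unpronounceable
    points += 1 if len(label) > 12 else 0                # unusually long
    return points


def flag_dga_lookups(log_text: str, threshold: int = 3) -> dict:
    """Return {client_ip: [domains]} for lookups scoring >= threshold."""
    hits: dict = {}
    for line in log_text.splitlines():
        _ts, client, domain = line.split()
        if dga_points(domain) >= threshold:
            hits.setdefault(client, []).append(domain)
    return hits
```

A client that resolves several such names in a short window, as 10.0.0.23 does here, is a candidate for isolation and a backup check rather than proof of infection on its own.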

For some reason the culprits behind this infection have decided to target only US computers, and infected computers outside the US are mostly collateral damage.

So if you are not living in the US you are most probably safe from infection for now, but this will change when the pay-out rate goes down. Others will create malware similar to CryptoLocker and start targeting on a bigger scale.

If you haven't taken a backup yet, now is a very good time to do it.

Not all my clients are big international companies with subsidiaries all over the world; on the contrary, quite a number are small to medium companies with a lot less budget for managing security, and hence a lot of my assignments focus on minimising cost while giving them as much security as possible.

As very few of them have ever experienced a major security incident (hopefully due to my work), they tend to underestimate the risk of ever experiencing a breach. No matter the numbers I produce, I'm typically met with the belief that 'We are too small to be of interest and have nothing that is valuable.'

That is seldom the case. Even small companies have valuables in one way or another. Most of the time they have some kind of intellectual property that should be protected, but at the very least they have infrastructure that an attacker would like to use for their own ends: as Bitcoin miners or as a jump station to launch attacks at others, and in the meantime to check for credit cards, commit some minor fraud by ordering phones to another address and use the affected company's accounts for hardware purchases.
