Can you spot a breach?
Mar 20th, 2013 by Jesper Kråkhede
The average time to spot a breach is 210 days. That is a terribly high number, and the damage to an organisation is probably a lot higher. A hacker having 210 days to walk around inside the digital vaults of any company surely opens the door to tremendous losses of information and assets. One of the main reasons that admins don't identify a breach is logging. Some companies have complex log gathering systems that collect logs from all servers but still fail to identify a breach.
Why is that?
Most commonly this is due to two major reasons: no risk-analysis-based logging, and a lack of secure coding practice.
Collecting all logs without knowing what to look for means that you spend a lot of time chasing red herrings while the hacker walks around undisturbed. Once in my career I penetrated a company, registered myself as a trusted visitor, took my laptop including my tools, walked to the CIO's office and said: ‘Let's see if the security staff are alert!’ I fired off a large scan and after a minute the CSO was on the phone more or less yelling: ‘We have a hacker in our network!’ The CIO calmly replied: ‘Yes, he breached us a week ago, printed a pass and is currently in my office making fun of you.’ Needless to say there were huge changes in how they approached security after that.
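To make the point concrete, here is an added example (not code from the original post) of what ‘knowing what to look for’ means in practice: instead of grepping through everything, one rule is keyed to one identified risk, an already-inside host sweeping ports, which is exactly what the CSO should have caught within a minute. The log format, the thresholds and the sample lines are all constructed for the example.

```python
# Added example: a single rule keyed to one risk (internal port sweep)
# rather than "collect everything and hope". Log lines are constructed,
# firewall-style: "<epoch-seconds> <src-ip> -> <dst-ip>:<dst-port> <verdict>".
from collections import defaultdict
import re

LINE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")

def parse(line):
    """Return (ts, src, dst, port, verdict), or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, verdict = m.groups()
    return int(ts), src, dst, int(port), verdict

def scanning_hosts(lines, window=60, min_targets=20):
    """Flag sources that touch >= min_targets distinct (dst, port) pairs
    within any window-second span. Distinct targets, not line count, is
    the signal: a chatty but legitimate host hits the same few ports."""
    events = defaultdict(list)  # src -> list of (ts, (dst, port))
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, port, _ = rec
            events[src].append((ts, (dst, port)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        seen = defaultdict(int)  # (dst, port) -> hits inside the window
        for ts, target in evs:
            seen[target] += 1
            while ts - evs[start][0] > window:  # slide the window forward
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                flagged[src] = ts  # first timestamp at which the rule fires
                break
    return flagged

# Constructed sample: a normal workstation plus a visitor laptop sweeping ports.
SAMPLE = [f"{1000 + i * 30} 10.0.5.20 -> 10.0.1.5:443 ALLOW" for i in range(30)]
SAMPLE += [f"{2000 + i} 10.0.9.77 -> 10.0.1.{1 + i % 3}:{20 + i} DENY" for i in range(40)]

if __name__ == "__main__":
    print(scanning_hosts(SAMPLE))  # {'10.0.9.77': 2019}
```

The workstation produces three times as many lines as the sweep yet never fires the rule, which is the difference between log volume and a risk you decided to watch for.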
A lack of secure coding practices means that not only are you open to direct attacks; you also have no clue what is happening inside your application, because nothing is logged.
One of the first rules of security is to have knowledge of what is happening.