Targets of Opportunity

I cannot keep track of the number of times I have been with customers who discuss their network and its security only to hear the following:

“We are a <Non-IT business> and there is nothing on our network that a hacker would want. Why should we be worried about making sure our network is secure?”

Wow! What a statement. It astounds me every time I hear it. There are many ways to reply to such a statement—some of which are politically correct, and some of which are not. Usually the person making this statement is a customer, so the focus here should be on the politically correct response.

This statement epitomizes an attitude known as Security Through Obscurity. In this book, you will see that when it comes to security, relying on obscurity is dangerous, regardless of the company’s size or business, and it is rarely if ever effective. Just because you haven’t been p0wned yet does not mean it won’t happen to you or your corporation. Even if you have sophisticated monitoring, detection, and threat remediation tools and processes in place, how could you be sure the threats and exploits have not evolved past your current controls and countermeasures?

Perhaps the company in question is not a financial institution, but its network certainly contains servers, hard drive space, bandwidth to the Internet, and personal employee information. With the shift to private and public clouds, the challenge can be even greater. Believing that this information is unimportant to a hacker can be fatal. An asset valuation and classification program is essential to categorize and identify what information your corporation has and to assign it an appropriate protection level. Consider what a hacker could do with such information:

Servers: Hack a server, and you get a slave device that could potentially be used remotely to attack other, more important targets. Can you envision getting a call from men in dark suits that have no sense of humor regarding what your server might be doing? How does the shift to server virtualization, with hypervisors and guest hosts, change the security controls you need to consider? (I personally have assisted companies in ridding themselves of devices in their network that had become part of a botnet that was using them for nefarious purposes.)

Hard drive space: Every network has PCs with unused disk space. What if you were hacked and files of a questionable or perhaps even illegal nature were placed on them? Consider what the lawyers enforcing copyright laws or law enforcement might do if the files were to contain illegal types of pornography or terrorist material. In addition, most PC hard drives today are of the multihundred gigabyte variety or larger, the capacity of which is attractive to someone who needs to park a recently bootlegged movie or child pornography for a few hours or even days. If this happens in your network, would you know? If data were removed from these drives by a USB key, CD, DVD, or another method, how would you track data loss and have a viable digital or network forensic process in place to recover that data?

Bandwidth and bots: A hacker can always use extra bandwidth and an alternative means of connecting to other companies to hack into them. If they gain access to your network, it is the PCs they want to control and make part of their botnet. A botnet is a collection of computers running malicious software (at Layer 4) enabling them to be controlled and used without the users’ knowledge. Visibility into Layer 4 botnet traffic at the web gateway or firewall is critical both to remediating these threats and to identifying the infected hosts in your network.
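The paragraph above says that Layer 4 visibility at the firewall is what lets you find infected hosts. The following is an added example (not code from the book) of what that visibility buys you: it parses a constructed, simplified firewall connection log and flags two bot-like patterns, a host calling one external endpoint on a near-constant timer (beaconing to a controller) and a host fanning out to many external hosts on a single port (being used to attack others). The log format, the `10.0.0.0/8` internal range, and the thresholds are assumptions; real firewall exports carry more fields.

```python
"""Spot bot-like behaviour in Layer 4 firewall connection logs.

Added example (not code from the book). The log format below is a
constructed, simplified "<ISO time> <src> <dst> <dport>" line per allowed
outbound connection; real firewall exports carry more fields.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the corporate address space

# Constructed sample: one host beaconing to a single controller every 5 minutes,
# one host fanning out to many external SSH servers, and one ordinary user.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:{m:02d}:00 10.0.5.21 203.0.113.7 443" for m in range(0, 30, 5)]
    + [f"2024-03-01T09:{m:02d}:30 10.0.9.9 203.0.113.{20 + m} 22" for m in range(12)]
    + [
        "2024-03-01T09:00:03 10.0.3.3 192.0.2.50 443",
        "2024-03-01T09:00:47 10.0.3.3 192.0.2.50 443",
        "2024-03-01T09:13:20 10.0.3.3 192.0.2.50 443",
        "2024-03-01T09:14:05 10.0.3.3 192.0.2.77 443",
    ]
)


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            records.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_beacons(records, min_conns=5, max_jitter=0.1):
    """Internal hosts calling one external endpoint at a near-constant interval.

    Returns {(src, dst, dport): (connection_count, mean_interval_seconds)}.
    Jitter is the standard deviation of the gaps relative to their mean.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        if is_internal(src) and not is_internal(dst):
            flows[(src, dst, dport)].append(ts)
    hits = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = (len(times), avg)
    return hits


def find_fanout(records, min_targets=10):
    """Internal hosts touching many distinct external hosts on one port.

    Returns {(src, dport): number_of_distinct_external_destinations}.
    """
    targets = defaultdict(set)
    for _, src, dst, dport in records:
        if is_internal(src) and not is_internal(dst):
            targets[(src, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst, port), (n, avg) in find_beacons(recs).items():
        print(f"beacon: {src} -> {dst}:{port}, {n} connections every ~{avg:.0f}s")
    for (src, port), n in find_fanout(recs).items():
        print(f"fan-out: {src} reached {n} external hosts on port {port}")
```

Both checks work on nothing more than source, destination, port, and time, which is exactly what a firewall or web gateway sees at Layer 4; the beacon test tolerates up to 10 percent timing jitter, and the ordinary user's irregular browsing to a couple of sites trips neither rule.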

Personal employee information: Armed with all the information an employer might need to verify employment and even pay its employees, a hacker could engage in identity theft. Consider the way in which corporate credit cards, Social Security numbers, addresses, and payroll information are stored—juicy information for a hacker.

These hacker activities could place IT personnel, management, or even the entire company in danger with legal or criminal ramifications, not to mention the bad press associated with being hacked to this degree. Consider a company’s brand or reputation being destroyed and having to rebuild from there.

The more important question is not “Why (when) would someone hack us?” but “Am I vulnerable enough to be selected as a target?”

Targets of opportunity are clearly the easiest for a hacker to penetrate: something has happened, or failed to happen, that lets a hacker easily identify and gain access to a corporate network that has nothing valuable on it, except all the PCs or virtual hosts.

Are You a Target of Opportunity?

In many cases, hackers prowl and crawl the Internet using a variety of tools (covered in Chapter 12, “Tools of the Trade”) and usually have an agenda in mind when they discover a potential target. In addition to hackers, there are a variety of individuals known as script kiddies.


Note

A script kiddie (sometimes spelled “kiddy”) is a derogatory term, originated by the more sophisticated hackers of computer security systems, for the less skilled and not necessarily younger, but unfortunately often just as dangerous, exploiter of Internet security lapses. The typical script kiddie uses existing and frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet—often randomly and with little regard for, or perhaps even understanding of, the potentially harmful consequences. Hackers view script kiddies with alarm and contempt because they do nothing to advance the “art” of hacking, except sometimes unleashing the wrath of authority on the entire hacker community.


Although a hacker takes pride in the quality of an attack—leaving minimal to no trace of an intrusion, for example—a script kiddie might aim at quantity, seeing the number of attacks that can be mounted as a means of obtaining attention and notoriety. Script kiddies usually hack for the challenge and not for financial gain, although that can be a motivator. As novices, script kiddies often do not know what they are doing and can inadvertently cause a Denial of Service (DoS) attack. The word is that, in most cases, expert hackers were script kiddies at one time—makes sense because everyone has to start somewhere.

Determining whether you are a target of opportunity depends on your security infrastructure. A good rule is that if you do not have a firewall in place, or your firewall has not been updated in a while, you are likely to be a target of opportunity. Because hackers employ automated tools that look for vulnerabilities in your security, script kiddies are the most common threat to networks that are targets of opportunity. One of the easiest ways to ensure that you do not become a target of opportunity is to update your infrastructure (firewalls, IPS/IDS, secure routers, switches, servers, and PCs) with the latest patches. Do not get lulled into a false sense of security by patching only a server or two. A formal test and patch management process should be in place.
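The rule above (no firewall, or a firewall that has not been updated in a while, marks you as a target of opportunity, and patching only a server or two does not count) can be turned into a routine check. The following is an added example, not code from the book: it audits a constructed device inventory against per-role maximum patch ages, reports which devices are stale and what fraction of the estate is current, and applies the book's firewall rule to decide whether the network looks like a target of opportunity. The inventory, the thresholds in `MAX_AGE_DAYS`, and the audit date are all assumptions; a real audit would pull last-patch dates from the patch management system.

```python
"""Patch-age audit: does this network look like a target of opportunity?

Added example, not code from the book. The inventory, thresholds and audit
date are constructed; feed real last-patch dates from your patch system.
"""
from datetime import date

# Assumed maximum acceptable number of days since the last patch cycle, per role.
MAX_AGE_DAYS = {
    "firewall": 30, "ips": 30, "router": 60, "switch": 60, "server": 30, "pc": 30,
}

# Constructed inventory: device name, role, date of the last applied patch set.
INVENTORY = [
    {"name": "fw-edge-1", "role": "firewall", "last_patch": "2024-01-15"},
    {"name": "ips-1", "role": "ips", "last_patch": "2024-02-20"},
    {"name": "rtr-core", "role": "router", "last_patch": "2023-11-02"},
    {"name": "web-01", "role": "server", "last_patch": "2024-03-01"},
    {"name": "db-01", "role": "server", "last_patch": "2023-09-30"},
    {"name": "pc-0042", "role": "pc", "last_patch": "2024-02-28"},
    {"name": "pc-0043", "role": "pc", "last_patch": "2023-12-12"},
]


def days_since(last_patch, today):
    """Days elapsed between an ISO date string and the audit date."""
    return (today - date.fromisoformat(last_patch)).days


def audit(inventory, today, max_age=MAX_AGE_DAYS):
    """Return stale devices, patch coverage, and the target-of-opportunity verdict.

    The verdict follows the rule in the text: no firewall at all, or a firewall
    whose patches are older than its limit, makes the network an easy target.
    Coverage is reported separately so that a current firewall in front of an
    otherwise unpatched estate still shows up as a problem.
    """
    stale = []
    for dev in inventory:
        limit = max_age.get(dev["role"], 30)  # unknown roles get the tightest limit
        if days_since(dev["last_patch"], today) > limit:
            stale.append(dev["name"])
    firewalls = [d["name"] for d in inventory if d["role"] == "firewall"]
    perimeter_ok = bool(firewalls) and not any(fw in stale for fw in firewalls)
    coverage = round(1 - len(stale) / len(inventory), 2) if inventory else 0.0
    return {
        "stale": stale,
        "coverage": coverage,
        "target_of_opportunity": not perimeter_ok,
    }


if __name__ == "__main__":
    report = audit(INVENTORY, date(2024, 3, 5))  # constructed audit date
    print("stale devices:", ", ".join(report["stale"]) or "none")
    print(f"patch coverage: {report['coverage']:.0%}")
    print("target of opportunity:", report["target_of_opportunity"])
```

Run against the sample on 2024-03-05, the firewall is 50 days behind its 30-day limit, so the verdict is "target of opportunity" even though the web server and one PC were patched last week; patching the firewall alone flips the verdict but leaves coverage at 57 percent, which is the "server or two" trap the text warns about.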

Remember that if you and your buddy are being chased by a hungry bear, you do not have to be faster than the bear, just faster than your buddy! You can easily protect yourself such that you might not be a target of opportunity because hackers will see easier targets elsewhere. If you are a target of a hacker, however, you’re going to be thankful for taking action—hopefully, if you have not, this book can help you understand the importance of security.
