Penetrating the impenetrable

Opinion by Dan Raywood

With high profile targets hit in recent times, Paul Vlissidis, technical director at NGS Secure, part of NCC Group, looks at recent incidents and what lessons can be learned.

With high profile targets hit in recent times, Paul Vlissidis, technical director at NGS Secure, part of NCC Group looks at recent incidents and what lessons can be learned.

When it comes to protecting information, nowhere should be more secure than our financial institutions and our governments, but recent events have proved that nowhere can be 100 per cent safe. NASDAQ OMX's Directors Desk web app was compromised by hackers at the end of last year; the websites of South Korea's presidential office and other major public bodies were shut down by a distributed denial-of-service (DDoS) attack at the beginning of March; and the French Ministry of Finance was targeted by a hack aimed at documents outlining French and G20 economic planning.

There is no doubt that these organisations will have the protection of some of the most sophisticated security systems available, and tested by expert developers. Where many have fallen down is by putting all their trust in software and ignoring the risk of human error, something that is becoming more and more likely with the changing ways in which people interact with technology.

NASDAQ's Directors Desk app looks like a classic case in point. This is an example of what can happen when an organisation that has traditionally been very secure and locked down has gradually started to offer more innovative ways to connect with its customers.

If the potential security implications have not been thought through thoroughly, or if the application was only tested by the developers rather than from a user's perspective, the probability of a vulnerability occurring is dramatically increased.

The inexorable migration to mobile devices and the attendant unforeseen risks is currently the next big accident waiting to happen. How many corporate issue tablets and smartphones are communicating across unencrypted, untrusted networks at any given time? How many have installed untrusted apps? There is a real need to put more emphasis on application scanning and not only of web apps, but also of mobile ones.

However, the vulnerability no company can patch is the people. This means that today's big security issue will be those within the organisation, particularly when huge numbers of employees have so many channels through which they can communicate on behalf of the company or even simply reveal their association with it.

Serious attackers will always identify and target this weakest link, which means that for the foreseeable future, social engineering will be one big reason we are losing the security arms race. It is well nigh impossible to get people not to open an email, or not to click on a link if they have no concept of the potential consequences.

We conducted an experiment a few years ago in which 42 per cent of FTSE 500 finance directors plugged in a memory stick we sent to them anonymously. I am not convinced if we ran it again that we wouldn't get an even higher proportion.

Unfortunately, there is no technological silver bullet for the issues we are facing today. Properly applied, most modern security technology will go some way towards mitigating the risk. One area that may be overlooked is the desktop, a significant number of malware infections occur as a result of ordinary users simply browsing the internet.

It is of paramount importance that the desktop is effectively locked down and updated, going further than simply the OS and looking at all the software to make sure it is fully secure. Deployment of host intrusion prevention can help to mitigate risks but many of the new advanced persistent threat attacks can bypass standard endpoint security.

Most companies already restrict internet usage, particularly if they are sophisticated finance houses or government departments, but people will still happily paddle into unknown corners of the internet without a second thought. The situation we now find ourselves in is an indictment of security awareness and training that has been far too techno-centric and inaccessible, to the extent that most people don't understand why the internet is such a dangerous place.

Just as we rightly expect all car drivers to understand the Highway Code so must all users of internet-connected devices have a better understanding of how to behave in a less risky manner. Only then do we stand a chance against hackers, threats to corporate information and national security mean we cannot afford for them to stay one step ahead any longer.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events