Editor's note

Recommendations

Info

Persistent Within Information Security Community, and mainly amongst hacking techniques experts, there is a belief that no matter how many protective measures you implement, targets will always be potentially vulnerable if there is enough time and motivation. Unfortunately this has proven to be true in most cases. In fact, when we say that these attacks are persistent we mean that they focus in a given target, using different techniques until reaching their goal. Usually when computer attacks are addressed from a business standpoint, it is very common to say that it has to do with a large scale businesses; in other words that the ultimate goal is to launch a massive threat that will only hit on a restricted number of victims, though this is more than enough to have a return on investment and profit. Threat Use of different techniques and coordination of multiple resources to achieve a goal, tell us about a very strong motivation: APT attacks share a feature in common; all individuals involved in the attack are determined to accomplish their objective. A threat is the possibility of materializing a risk; if we think about a group of organized people, with resources at hand, the necessary skills to use those resources and the determination to insist on the attack, it is clear that the hacking maxim mentioned before gains a renewed meaning! What Is Hidden In The Name: If All The Aforesaid Had Not Worried You … It’s important to bear in mind that this kind of attacks are also based on unknown techniques, i.e. vulnerabilities or exploits non massively diffused or announced, since perpetrators of these attacks have the necessary time and skills to develop them. This is a key reason why these kinds of attacks are different from the rest. While traditional attacks pursue simple targets (based on a cost-effective ratio between their efforts to vulnerate and the financial gain), APT attackers are willing to do everything just for accomplishing their goal, even if it implies the development of some new kind of threat. Use of unknown threats and new kinds of attacks bring value added for APTs, something attackers are really looking for; this makes their early detection more difficult! Like we said, these attacks are characterized by their sneakiness; the purpose here is to keep threat inactive or acting undetectably, steeling information. For example, by enhancing effectiveness time; the longer these techniques (used to permeate information and starterkit 02/2011(2) SOCIAL FRAUD make use of the threat) remain anonymous, the better for attackers. Digital Identity And Brand… Weren’t They “Intangible”? If there is something Advanced Performance Threats have made possible, is the fact that they have turned some kind of assets usually referred to as intangibles into something concrete. Of course, the Marketing & Finance Areas have always known quite well the (monetary) value of a brand (both for a company and for a line of specific products). Nonetheless many IT Departments have not handled the same business parameters to value and protect these assets. However, from the attack that infringed security of a renowned consumers good brand and modified the contents of a recipe where those those products were used, up to more complex issues where very expensive Intellectual Property infringements took place, the threats referred to in this whitepaper show the high exposure degree to which a company’s most significant assets are exposed (in fact many authors agree that brand is the most valuable asset). Technology and Security Areas Managers should pay much attention on this issue. If their objective is to add value to the business and become strategic business areas for the organization, the fact of the company investing lots of money in advertising and social action campaigns to raise the value of a brand, and then having this value affected because of computer attacks, would not only jeopardize the organization’s confidence on these areas, it might as well be seen as a weakness. Conclusion We shall review next some key items at the time of evaluating our protection against APT attacks; once again do not consider this as a thorough list, since we may find many other information sources with different and highly useful recommendations. Though I do strongly recommend considering all these aspects and analyzing how each one applies to the organization. Risk Analysis: Imminent Realization! In general, the best way to understand what proactive measures are required to reduce exposure degree, and therefore threatening risks for organizations is to perform a risk analysis. However, please <strong>note</strong> that I am referring to quantitative risk analyses, made in a wide awake and thorough manner, including all organization’s information assets, i.e. the kind of interdisciplinary Page 32 http://pentestmag.com
analysis that should not be made by the IT area alone, where all organization’s areas should be necessarily involved. These kinds of analyses typically require of an external vendor’s assistance with a team of experts who contribute with their skills, experience and qualified human resources to accelerate information gathering and classification. I believe every organization should implement this kind of analysis, and at least should update them on a yearly basis. This is something stated by several international standards for many years now (ISO 17779, ISO 27001, BS 7799) as well as for the methodologies that support this task (MAGERIT, COBIT). Lack of analyses to assess an organization’s assets and exposure risks has several impacts on IT and Information Security strategic planning, though it hits as well everyday matters, i.e. investment rationale! Ghosts do Exist I have tried to reinforce the secret characteristic of APT attacks. This is something that should make us think that chances of having our organization’s components infected are very high (or are on their way to being infected). In fact, many experts go a bit further and propose working based on a specific assumption; that their organization has already been infected. So they suggest working as from there. I must confess that I agree with this approach! Assuming that company has been infected by some kind of silent threat does not mean to check that you have the latest antivirus version in place or review the list of open ports at the firewall; this is an indepth insight and self-awareness process where all technological aspects, processes and human resources of the organization should be involved. Controlling Is Not The Same Than Prohibiting Many organizations have decided to limit (or directly prohibit) access to social networks, messaging, and a growing number of websites and applications to their employees; in most cases this is the plain result of categorizing these sites as dangerous, and in the best case scenario reveals a deep unawareness of how social networks and individuals work. It’s been widely proven that any ban triggers a countermeasure; if users want to access a forbidden site they will certainly find their way to do it, and most likely while trying to do so new problems will arise. Some organizations, further to a risk analysis make a quantitative decision to prohibit one or several applications based on a tangible business risk. Well, those organizations are in the right pathway; however starterkit 02/2011(2) they represent a minimal amount out of the aggregate; and those who have really made it usually opt to forbid the least possible number of sites. Before prohibiting, organizations should first evaluate what the benefits are of controlling use of these potentially hazardous applications; social networks are growing sources for revenue generation, in addition to relatively low-cost and widespread promotion sources! Many companies have people devoted to managing promotion and sales channels in social networks. If companies are going to increasingly use this kind of communications channels as an alternative to the traditional ones, maybe the wisest thing to do would be recognizing those potential benefits and opportunities of encouraging a controlled use to minimize risks, rather than trying to prohibit something that sooner or later, in one way or another we will have to allow, without the skill and experience we would have gained if we had cleared it from the very beginning. On the other hand, the fact of prohibiting something makes us feel we don’t have to worry for that anymore, something that may turn into a double-edged sword! Although Devices Are Not Company-owned, They Still May Have Company’s Information Some years ago it was very easy to draw an imaginary line between the organization and the outer world (perimeter), and focus our protection efforts in safeguarding the traffic through this line. The regulating principle for this approach was that everything inside the line belonged to the company and therefore had to be protected, while everything on the other side of the line belonged to the outer world and it was the source of any threat. Even though we should have quit that myth several years ago due to some statistics showing that above 70% of attacks perpetrated against an organization had their source on the intranet (i.e. the inner side of the perimeter); over the last years we have seen that line blur at a high-speed pace; first due to timework expansion, followed by Business to Business interconnections; and more recently the Coup de grậce (finishing blow) fostered by the increasing adoption of Cloud Computing. Well then, in addition to everything known and mentioned in this paper, a new kind of threat is knocking on our doors; and we’d better take it into account; let’s welcome Smartphones, PDAs, tablets and alike! These devices, that in most cases are not property of the organization, usually have access to email and other systems, and possess organization’s critical information that not only are outside organization boundaries, but travelling directly who knows where, without any kind of security control whatsoever. Page 33 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31: who are responsible for IT service
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39 and 40: Resource • http://www.iso.org/iso
Page 41 and 42: etc., and create mayhem. And all of
Page 43 and 44: your business managers do not appro

Editor's note

Create successful ePaper yourself

Delete template?

Save as template?