My Network: How Scared Should I Be?
How can I stay safe?
The only real solution is abstinence—don’t use the internet, don’t open emails, don’t let people in the building.
Sure, it won’t do much good if you have a business to run, but that doesn’t mean it won’t work. For years, I’ve run a team of engineers that track malicious methods and trends and provide comprehensive penetration testing. Basically, we find the easiest ways to get into a network and provide a map of vulnerability. The only 100% way to be safe is to stay off the internet, off of email entirely.
Okay, if you insist on running a business, having employeees and giving them tools to do their job, I thought it’d be worth knowing—from a veteran pen tester—exactly how paranoid to be about the different channels of malicious access.
We’re doing a webinar next month going over how to pinpoint vulnerability with penetration testing, but I wanted to put up an at-a-glance update on some paranoia grades based on what I’ve been seeing lately. So here, heading into summer of 2017, are grades from one-to-ten of how nervous you should be about some of the ubiquitous tools of business.
Scale of 1-10: How scared should I be?
Looking at recent headline worthy breaches over the past 2-3 years, most began with email phishing that included a link. Common attack vector, really easy to do, high impact and risk.
Email
Now: 9
Is an incoming email from someone in your company? A partner or customer? Hard to tell, since hackers regularly grab info about company structure, partnerships etc. from LinkedIn, Google, or your website and send out emails using friendly or familiar names from seemingly friendly or familiar domains.
How can you tell if it’s legit? You can’t always. Best practices would have all your users carefully reading email addresses, but everyone gets a little numb to care when it comes to email so it may be up to you to institute policy or tools to reduce risk.
Web
Now: 8
Hackers have been building dummy pages and portals in front of your login pages, forms on friendly sites. These things pass the eye test and rely on the fact that most people are so used to typing in their credentials, they’ll do it without thinking.
How do you know you’re not being duped? You can’t always. But tools can be installed that will warn users and single-sign-on solutions will help notify when you’re on an unfamiliar site.
Now, things are changing pretty fast.
The next two aren't as widely targeted today by your run of the mill bad guy. Currently, attacking these inlets is the MO of an advanced attacker or nation-state. But this is changing quickly, the attacks are getting easier, IoT proliferating. Because of that, I added current paranoia level and what people really should start worrying about soon
Hardware
Now: 3
Soon: 5
We’ve gone into shops during a pen test and plugged USB sticks into computers. You can even drop one on the ground and count on someone’s curiosity to give you access. There’s a lot of USB sticks in use at most companies. Most people—even security people—won’t think twice about each USB they see sticking out of a computer.
How can you tell if each one is legit? You can’t always. Ideally, your security staff’s best bomb diffusers could analyze each one, but that’s unlikely. This is another attention and policy matter: create a set of rules about this kind of thing.
The Building
Now: 4
Soon: 6
Yeah, you read that right. There’s a downside to IOT proliferation, to everything from security cameras to door locks interacting with your network. If they get in, now they can really get in. This is a worry that’s still relatively rare, but in our work we’ve been surprised by how much access you can get to building systems in today’s network landscape. Best bet here is compartmentalizing physical controls to the point that even if someone gets in, it won’t be easy for them to take control of the building itself.
Okay, it sounds scary. But don’t be scared. The best response to all this is the mantra we always work to hammer home— keep learning. Don’t assume things won’t keep changing, don’t assume what kept you safe yesterday will work tomorrow. Be ready to adapt, and keep track of the ways in which you need to. Keep learning.
From us, if you have time.
- Dave