September 10, 2007
The good and bad with real world attacks
Get ready for some bold claims.
IT security technology and services provider Global Security Management sent CTO Paul Williams here to the ongoing Security Standard Conference in Chicago where he had some truly intriguing stories to tell about recent attacks that the firm has investigated.
The CTO, whose company specializes, among other things, in training security and government workers to break into IT systems, offered a step-by-step walk-through of an insider job on which the company was hired to perform after-the-fact forensics. The tale highlighted how much havoc insiders can wreak on their companies' operations -- and how they can be paid by outsiders to do it.
According to Williams, the investigation caught a software developer at an unnamed U.S. banking applications specialist who had planted a logic bomb in his employer's applications support systems. The bomb took the firm's services down three days after he left the company on good terms.
After interviewing the perpetrator, GSM investigators and law enforcement officials deduced that he had been paid $3 million to do so by his employer's no. 1 rival.
The CTO claims that GSM was able to identify the individual responsible for the attack based on an examination of the original resume he had filed with the firm -- a tactic Williams said can be used to smoke out insider attackers with a great degree of success. Williams said that software developers in particular often leave explicit clues about their style of work in their resumes that can prove useful for later forensics. (So hold onto those resumes, HR types.)
GSM established that it was an insider job by setting up a clean computer and rolling its clock back to before the time the attack was first launched and took down the affected company's systems. By recreating the scenario, investigators could easily tell that the threat had not come from outside the company's walls, he said.
Williams estimates that one-third of the insider attacks his company investigates center around disgruntled software developers, including a fair amount who have been flipped by criminal groups.
In many cases the people involved are even well thought-of by their employers, making it even harder to figure out who is attacking a company, and why, he said.
Companies make it easy for such scams to be carried out based on a lack of internal controls, according to the expert.
"Many small problems lead to attacks on this level," Williams said. "It may appear to be secure in your company but it's probably not, we see the same things everywhere we go, including inside large companies."
Among the hallmark mistakes the banking software firm made were poor source code controls, a lack of separation of duties, no peer review of code, and poor security around its product images.
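The page does not say how the bomb was built or found, so as an added illustration (not GSM's method or code from the original post), here is the kind of cheap peer-review aid that the missing code review would have given a chance to catch: a static check that flags comparisons of the system clock against a hard-coded date inside a function body, the classic shape of a time-triggered logic bomb. The sample source it scans is constructed for this example; the trigger date and the `drop_all_customer_tables` call are hypothetical and do not come from the case described above.

```python
import ast
from dataclasses import dataclass

# Constructed sample application code (hypothetical, not from the case on the
# page). nightly_maintenance() carries a date-triggered branch of the kind a
# logic bomb uses; is_expired() is a legitimate comparison of two runtime values.
SAMPLE_SOURCE = '''
from datetime import date, datetime

def nightly_maintenance():
    # trigger hard-coded to a date shortly after the developer's departure
    if date.today() >= date(2007, 9, 13):
        drop_all_customer_tables()
    rotate_logs()

def is_expired(cert_not_after):
    # both operands are runtime values, so this is not flagged
    return datetime.now() > cert_not_after
'''

# Method names that read the system clock: date.today(), datetime.now(), ...
CLOCK_CALLS = {"today", "now", "utcnow", "time"}
# Constructors whose all-constant arguments make a hard-coded calendar date.
CTOR_NAMES = {"date", "datetime"}


@dataclass
class Finding:
    lineno: int          # line of the suspicious comparison in the scanned source
    trigger_date: tuple  # the literal (year, month, day[, ...]) it compares against
    function: str        # enclosing function name


def _is_clock_read(node):
    """True for calls such as date.today() or datetime.now()."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in CLOCK_CALLS)


def _literal_date(node):
    """Return the constant args of date(...)/datetime(...) if every arg is an int literal."""
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id in CTOR_NAMES
            and node.args
            and all(isinstance(a, ast.Constant) and isinstance(a.value, int) for a in node.args)):
        return tuple(a.value for a in node.args)
    return None


def find_time_triggers(source):
    """Flag every comparison that pits the system clock against a hard-coded date."""
    tree = ast.parse(source)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Compare):
                continue
            operands = [node.left] + node.comparators
            if not any(_is_clock_read(o) for o in operands):
                continue
            for operand in operands:
                literal = _literal_date(operand)
                if literal is not None:
                    findings.append(Finding(node.lineno, literal, func.name))
    return findings


if __name__ == "__main__":
    for f in find_time_triggers(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.function}() compares the clock against {f.trigger_date}")
```

A hit is not proof of malice (license expiry checks look the same), which is exactly why the check belongs in a peer-review workflow rather than an automated block: it forces a second person to ask what happens on that date, and a second person is what the firm above did not have.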
"You have to consider that you're just one disgruntled employee away from going out of business," Williams said.
The CTO also recounted how many times GSM has seen data theft scams pulled off using equipment hidden in IT systems, including a number of schemes that employed cameras and microphones hidden in ubiquitous electrical power strips, such as those made by APC.
He also highlighted the fact that many government entities source IT products in their own names and have them mailed to their real addresses, making it easy for organized criminals to intercept the materials, corrupt them, and then send them along to their recipients.
Williams essentially said that today's organized criminals are getting almost impossible to stop from infiltrating companies they want to target in one manner or another.
On the flip side, the CTO said that most companies could improve their existing security standing simply by revisiting the settings of their existing network hardware and anti-malware tools. Many companies leave default settings in place, or use very predictable configurations for such equipment, making it easier for hackers to break in.
He said that the best thing a company can do to improve its security strategy is to begin attacking itself in new and unusual ways in an attempt to stay ahead of the next wave of innovative attacks.
"Before you learn how to defend a network, you have to take a walk on the wild side and see how you can break in yourself," said Williams. "However, you can improve security by up to 90 percent for almost no money; any network can be made more secure by simply mastering the guts of your infrastructure."
Posted by Matt Hines on September 10, 2007 02:32 PM