Earlier this week, I wrote about a Forrester study that found that SMBs intend to increase spending on network security. I took it as a positive sign that small and medium businesses are becoming aware of the need to protect their business against cyber attacks. As small and medium businesses assign more funds toward security, however, there will surely be some confusion about the specific areas in which they should invest.
Security experts will tell you that the best way to defend your organization is to employ a strategy of defense-in-depth. As you can imagine, it is foolhardy for an SMB to invest its entire budget -- or the additional spending -- in a single "cure all" device or piece of software. Hint: they don't exist.
As I was thinking of a way to better represent the various facets of security, I thought of the recent furor over the "Google hack," also known as Operation Aurora. In an uncharacteristic move, Google has admitted that it was the victim of a black hat hacking operation that resulted in theft of its intellectual property. Implying government-level involvement, Google called the intrusions "sophisticated" and "coordinated." Remember, this is coming from a company with more PhDs than the total number of staffers at many mid-sized companies.
Referring to Operation Aurora, the vice president of threat research for McAfee was quoted as saying:
"We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack."
So what better way to highlight a modern cyber attack than to examine the various attack phases in Operation Aurora? A better understanding of how such attacks are perpetrated -- perhaps by your competitor -- will allow us to better understand the minimum standards required to defend against them.
Selection of Malware
The first step of a cyber attack likely will involve assembling the requisite malware to be delivered to the targeted company. As explained previously, it is not really that difficult to create malware that can circumvent conventional definition-based antivirus scanners. In fact, you might be interested to know that there are online services that will help hackers test their malware packages against dozens of antivirus tools -- all running the latest definitions and with configurable heuristic settings.
The goal of an attacker is simple: to load his or her malware of choice onto PCs or laptops owned by the corporation. Modern malware is often designed to give attackers complete control of the workstation. To make matters worse, additional tools or other software can typically also be loaded on the fly by the remote attackers.
As you can imagine, a compromised computer is effectively under the complete control of the attackers.
A malware attack needs to be successfully delivered onto a target system to work. Due to increased user awareness, and the fact that most e-mail servers now block executable files anyway, the direct approach of e-mailing an infected executable is proving to be less common. However, things are far easier if the objective is to get users either to open a specially crafted document file or to visit a specific site.
Hackers are likely to be much more successful if they are able to spoof an e-mail as coming from the boss or a colleague. This is where social engineering kicks in. It is possible for a small team of skilled callers to extract details of the various departments and staffers, as well as their interrelationships. Every detail that is gained can be used to generate additional trust. Eventually, it becomes possible to spoof e-mail with a certain degree of authenticity; or at least to lower the victim's guard enough for them to click on a link or open a document.
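The two delivery cues described above -- a message dressed up to look like it comes from the boss, and a document or executable riding along as an attachment -- are exactly the things a mail gateway or an incident responder can check for mechanically. The script below is an added example written for this post, not code from the original article or from any of the companies it mentions; it triages a constructed sample message, flags Reply-To and Return-Path domains that disagree with the visible From domain, and lists attachments whose file type matches the document and executable formats the post names. The sample message, the header names it compares and the extension list are assumptions chosen for illustration, not a complete spoofing or malware-detection rule set.

```python
"""Triage a raw e-mail for two delivery cues from the post: a sender whose
reply and bounce domains disagree with the visible From domain, and an
attachment of a document or executable type. Added example, not the
article's own code; the sample message below is constructed."""
import email
from email import policy
from email.utils import parseaddr

# Attachment types the post names as delivery vehicles (documents and
# executables). Constructed list for this example, not an exhaustive one.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".doc", ".xls", ".ppt", ".pdf", ".rtf"}

# Constructed sample: display name says "The Boss", but replies and bounces
# go to an unrelated domain, and a .doc is attached.
SAMPLE = """\
From: "The Boss" <boss@example-corp.test>
Reply-To: boss@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
To: staff@example-corp.test
Subject: Q1 budget - please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document.
--b1
Content-Type: application/msword; name="budget.doc"
Content-Disposition: attachment; filename="budget.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed clean message for comparison: consistent domains, no attachment.
CLEAN = """\
From: colleague@example-corp.test
Reply-To: colleague@example-corp.test
To: staff@example-corp.test
Subject: lunch?

Cafeteria at noon?
"""


def _domain(addr_header):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header) if addr_header else "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    # Cue 1: the address that replies or bounces go to is not the From domain.
    for header in ("Reply-To", "Return-Path"):
        other = _domain(msg[header])
        if other and other != from_dom:
            findings.append(f"{header} domain {other!r} differs from From domain {from_dom!r}")
    # Cue 2: an attached document or executable, the post's delivery vehicles.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky type {ext}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("SAMPLE:", line)
    print("CLEAN findings:", triage(CLEAN))
```

A mismatch between From and Reply-To is not proof of spoofing (mailing lists and ticketing systems do it legitimately), which is why the script reports findings for a human or a scoring rule rather than blocking outright; the useful property is that each finding names the exact header or attachment that raised it.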
In my next blog, I'll highlight the final three steps involved in the execution of a cyber attack.