Traditional scanning of operating systems, ports and basic services is no longer adequate. Attackers have moved upstream in their attacks and now often exploit applications that are running on these systems. For example, for a financial institution, rather than compromising the Microsoft 2007 server, or the IIS version 6.0 Web software, they may attack the online banking software. The trick for criminals is that there are a limited number of operating systems and common services, but applications are plentiful. Many applications have not gone through serious (if any) code review or security analysis and often have common programming flaws that can be exploited. The attackers then use Google or another search engine to find other companies that use the same or similar flawed software that they can compromise.
Extensive application testing usually requires more than your standard external or internal vulnerability assessment. These should be consulting engagements in which more sophisticated software is used and limited access to systems is granted so that thorough testing can be performed.
Today’s threat landscape offers attackers a much larger selection of attack points in the form of open firewall ports for business traffic, Web or other servers behind the firewall, along with all applications running internally on the network, including PCs and servers. This gives the bad guys a wealth of attack methods to find vulnerabilities in your network. Attackers even have applications that take all the difficulty out of hacking into your network. These programs can be used to run high-speed automated attacks that were unthinkable a few years ago.
External threats are now the minority attack method. Attacks targeting internal systems are more lucrative financially and more effective than external attacks. Spam, phishing, social engineering, malware, Trojans, portable media devices, and other methods are commonly used to compromise systems while completely subverting traditional security solutions such as firewalls, intrusion detection systems, and even previous external vulnerability scans.
Bottom line: It is easy to be a hacker, and hard to stay ahead of hackers. One silver lining is that many of these attack methods rely on the system being vulnerable in some way. A lot of attacks are looking for weaknesses or misconfigurations in browser and Web applications. Malicious websites, whether used in conjunction with spam, phishing, search engine manipulation or any of several other attack types, often require a vulnerable system in order for the hackers to be successful. Identifying and remediating these vulnerabilities becomes one of the methods we can use to stay ahead of criminals.
Here, Perimeter Chief Architect Kevin Prince offers up eight steps you should take to protect your organization.