
Hacking Through Back Doors

I love this one: "They came in through the Chinese takeout menu." This is the lead sentence of The New York Times article "Hackers Lurking in Vents and Soda Machines."

Attackers could not breach a company's network directly, so they infected the online menu of a popular Chinese takeout restaurant and used that site to serve code that, once downloaded by the company's staff, gave the attackers access to the network. That's a new one for a security attack. Hackers have used thermostats, refrigerators, video conferencing systems, and even printers ("Traveling Light in a Time of Digital Thievery") to enable attacks. It could happen to your network.

The Chinese menu is an obscure security attack. So was Heartbleed until recently. Heartbleed is a flaw in OpenSSL, the widely used library that implements the SSL/TLS encryption protecting Internet traffic for a huge number of websites; it caused a major disruption because so many websites had to be modified to defeat it. Heartbleed can not only affect the security of user information, but it may also compromise network routers and switches, as well as VPNs.

Hacking Conditions Change for the Worse
You worry about these kinds of backdoors to your network. You implement security procedures and software filters at many points in your network and data center. As your network is used to access outside services, and as the Internet of Things (IoT) grows, you will find an ever-increasing number of vulnerabilities and hacking techniques for breaching networks. The recent Target payment card breach was facilitated by gaining access to Target's heating and cooling systems, which sat on the same network that connected to the card-reading devices.

As businesses choose to use outside services supported by third parties, their billing, expense, and HR management systems, data analytics services, healthcare providers, and even the innocent vending machines become vulnerable. Don't forget environmental services such as heating, cooling, and ventilation. You may even have your utility companies monitoring your energy usage so you can reduce your energy bills. All are candidates for breaching networks and database systems.

The Ponemon Study
The Ponemon Institute conducted a study to discover the facts about weak threat intelligence experienced by businesses. The study revealed the financial damage that slow, outdated, and insufficient threat intelligence is inflicting on businesses.

The study, published last year as the "Ponemon 2013 Live Threat Intelligence Impact Report," produced some interesting statistics, shown in the charts below.

[Chart 1 of 3 from the Ponemon 2013 Live Threat Intelligence Impact Report; image not recovered]

The conclusion of this first chart is that speed of intelligence delivery is paramount. You cannot afford to discover months later that an attack has occurred, such as was the case with Target, and as may yet prove to be the case with Heartbleed, which, according to Bloomberg, the NSA knew about for at least 2 years before its existence was widely reported earlier this month.

[Chart 2 of 3 from the Ponemon 2013 Live Threat Intelligence Impact Report; image not recovered]

The chart above demonstrates that attacks could not be stopped because, nearly 2/3 of the time, security intelligence was either late in delivery or outdated.

[Chart 3 of 3 from the Ponemon 2013 Live Threat Intelligence Impact Report; image not recovered]

The importance of this chart is that there are many different types of attackers, each of whom may generate many forms of attacks. They can each have different motives for the attack, so one attack-prevention technique may not work against other attackers.

Speed is Very Important
As the above data shows, a major issue with thwarting attacks or at least reducing the cost and liabilities of attacks is the speed at which security personnel and security mitigation systems are alerted to an attack. Security intelligence becomes less useful as it ages. Rapidly delivered security intelligence (hopefully in seconds, not minutes or hours) and useful, actionable reporting improves a business's ability to stop attacks or at least reduce their effects.

The Ponemon study defined seven critical attributes that a good security reporting system should have:

• Reports that are short and to-the-point, promoting rapid focused actions
• Predetermined risk priorities that define the delivery of intelligence or level of compromise
• Integrated Security Information and Event Management (SIEM) and network monitoring systems
• Reporting systems that expedite the intelligence alert/alarm when the business is attacked
• Reports that do not create disruptions to the business processes or IT operations
• Information on trends as well as events such as the speed and frequency of attacks
• A means of applying data analytics to the information collected
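To show what several of these attributes look like in working form, here is a small alert pipeline written as an added example; it is not code from the article or from the Ponemon report. It matches constructed log events against constructed threat-intelligence indicators, scores each match by indicator severity, a predetermined risk priority for the asset class, and an age penalty (so stale intelligence ranks lower, reflecting the point that intelligence loses value as it ages), and produces a short, ordered report together with an hourly trend count. The asset-class priorities, the 24-hour half-life, the log format and all indicator values (RFC 5737 addresses and a .example domain) are assumptions made for the illustration.

```python
"""Added example (not from the article or the Ponemon report): score
indicator matches by severity, asset priority and intelligence age."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str            # IP or domain reported by the intelligence feed
    published: datetime   # when the feed published it
    severity: int         # 1 (low) to 5 (critical), as given by the feed


# Predetermined risk priorities by asset class (assumption; tune per business).
ASSET_PRIORITY = {"card-reader": 3.0, "database": 3.0, "hvac": 1.5,
                  "vending": 1.0, "workstation": 1.0}


def freshness(published, now, half_life_hours=24.0):
    """Weight of an indicator given its age: halves every half_life_hours."""
    age_hours = max(0.0, (now - published).total_seconds() / 3600.0)
    return 0.5 ** (age_hours / half_life_hours)


def parse_event(line):
    """Parse the constructed log format '<iso-ts> <asset-class> <host> -> <dest>'."""
    ts, asset, host, _arrow, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "asset": asset,
            "host": host, "dest": dest}


def score_events(lines, indicators, now):
    """Alerts for events whose destination matches an indicator, highest score first."""
    by_value = {ind.value: ind for ind in indicators}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        ind = by_value.get(ev["dest"])
        if ind is None:
            continue
        score = (ind.severity * ASSET_PRIORITY.get(ev["asset"], 1.0)
                 * freshness(ind.published, now))
        alerts.append({"host": ev["host"], "asset": ev["asset"],
                       "ioc": ind.value, "score": round(score, 2)})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


def hourly_match_counts(lines, indicators):
    """Trend data: number of indicator matches per clock hour."""
    values = {ind.value for ind in indicators}
    counts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["dest"] in values:
            hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
            counts[hour] = counts.get(hour, 0) + 1
    return counts


def short_report(alerts, limit=3):
    """One line per alert, top entries only: short and to the point."""
    return [f"{a['score']:>6.2f} {a['asset']:<12} {a['host']:<12} -> {a['ioc']}"
            for a in alerts[:limit]]


# Constructed sample data: a fresh critical IP, a month-old critical IP and a
# medium-severity domain (documentation-range / .example values, not real IoCs).
NOW = datetime(2014, 4, 21, 12, 0, tzinfo=timezone.utc)
INDICATORS = [
    Indicator("203.0.113.7", NOW - timedelta(hours=2), 5),
    Indicator("198.51.100.9", NOW - timedelta(days=30), 5),
    Indicator("menu.example", NOW - timedelta(hours=12), 3),
]
LOG_LINES = [
    "2014-04-21T10:15:00+00:00 hvac hvac-ctl-1 -> 203.0.113.7",
    "2014-04-21T10:40:00+00:00 card-reader pos-17 -> 203.0.113.7",
    "2014-04-21T11:05:00+00:00 workstation ws-42 -> 198.51.100.9",
    "2014-04-21T11:30:00+00:00 workstation ws-07 -> menu.example",
    "2014-04-21T11:45:00+00:00 database db-01 -> 192.0.2.10",
]

if __name__ == "__main__":
    for line in short_report(score_events(LOG_LINES, INDICATORS, NOW)):
        print(line)
    for hour, n in sorted(hourly_match_counts(LOG_LINES, INDICATORS).items()):
        print(hour.isoformat(), n)
```

Run as written, the card reader contacting the two-hour-old indicator tops the report, the HVAC controller contacting the same address comes second, and the workstation matching the month-old indicator scores close to zero: the same critical severity, discounted because the intelligence is stale. The hourly counts are the raw material for the trend reporting the seventh attribute asks for.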

Recommendations
As you add IoT devices to your network, you are adding devices that you have little or no experience supporting. Because your business has security policies and procedures, you need to ask, "Are the IoT devices compliant with the required security policies and procedures?" If not, connect them to a cloud service over separate network access to ensure that the IoT devices do not share resources with your internal network. Also:

• Don't connect IoT devices to the same network that contains databases. It can be expensive to set up a second network for IoT, but the expense of a breach, especially one as bad as the Target breach, will cost more in money, sales, reputation, and profits.

• Don't assume that the vending machines and environmental control devices have the same security measures as the rest of your network.

• Investigate the security measures of any third party that can access your network, looking for weaknesses that should be resolved before connection is allowed.

• Look at the liabilities that third parties will accept. They may accept limited or no liability for security breaches.

• Find out how third parties will inform you of an attack on their network, how it will be described, and how quickly you will be notified.
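The first recommendation above, keeping IoT devices off the network that holds databases and giving them separate access to their cloud service, can be checked rather than assumed. The following audit is an added example, not code from the article: it reads constructed flow records of the kind a firewall or NetFlow collector exports, assigns each address to a zone, and flags every flow that the segmentation policy does not permit, such as an HVAC controller talking to a database server. The zone layout, the allow list, the flow format and the addresses (private ranges plus a documentation range standing in for the vendor's cloud) are all assumptions made for the illustration.

```python
"""Added example (not from the article): audit flow records against an
IoT segmentation policy and report the flows that violate it."""
import ipaddress

# Assumed zone layout: private ranges for the site, a documentation range
# (RFC 5737) standing in for the IoT vendor's cloud service.
ZONES = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.10.5.0/24"),
    "office": ipaddress.ip_network("10.10.1.0/24"),
    "iot-cloud": ipaddress.ip_network("203.0.113.0/24"),
}

# Allowed (source zone, destination zone) pairs. Same-zone traffic is allowed;
# everything else, including anything involving an unknown address, is flagged.
ALLOWED = {
    ("iot", "iot-cloud"),
    ("office", "database"),
    ("office", "iot-cloud"),
}


def zone_of(addr):
    """Name of the zone containing addr, or 'unknown' if no zone matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def is_allowed(src, dst):
    """Policy decision for one source/destination pair (default deny)."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return False
    return s == d or (s, d) in ALLOWED


def parse_flow(line):
    """Parse the constructed format '<src>:<sport> -> <dst>:<dport> <proto> <bytes>'."""
    src, _arrow, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def audit(lines):
    """Return the flows that violate the policy, tagged with both zones."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if not is_allowed(f["src"], f["dst"]):
            f["src_zone"], f["dst_zone"] = zone_of(f["src"]), zone_of(f["dst"])
            violations.append(f)
    return violations


# Constructed flow records, as a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = [
    "10.20.0.15:51000 -> 203.0.113.10:443 tcp 8120",   # HVAC to vendor cloud: ok
    "10.20.0.15:51001 -> 10.10.5.20:1433 tcp 512",     # HVAC to database: violation
    "10.10.1.40:52000 -> 10.10.5.20:1433 tcp 2048",    # office app to database: ok
    "10.10.5.20:40000 -> 10.20.0.15:80 tcp 300",       # database host to IoT: violation
    "192.168.99.9:1234 -> 10.10.5.20:22 tcp 100",      # unknown source to database: violation
    "10.20.0.15:51002 -> 10.20.0.16:80 tcp 64",        # IoT to IoT: same zone, ok
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {v['src_zone']}->{v['dst_zone']}: "
              f"{v['src']}:{v['sport']} -> {v['dst']}:{v['dport']} {v['proto']}")
```

The policy is expressed as an allow list so that a new device class or an address outside every known zone is a violation until someone explicitly permits it, which is the posture the recommendations argue for. Running the same audit over the flows a candidate third-party connection would generate is one concrete way to "investigate the security measures" before the connection is allowed.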

Conclusions
The techniques of hackers and attackers are becoming quite imaginative, so those who protect network assets and databases must become even more imaginative to thwart the attacks. Attacks will come again and again. There will not be any ultimate cure for security threats. Security personnel must continually update their risk profiles and improve their response efforts.

As more breaches occur, you can expect that there will be more government regulations with associated penalties coming. Security problems and their mitigation will continue to be a growth industry.