Tuesday, November 28, 2017

You Don't Have to Outrun the (Fancy) Bear

   Two hikers are walking through the woods.  They come around a bend in the trail into a clearing where they can take a break, when suddenly a bear steps out of the woods and roars.  One hiker quickly bends down to tighten his boot laces.  The other hiker says, "What are you doing? You can't outrun a bear!"  The first hiker says, "I don't have to outrun the bear, I only have to outrun you!"

   One of the biggest changes in information security over the past two decades has been with the attackers.  Rather than the old stereotype of a hoodie-wearing loner in a basement with Mountain Dew, Twinkies and old computers, today's attacker is typically trained, smart and well-funded.  Instead of defacing websites for fun and notoriety, attacks today are a business.

   It's a simple risk/reward equation.  There is a cost to any attack.  Email-based attacks are very inexpensive to launch.  Developing sophisticated malware is expensive.  And the more expensive an attack is to pull off, the higher the potential gains need to be to make a profit.

   Information security is very complex.  It's as much an art as it is a science.  There are basic things that everyone should do, like patching systems and using strong, long passwords.  And then there are complex solutions to complex problems that need to be artfully implemented to complement the way people do their work.

   There are so many high profile breaches in the news.  Some of these are the result of highly skilled and motivated attackers going after a specific target.  But many more are "crimes of opportunity".

   As I see it, there are basically three kinds of online attacks:
  1. Random attacks - these are the most cost effective to pull off.  Attackers scan the internet for unpatched systems and old vulnerabilities, or send out mass emails either asking for user IDs and passwords, or carrying malicious links or attachments.  There's minimal cost to pull off these attacks.  The potential prizes: login credentials to all kinds of companies and individuals, personally-identifiable information, credit card and financial data, and other information they can sell or use for profit.
  2. Simple targeted attacks - these might use some of the same basic attack methods as the random attacks, but are directed toward specific target organizations or customers of those organizations, for example Equifax customers after the Equifax breach.  The attackers use freely available information, or information gathered through reconnaissance, to focus their efforts.  There is more work up front, but the success rate may be greater than for random attacks.
  3. Complex/Expert targeted attacks - these pair a skilled attacker and a high-value target.  The skilled attacker may still use a basic attack method initially but will escalate to more advanced methods if needed.  In these cases, the attacker typically has a specific objective in mind and expects that the value of that objective will offset the higher cost and time involved in the attack.
   Of course, I've conveniently not talked about hacktivism or state-sponsored attacks.  I'll over-simplify and say that these are basically simple or complex targeted attacks with the notable exception that the goal is not to make money but to disrupt operations or otherwise embarrass the target.

   How can we protect ourselves and our organizations from these kinds of attacks?  I've written about this many times in the past, with tips for organizations and tips for individuals.  It boils down to the same basics:
  1. Patch your stuff - try to install only the apps you actually need and use, both on your computers and mobile devices... and keep them up to date!  At home, always choose automatic updates.
  2. Use good password hygiene - that means long random passwords, unique for each site, and all organized in a password vault. I've written about this topic so many times I've lost count!
  3. Use care with emails, links and attachments.
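   To put a number on "long random passwords", here is an added example (not code from the original post) that computes the entropy of a uniformly random password for a few policies and generates one with the operating system's cryptographic random source.  The 10 billion guesses per second offline cracking rate is an assumed figure used only for comparison, not a claim about any particular attacker.

```python
import math
import secrets
import string

# Character set for generated passwords: upper, lower, digits, punctuation (94 symbols).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet_size)."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a password with the OS CSPRNG (secrets), never with random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_guess_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password at an assumed offline guessing rate.

    On average an attacker tries half the keyspace before succeeding.
    """
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_policies() -> dict:
    """Entropy of a few common policies: length beats 'complexity' rules."""
    return {
        "8 chars, lowercase only": entropy_bits(8, 26),
        "8 chars, full printable": entropy_bits(8, 94),
        "16 chars, full printable": entropy_bits(16, 94),
        "24 chars, full printable": entropy_bits(24, 94),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        years = expected_guess_time_years(bits)
        print(f"{policy:26s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    # A password vault can store and fill something like this for every site.
    print("example:", generate_password(16))
```

   The numbers only hold when the password is truly random; a human-chosen "complex" password is guessed by pattern, not by brute force, which is why a vault that generates and stores a unique random password per site is the practical answer.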
   What additional tips do you have?

   What's your favorite bad joke that can be re-purposed to make an information security point?!?
