In the previous post I wrote about the interesting questions raised due to the hacking of IT security firm HBGary. What should we learn from this incident?

So, going back to HBGary – why were they apparently so easy to hack?

It is not because they have no clue about security, but rather because they underestimated the risks. When:

  • you are a IT security company
  • your customers are governmental institutions or huge enterprises that are very sensitive to bad press
  • you start a war with hackers

… you need to drastically raise your security level.

Ok, but how high?

If they would have not been vulnerable to that SQL injection, and used only highly secure passwords and had their systems fully patched, would that have been enough? The answer is yes for most companies, but probably not for HBGary.

Why is that? Because (judging by their actions) the Anonymous seemed to have had both the desire and the resources to raise the bar to a much higher level too. Probably it would have been harder for them, but when they were able to combine social engineering with SQL injection, with password cracking and exploits of missing security updates, I don’t see any reason why they would not have been capable of subtle social engineering or detection and usage of 0-day exploits.

A lot of companies would not be able to successfully defend against such an attack, but the truth is that the risk of facing such aggressive actions is minimal for the large majority of companies.

HBGary got in trouble because they started a war with an enemy that proved to be much stronger than they thought. But what are the chances for an average company to be targeted?  A common mistake that leads to the underestimation of risks is to think that you are too small or too unimportant to get attention and become a target. Again, the key is the balance between security enforcement and the potential damage a security breach will cause.

Of course, companies like Amazon or Apple have much more valuable data than a small local shop. But they also have more powerful security systems. Breaking them is extremely difficult, requires a lot of resources and the risk of being caught is high. If the security of the local shop is almost nonexistent, then it is probably a more attractive target than these big companies are. This is because hackers will get decent earnings with low efforts and low risks. If the local shop raises their security a bit higher, it will probably reach the point where hackers decide it is not profitable for them to waste time and resources to attack it.

What are the critical points to consider when building your defense?

You are as secure are your weakest point, so it is crucial to concentrate on all aspects of security:

  • Restrict physical access
  • Build the security software infrastructure
  • Create and enforce security policies
  • Train your people on how to apply these policies and how to avoid being tricked through social engineering.

People are an important part of the equation and probably the most difficult to deal with. Even if your security policies are ok, and they are correctly applied by all employees, it is virtually impossible to know and control what happens when your employees are at home. Nobody can stop them from publishing data on social networks which could compromise your security; nobody stops people from reusing the super secure passwords they use at work on a dubious site that can be very easy to hack.

To maximize correct usage and acceptance of security policies people need to clearly understand why the policies are necessary and policies need to be designed to interfere minimally with the normal working flow. Keeping the balance between security and usability is very important. Unnatural, hard to apply security policies are among the worst things that can happen to a company from a security point of view. This is because they are giving a false sense of security, while in reality people will find ways to bypass them.

Companies want their employees to use secure passwords, but very few of them are teaching people techniques to generate secure passwords that are easy to remember. So they may end up having an environment vulnerable to social engineering simply because administrators are used to and will not react when they are asked for dubious password resets.

Other risks that are hard to foresee and control are the vulnerabilities from the applications used in the business environment. The most secure approach around this is to isolate the computers from the rest of the world by restricting online access; however, this is not always possible. To mitigate the risks you need to be selective on what applications are allowed in the business environment and make sure they are fully patched.