The recent “Red October” wave of concerted cyber assaults demonstrates that social engineering is by far the most potent tool in the hacker’s arsenal. These attacks occur nearly every day and are often successful, regardless of technical controls and countermeasures deployed within corporate networks. Peter Bassill, managing director at Hedgehog Security speaks about the attacks and the ways in which businesses can protect their assets.
The Red October malware infected its victims via a targeted spear-phishing email. Thanks to gullible employees downloading the customised Trojan dropper or bringing it into the organisation on infected USBs, the attackers managed to infiltrate organisations across the world.
The illegally harvested data was compiled with the purpose of being re-used for a variety of attacks. Thus, when they needed to figure out a password for another document for instance, this could be easily achieved based on the already harvested information. In addition, 60 domain names and several server hosting locations based in Germany and Russia were created in order to control the infected PCs.
As discovered by the Kaspersky researchers, the malicious code was delivered via e-mail in the form of Microsoft Excel, Word or PDF documents. The attachments contained the exploit code for known security vulnerabilities in these applications. In addition to the Office files, the hackers also used Java exploitation, which maximised the impact of the assault.
From businesses’ point of view however, it is extremely worrying that Red October systems are capable of stealing data from smartphones, enterprise network equipment and removable disk drives, on top of traditional attack targets, such as desktop computers and laptops.
The setup process, which is hidden to the unwitting user, starts communications with the attackers command and control servers, further exploiting a second common area of security neglect: egress controls from the network to the internet. Egress network controls allow the perpetrators to copy information from the infected device without anyone being aware information is being stolen.
This cleverly programmed malware would have not achieved the level of success it has, had it not been for the human factor. Having targeted organisations across the world, from embassies, to nuclear research centres and oil and gas institutes, Red October was successful thanks to the social engineering component in spear-phishing.
In dealing with the 2013 sequel to Red October, business needs to adopt a more comprehensive approach. The fundamental change is recognising that our IT systems only make up ten per cent of data security. The first ninety per cent is our own behaviour and the physical security of our buildings.
IT security can’t really deal with this kind of socially engineered danger. However, a planned, socially led, security programme can help combat the problems an attack could create. Educating staff members needn’t be a complicated and costly affair. Internal procedures and better awareness of cybercrime in general can massively decrease the risks of your company falling victim to spear phishing.
The initial step should be an evaluation of current systems and processes, after which a plan of action for countering IT security risks could be produced. Penetration testing is one of the key ways in which a company can stay safe and protect their data.
Business owners should look for comprehensive penetration testing services that are fully integrated into ISO27001 and ISO9001 security and quality management systems. This provides an extra layer of confidence when it comes to the quality and confidentiality of the process.
Although penetration testing is the most common method of managing data security risks, it isn’t the only way. Large businesses will often appoint a Chief Information Security Officer (CISO) who will provide the knowledge and experience needed to manage the threat in an organised and effective manner.
The catch is that the typical price tag that comes with this kind of appointment is in excess of £120,000 per year. However, more affordable Virtual CISO, or vCISO, programmes, managed by senior level people experienced in the CISO role are also available. If your organisation is large enough to require a security leadership role, but not quite ready to dedicate an internal resource to the task, these tailored CISO programmes can help achieve your objective by working as a member of your senior management team leading security programs and initiatives.
Fully managing the vulnerabilities such as egress controls around communication systems will significantly reduce exposure to cyber threats. However, keeping your data secure calls for more than IT, it requires individuals to reach a certain level of vigilance and act as key holders to the company assets and information.
Hedgehog Security is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
For further information contact: Peter Bassill, managing director at Hedgehog Security
Address: Sutherland Institute, Lightwood Road, Stoke-on-Trent, ST3 4HY
Telephone: 01782 467900
About Hedgehog Security: With over 100 years’ worth of accumulated information security consulting, gained across a variety of sectors, Hedgehog Security helps businesses to secure people, processes and technology in a continually evolving digital world. The company offers creative information security consulting solutions across the security sphere that can be applied to any business, enabling you to save vital capital, increase your profits and avoid unnecessary regulatory, compliance and legal issues. The company specialises in penetration testing, virtual Chief Information Security Officer (CISO) and My Information Security Officer (MISO).