A maxim in security is that if they want you, they will get you. The only question is: do they want you?
Well, at Christmas the answer is probably yes. Christmas is the busiest sales time of the year, with more and more businesses selling online. For the first time, UK consumers are expected to spend £10bn online this Yuletide.
Since criminals follow the money, they too will concentrate online this Christmas. With consumers going online in their droves, there are rich pickings for hackers as buyers submit invaluable personal details.
In short, unless online businesses protect themselves, they are in danger of being hacked this Christmas.
Ironically, part of the reason for vulnerable websites – indirectly – is the use of IT security products. Businesses buy anti-virus software and firewalls to guard their perimeters; and intrusion detection and log management software to patrol their internal networks. These products make them feel secure.
The difficulty is not in having these defences, but in relying upon them, because they simply cannot prevent all hacks. Anti-virus software cannot stop all viruses, and never will. Firewalls must let traffic through to the internet, or we would have no internet.
Log management needs to be interpreted and is generally historical; and malware has become expert at going undetected by intrusion detection. The result is that companies get hacked – as we read every day in the news.
By using these defences companies develop a false sense of security. Because they believe that this armoury will protect their websites, the owners do nothing else to defend themselves. And because they do nothing else, they are eminently hackable.
The question is, if security products alone cannot provide security, what can? One approach could be to borrow physical crime prevention principles and apply them to the cyber world.
There is a concept known as crime prevention through environmental design (CPTED), where if you design an environment specifically to make crime difficult, the burglar will simply move on to a more convenient target.
CPTED design principles include main doors that are strongly locked and well-lit (handled by traditional security products), but also the dark corners and obscure entrances (not handled by traditional security) – where burglars can lurk and break in without being seen. In the cyber world, these dark corners are where the hackers often get in.
The principle is good; but the problem is that the cyber world was never designed with CPTED in mind. Your IT guy is probably unaware of the existence or location of those hidden vulnerable entrances – so while the main door is watched and guarded, the hacker simply breaks in through one of the unguarded, unwatched and unknown hidden windows.
The secret to security, both at this festive Christmas season and indeed at any time of the year, is to find those unknown weaknesses and shut them off before they are found by cybercriminals and exploited. This shouts ‘security audit’; but the traditional security audit tends to be a paper-based tick-box exercise that checks off the known problems.
What is needed to find these hidden entrance points is a different type of security audit – one that actively probes for weaknesses, such as the most common XSS (cross-site scripting) and SQL injection vulnerabilities. To find them, businesses need to think like a hacker and probe their own website in exactly the same way that hackers probe websites.
Frankly, this inevitably means calling in outsiders. In-house security experts are steeped in the theory of defence, not attack. But there is a category of security expert known as penetration testers, or ethical hackers.
Very often they are the same security experts who find and report software vulnerabilities. And they are the people most likely to be able to find those hidden and obscure weaknesses in company networks, because they think, act and operate like a hacker – but without doing any damage.
The growth of ethical hacking is such that it can now even be done remotely and automatically, and need not be as expensive as it sounds.
Using a “good” hacker to defend your business from a “bad” hacker is certainly one way of beating them at their own game. And if you don’t find those vulnerabilities before the hackers do, you’re quite likely to be left the kind of Christmas present you really do not want.
Igor Khromov of High-Tech Bridge.