After Two Security Assessments I Must Be Secure, Right?
Imagine you are the CIO of a national financial institution and you've recently deployed a state-of-the-art online transaction service for your customers. To make sure your company's network perimeter is secure, you executed two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved and confident in your security measures. Shortly thereafter, your relief turned to concern. "Is it really possible that we are completely secure?" Given your skepticism, you decide to get one more opinion.
The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information...
The Results Were Less Than Pleasing
During this penetration test, there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems, particularly if you are in the business of money.
Most people are familiar with the term "Phishing". Dictionary.com defines the word Phishing as "the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords". Although SPAM / unsolicited e-mail and direct web server compromise are the most common methods of Phishing, there are other ways to accomplish this fraudulent activity.
Internet Router Compromise Makes For A Bad Day
In this case, the Internet router was compromised by using a well-known Cisco vulnerability. Once this was accomplished, the sky was the limit as far as what could be done to impact the organization. Even though the company's web server was secure, and the firewall that was protecting the web server was configured adequately, what took place next made these defense systems irrelevant.
Instead of setting up a duplicate login site on an external system and then sending out SPAM to entice a customer to give up their user ID, password, and account numbers, a much more nefarious approach was taken.
Phishing For Personal Or Financial Information
You remember that router that was compromised? For proof-of-concept purposes, the router configuration was altered to forward all Internet traffic bound for the legitimate web server to another web server where user ID, password, and account information could be collected. The first time this information was entered, the customer would receive an ambiguous error. The second time the page loaded, the fake web server redirected the customer to the real site. When the user re-entered the requested information, everything worked just fine.
No one, not the customer nor the company, had any idea that something nefarious was going on. No bells or whistles went off, and no one questioned the error. Why would they? They could have put the wrong password in, or it was likely a typical error on a web page that everyone deals with from time to time.
At this point, you can let your imagination take over. The attacker may not move forward and use the information collected right away. It could be days or weeks before it is used. Any trace of what actually took place to collect the information would most likely be history.
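The silent redirect described above lives in the router's forwarding configuration, so one defensive control is to diff the running config against a reviewed baseline and alert on any change to routing, NAT, access-list or policy-routing statements. The following is an added example, not code from the original article or from the author's engagement; the keyword watch-list and both sample configs (RFC 5737 documentation addresses) are constructed for illustration, and the parser is a simplified reading of IOS-style indentation, not a full config grammar.

```python
# Top-level IOS statements that decide where packets go. Constructed watch-list
# for this example, not an exhaustive catalogue of IOS forwarding commands.
FORWARDING_KEYWORDS = ("ip route", "ip nat", "route-map", "access-list",
                       "ip policy", "set ip next-hop", "ip default-gateway")

def parse_config(text: str) -> set[str]:
    """Flatten an IOS-style config into 'parent | child' entries so indented
    sub-commands (e.g. 'ip policy ...' under an interface) keep their context."""
    entries, parent = set(), ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blanks and '!' separators
        if raw.startswith(" ") and parent:
            entries.add(f"{parent} | {raw.strip()}")
        else:
            parent = raw.strip()
            entries.add(parent)
    return entries

def is_forwarding(entry: str) -> bool:
    return any(key in entry for key in FORWARDING_KEYWORDS)

def forwarding_drift(baseline: str, current: str) -> dict[str, list[str]]:
    """Return forwarding-relevant entries added to or removed from the baseline."""
    base, cur = parse_config(baseline), parse_config(current)
    return {"added": sorted(e for e in cur - base if is_forwarding(e)),
            "removed": sorted(e for e in base - cur if is_forwarding(e))}

# Constructed reviewed baseline for an edge router (documentation addresses).
BASELINE = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.0.0.5 203.0.113.10
ip route 0.0.0.0 0.0.0.0 203.0.113.254
"""
# Same router after an unreviewed change: a policy route now sends web
# traffic for the public server address to a different next hop.
TAMPERED = BASELINE + """\
access-list 150 permit tcp any host 203.0.113.10 eq www
route-map DIVERT permit 10
 match ip address 150
 set ip next-hop 198.51.100.7
interface GigabitEthernet0/0
 ip policy route-map DIVERT
"""
```

Run `forwarding_drift(BASELINE, TAMPERED)` on a schedule against a config pulled from the device and page on any non-empty result; the baseline should only change through a reviewed change process.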
What Do You Really Get Out Of Security Assessments
I can't tell you how many times I've been presented with security assessment reports that are pretty much the raw output of an off-the-shelf or open source automated security analyzer. Although an attacker may use the same or similar tools during an attack, they do not rely solely on this information to reach their goal. An effective penetration test or security assessment must be performed by someone who understands more than "security vulnerabilities" and how to run off-the-shelf tools. The person executing the assessment must be armed with tools and experience that meet or exceed those a potential attacker would have.
Conclusion
Whether you are a small, medium, or large company, you must be very careful about who you decide is most qualified to perform a review of your company's security defense systems, or security profile. Just because an organization presents you with credentials, such as consultants with their CISSP..., it does not mean these people have any real-world experience. All the certifications in the world cannot assure you that the results you receive from a security assessment are thorough / complete. Getting a second opinion is appropriate given what may be at stake. If you were not feeling well, and knew that something was wrong with you, would you settle for just one doctor's opinion?
Quite frankly, I've never met a hacker (I know I will get slammed for using this term; I always do) that has a certification stating that they know what they are doing. They know what they are doing because they've done it, over and over again, and have a complete understanding of network systems and software. On top of that, the one thing they have that no class or certification can teach you is imagination.
About The Author
Darren Miller is an Information Security Consultant with over sixteen years' experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. If you would like to contact Darren, you can e-mail him at Darren.Miller@ParaLogic.Net or try team@defendingthenet.com. If you would like to know more about computer security, please visit us at http://www.defendingthenet.com.