Assume that you’ve been hacked…

That’s the title of this recent Forbes.com article. Many, especially in management, would ask “where is the hard evidence that our company has been hacked? Why should I implement all this security if I’m not being hacked?” The problem with today’s security landscape is that such hard evidence is difficult to produce before actual security systems are in place. Previously malware was mainly written for the fame, recognition and sense of accomplishment it gave its author. Serving those goals, the malware itself was easy to detect, or left obvious traces on compromised systems; after all, what’s the use of writing malware for recognition if nobody is going to see it? That changed in the past few years: malware is now written specifically to gather financial, personal and sensitive data, which of course increases the authors’ profit margins. Since the malware’s profitability now depends on staying hidden, we see malware that introduces counter-measures against security systems, randomises ports, obfuscates traffic and so on.

So most incidents go unreported, especially targeted malware attacks, hence the lack of hard evidence.

That being said, I doubt any big enterprise or any company handling sensitive data is naive enough to think it is not being attacked. I would assume the above mentality is more prevalent in SMBs, and maybe in overtaxed government departments. However, any malware attack could be costly for these organizations too.

Considering most SMBs have a tight budget, or see a very low ROI if they invest in a strong security system, I would recommend a continuous security system upgrade/monitoring approach. Granted, every company should be doing this, but in particular for those SMBs which need a “seeing is believing” approach I would ask them to seriously consider starting very small and very low budget (read: almost free, Linux and open source) and upscaling to larger, more expensive systems (read: proprietary, but effective).

Security researchers always point out that the proliferation of malware has been aided by the fact that while the malware becomes more and more sophisticated, the technical knowledge needed to deploy and operate it is becoming less and less… Very true… but the same can be said of open source systems based on Linux. Various very effective free tools enable an SMB to deploy these systems on hardware they already have lying around. If they monitor these systems and notice that they are under attack, and are in need of more protection, they can research and upgrade to other (maybe proprietary) systems. Some of my favourites in the free department would be:

Firewalls: smoothwall, untangle, endian, pfsense

Intrusion Detection System and security monitoring: Snort, OSSIM

Intrusion Prevention: snort_inline, HLBR

Proxy/caching: squid

There are loads of others; these are just the ones I’ve deployed successfully and had good experience with. For any SMB considering using these I would advise a minimum of a firewall and an IDS. Monitoring these systems’ logs will give you a good indication of whether to upgrade or approach a vendor. Most of the free and open source systems out there can be set up to run in less than a day, and they have sane default settings.
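To show what “monitoring these systems’ logs” can look like in practice, here is an added example (not from the original post, and not part of Snort itself) that parses Snort’s `alert_fast` output, counts alerts by priority, signature and source address, and applies a simple rule of thumb for when the numbers justify a closer look or a vendor conversation. The log lines, signature IDs, names and addresses are constructed for the example; the escalation threshold is my own assumption, not a Snort setting.

```python
"""Summarise Snort alert_fast lines to judge whether a free IDS deployment
is already seeing enough hostile traffic to justify further investment.

Added example, not from the original post or the Snort project.  The
sample lines below are constructed in Snort's fast-alert layout; the
signature IDs (2000001..2000003), messages and addresses are made up.
"""
import re
from collections import Counter

# Snort fast-alert line layout (timestamp without year):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: p] {PROTO} src[:sport] -> dst[:dport]
# Classification and the ports are optional (e.g. ICMP alerts have no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: two priority-1 web-scanner hits from one host,
# an SSH brute-force alert and an ICMP sweep from another, plus one junk line.
SAMPLE_LOG = """\
01/25-14:02:11.123456  [**] [1:2000001:1] EXAMPLE Web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44321 -> 192.0.2.10:80
01/25-14:02:12.223456  [**] [1:2000001:1] EXAMPLE Web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44322 -> 192.0.2.10:80
01/25-14:05:40.000001  [**] [1:2000002:2] EXAMPLE SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 198.51.100.9:55000 -> 192.0.2.22:22
01/25-14:06:01.000002  [**] [1:2000003:1] EXAMPLE ICMP sweep [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.22
this line is not a snort alert and must be skipped
"""


def parse_alerts(text):
    """Return one dict per well-formed alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def summarise(alerts):
    """Aggregate counts that a small team can review in a minute a day."""
    return {
        "total": len(alerts),
        "by_priority": dict(Counter(a["prio"] for a in alerts)),
        "by_signature": Counter(a["msg"] for a in alerts).most_common(),
        "by_source": Counter(a["src"] for a in alerts).most_common(),
    }


def worth_escalating(summary, high_priority_threshold=1):
    """Assumed rule of thumb (not a Snort feature): more than
    `high_priority_threshold` priority-1 alerts in the reviewed window means
    the logs show real attack traffic and deserve a closer look."""
    return summary["by_priority"].get(1, 0) > high_priority_threshold


if __name__ == "__main__":
    report = summarise(parse_alerts(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("escalate:", worth_escalating(report))
```

Feed it `alert_fast` output from the previous day (for example via `parse_alerts(open(path).read())`) and keep the daily summaries; the trend over weeks is the “hard evidence” management asks for.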

I don’t particularly think that having a proprietary system automatically makes it more effective; actually, I doubt that. But I do think that SMBs will not have the budget or the will to maintain such systems with only community support. The main advantage I see with a proprietary system is that generally these systems are easier to administer and more non-geek friendly, making them appealing to SMBs without a dedicated security team. You also usually have at least basic support from the vendor (though the level of support varies widely) and you can be relatively sure of regular updates, new features and so on.

So to those that say “I need to see evidence of attacks and malware before I’ll invest in this”, I say implement an open source solution at almost no cost. With enough care this will be enough in itself, or if you’re struggling, then invest the bucks in a security system from an appropriate vendor.

This raises another discussion. “Even if we implement these open source systems, how can we detect attacks when even bigger companies with complex security systems get caught with their pants down?” This is where the work comes in. Regular checks, keeping on top of your security logs… all can seem daunting, but they are unfortunately necessary. I also think that honeypot systems and “red herring data” are very much underrated. I would ask any company to keep one well guarded and monitored system open to attack, firstly to confirm that attacks occur and secondly to see why and how they are occurring… that would be your honeypot.

“Red herring data” is another way to go. It’s a reactive method rather than a preventive one, but better to know you’ve been hacked than be oblivious to it. Create data which isn’t really of any value, such as fake emails, fake account numbers, fake documents / files, etc. Don’t share this bogus data with anyone; just leave it on a secure, production server. Then deploy countermeasures: write rules and signatures to scan for this particular bogus data, monitor your “fake” email accounts for activity, monitor the MD5 checksums of the bogus files, set up a fake telephone number.

Since this data is not supposed to have been seen or used by anyone, any rule triggered by it, or any activity on the fake email accounts, should start ringing alarm bells. Scanning your network traffic for these bogus data files is made easier by including data that will almost certainly not appear in normal traffic, and if anyone starts using your fake email accounts or starts billing your unused telephone line… you know you’ve been successfully attacked and mitigation measures should be triggered.
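The red herring workflow described in the last two paragraphs, as an added example that is not code from the original post: generate bait values unique enough never to appear in legitimate traffic, plant them in a few files and record a checksum baseline, then (a) compare the files against the baseline to catch tampering and (b) scan exported log or traffic lines for any sighting of a token. It uses SHA-256 for the file checksums where the post mentions MD5; either works for change detection, but SHA-256 avoids the collision weaknesses of MD5. The bait formats, the `example.com` domain, the 555-01xx phone range and the log lines in `demo()` are constructed for the example.

```python
"""Honeytoken ('red herring data') generation, planting and monitoring.

Added example, not code from the original post.  Assumes bait files are
written to a directory the monitor can read and that proxy/mail/IDS logs
are available as lines of text.  All token formats are constructed.
"""
import hashlib
import re
import secrets
import tempfile
from pathlib import Path


def make_tokens():
    """Return bait values whose random suffix makes collisions with real
    data practically impossible, so any sighting outside the bait files is
    a strong signal.  Domain and phone range are reserved for fiction."""
    return {
        "account_number": "ACCT-" + secrets.token_hex(6).upper(),
        "email": "ledger-backup-" + secrets.token_hex(4) + "@example.com",
        "phone": "+1-555-01" + str(secrets.randbelow(100)).zfill(2),
        "project_codename": "Project " + secrets.token_hex(3).upper(),
    }


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def plant_bait(directory, tokens):
    """Write bait documents into `directory`; return {path: sha256} baseline."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    files = {
        "customer_accounts.csv": "name,account\nJ. Doe,%s\n" % tokens["account_number"],
        "contacts.txt": "Finance archive mailbox: %s\nEscalation line: %s\n"
                        % (tokens["email"], tokens["phone"]),
        "roadmap.txt": "Confidential: %s launches in Q3.\n" % tokens["project_codename"],
    }
    baseline = {}
    for name, body in files.items():
        p = directory / name
        p.write_text(body)
        baseline[str(p)] = sha256_file(p)
    return baseline


def check_bait(baseline):
    """Return bait paths that changed or disappeared since the baseline."""
    return [path for path, digest in baseline.items()
            if not Path(path).exists() or sha256_file(path) != digest]


def build_scanner(tokens):
    """One regex matching any token; case-insensitive because leaked data is
    often re-encoded or upper-cased on the way out."""
    alternatives = "|".join("(?P<%s>%s)" % (name, re.escape(value))
                            for name, value in tokens.items())
    return re.compile(alternatives, re.IGNORECASE)


def scan_lines(lines, scanner):
    """Return (line_number, token_name, line) for each sighting."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = scanner.search(line)
        if m:
            hits.append((n, m.lastgroup, line.rstrip()))
    return hits


def demo():
    """Plant bait in a temp dir, replay constructed log lines, then simulate
    tampering, to exercise both detection paths."""
    tokens = make_tokens()
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_bait(tmp, tokens)
        clean_before = check_bait(baseline) == []
        # Constructed proxy/mail log lines; lines 2 and 3 leak a token.
        log = [
            "10.0.0.5 GET http://intranet.example/index.html 200",
            "10.0.0.9 POST http://paste.example/upload body=%s" % tokens["account_number"],
            "mail: RCPT TO:<%s> from 203.0.113.7" % tokens["email"].upper(),
            "10.0.0.5 GET http://intranet.example/logo.png 200",
        ]
        hits = scan_lines(log, build_scanner(tokens))
        tampered = next(iter(baseline))          # simulate an edit to one bait file
        Path(tampered).write_text("modified\n")
        changed = check_bait(baseline)
    return {"clean_before": clean_before,
            "hits": [(n, name) for n, name, _ in hits],
            "tamper_detected": changed == [tampered]}


if __name__ == "__main__":
    print(demo())
```

Keep the token list and the baseline somewhere the bait server cannot reach, and run `check_bait` and `scan_lines` from the monitoring host; the value of a honeytoken evaporates if the attacker can read the list of what is being watched.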