Hackers at the Gate


Numerous major incidents of illegal access to commercial, government and military systems have been documented in the last 10 years.

Add to this the undocumented and undiscovered intrusions, and the documented cases are only the tip of the iceberg.

In that time, on the order of a billion identities have been stolen.

My question is: how do hackers gain access to supposedly secure systems and steal information?

Here is a list of conditions that enabled hackers to gain access:

Poor or no password enforcement.

The password for AshleyMadison.com’s VPN was Pass12346.

Using predictable passwords.

The most frequent password in a multimillion-user breach was 123456, followed by 12345.

Weak or no protection of critical data.

No or weak encryption of personal information and access credentials. Friend Finder Networks, for example, stored passwords in clear text or as unsalted SHA-1 hashes; Ashley Madison hashed passwords with bcrypt but also kept an MD5-based login token that allowed a large share of them to be recovered.

Card data passing through point-of-sale terminals running the Oracle MICROS POS system, breached in 2016 by a Russian-speaking criminal group, was likely held in clear text.
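The two points above (predictable passwords and weak hashing) compound each other. The following is an added example, not code from the original article: a constructed user table stored the weak way (unsalted MD5) is cracked with a handful of hash computations, while the same passwords stored with a per-user salt and a deliberately slow key derivation function (PBKDF2 from the Python standard library; bcrypt, scrypt or Argon2 are equally suitable) no longer share a single precomputed lookup. The user names, passwords and wordlist are constructed for illustration.

```python
"""Why fast, unsalted hashes do not protect predictable passwords.

Added example, not code from the original article. The user list,
passwords and wordlist below are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample: the two most common breach passwords cited above plus
# one strong one, all stored the weak way (unsalted MD5 hex digests).
WEAK_STORE = {
    "alice": hashlib.md5(b"123456").hexdigest(),
    "bob": hashlib.md5(b"12345").hexdigest(),
    "carol": hashlib.md5(b"fR7!kq2#Lm9vZp").hexdigest(),
}

# A tiny wordlist standing in for the multi-million-entry lists attackers use.
WORDLIST = ["password", "123456", "12345", "qwerty", "letmein"]


def crack_unsalted(store):
    """One hash per wordlist entry cracks every user sharing that password."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}
    return {user: lookup[h] for user, h in store.items() if h in lookup}


# The stronger way: a random per-user salt plus a slow, tunable KDF.
ITERATIONS = 200_000  # cost parameter; raise it as hardware gets faster


def hash_password(password, salt=b""):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salting_defeats_shared_lookup(password):
    """Two users with the same password get different records, so one
    precomputed table cannot match both; the attacker must re-run the slow
    KDF once per user per guess. Returns True when that holds."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    print("cracked from unsalted MD5:", crack_unsalted(WEAK_STORE))
    print("salted PBKDF2 defeats shared lookup:",
          salting_defeats_shared_lookup("123456"))
```

Note what the salt does and does not do: carol's strong password would survive even the weak scheme because it is not in any wordlist, while alice's 123456 still falls to a per-user guess under PBKDF2; the slow KDF only makes each guess expensive. Password quality enforcement and slow salted hashing are both needed.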

Poor management of credentials

Forged session cookies used to access account profiles without a password (Yahoo).

No lockout, throttling or forced password change after repeated failures. Well-funded attackers who know the list of account names but not the passwords try one or two common guesses per account, such as admin123456 and admin12345. Each attempt fails without triggering a lockout, and the attacker returns after the lockout window has expired and tries the next guess.
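The pattern just described (one or two guesses per account, spread across many accounts and over time) is known as password spraying, and a per-account lockout counter alone never fires on it. Below is an added example, not code from the original article, of login throttling that locks an account after repeated failures and separately flags a source address that fails against many different accounts. The thresholds, account names, addresses and timestamps are constructed for illustration.

```python
"""Per-account lockout plus per-source password-spraying detection.

Added example, not code from the original article. Thresholds and the
attempt log in run_scenarios() are constructed for illustration.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5        # failures before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
SPRAY_ACCOUNTS = 10          # distinct accounts failing from one source...
SPRAY_WINDOW = 60 * 60       # ...within this many seconds


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(list)     # account -> [timestamps]
        self.locked_until = {}                # account -> unlock time
        self.source_fail = defaultdict(list)  # source -> [(ts, account)]

    def attempt(self, ts, account, source, password_ok):
        """Record one login attempt. Returns 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"  # refused even if the password is right
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(ts)
        self.source_fail[source].append((ts, account))
        # Keep only failures inside the window, then check the threshold.
        recent = [t for t in self.failures[account] if ts - t < LOCKOUT_SECONDS]
        self.failures[account] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            return "locked"
        return "fail"

    def spraying_sources(self, now):
        """Sources that failed against many *different* accounts recently.
        The per-account counter never reaches its threshold for this
        pattern, so it has to be detected per source instead."""
        out = []
        for src, events in self.source_fail.items():
            accounts = {a for t, a in events if now - t < SPRAY_WINDOW}
            if len(accounts) >= SPRAY_ACCOUNTS:
                out.append(src)
        return sorted(out)


def run_scenarios():
    """Two constructed attack patterns against the same guard."""
    g = LoginGuard()
    # Scenario 1: brute force on one account from one host, six guesses.
    brute = [g.attempt(t, "admin", "10.0.0.5", False) for t in range(6)]
    # The correct password is still refused while the account is locked.
    locked_correct = g.attempt(7, "admin", "10.0.0.5", True)
    # Scenario 2: spraying, one guess each against 12 accounts from one host.
    for i in range(12):
        g.attempt(100 + i, "user%d" % i, "203.0.113.9", False)
    return brute, locked_correct, g.spraying_sources(now=200)


if __name__ == "__main__":
    brute, locked_correct, sprayers = run_scenarios()
    print("brute force results:", brute)
    print("correct password during lockout:", locked_correct)
    print("sources flagged for spraying:", sprayers)
```

The per-source check is what catches the "come back next month" attacker the paragraph describes, provided the failure log is retained for longer than the lockout window and the same check is run over that history; the article's own remedy, forcing a password change once an account locks, applies on top of this.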

Security Leaks

The WannaCry ransomware exploited a flaw in the SMBv1 file-sharing service of older Windows versions, including the no-longer-supported Windows XP. The exploit, known as EternalBlue, had been developed by the US NSA and was published by the Shadow Brokers group; it allowed the worm to install itself remotely without any credentials. Microsoft had shipped the fix (MS17-010) two months before WannaCry struck, so the machines that fell were the unpatched or unsupported ones.

Edward Snowden, an NSA contractor, took classified documents and passed them to journalists.

Phishing Attacks

Emails appearing to be legitimate are sent to a user with one of two intents:

Capturing the user’s credentials via a link to a fraudulent web site that impersonates a legitimate corporate site.

Installing malware carried in an attachment, such as MS Office macros, batch files or executables.

Lack of email security gateways, or poorly configured ones, to strip spam, viruses and disallowed attachment types.

Administrative accounts used for email. Administrators should use a separate, unprivileged account for email.

Poor security training

Users should be told never to open attachments or links from suspicious email addresses: trust only known sources and examine the sender’s email address carefully before opening anything. For example, never act on an emailed offer to update critical software such as Microsoft drivers or Adobe Acrobat. Such software already has its own update process, and the emailed request is bogus.

Access Control

Limit users’ web browsing to well-run commercial websites.

Lack of Quick Action to Patch Vulnerabilities

An organization needs to continuously monitor vulnerabilities in all Internet-facing and internal systems.

The Equifax breach showed that reliance on security systems such as intrusion detection can be thwarted. The attackers came in through an unpatched Apache Struts flaw for which a fix had been available for two months, installed web shells, and moved through Equifax’s network over encrypted channels. An expired certificate on Equifax’s traffic-inspection device meant that this traffic went uninspected for months, which cloaked their actions.

Organizational Issues: Lack of Skills

Companies such as Equifax have a history of large-scale breaches. In the case of Equifax, the company was unable to attract top people to operate and manage its systems.

It’s Cheaper to Accept the Risk

Not managing the risk of intrusion and of the resulting damage to reputation.

Accepting a risk is perceived to be cheaper than mitigating it. This is a false assumption.

Equifax’s stock dropped about $45 from $141 per share before rebounding to $108 per share.

Anthem paid $260M in litigation to settle a breach of 78.8 million health records. That works out to $3.30 per person, or $3.3M per million records stolen.

Poor Release Testing

It is not enough to show that the application is functionally operational. The release must also demonstrate that the new system or update introduces no new vulnerabilities.

All code should be scanned prior to release. Test cases should include the well-known attacks applicable to the application’s environment.

Critical Internet-facing systems must be protected from distributed denial of service attacks using a mitigation service such as Akamai.

Flaws such as SQL injection can be detected with code scanning tools.

Well-designed reusable libraries should be used to mitigate the risks of excessive input length, such as buffer overflows.
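The last two points are concrete enough for a release test of the kind recommended above. Here is an added example, not code from the original article or any named product: a constructed SQLite user table queried first by string concatenation (the pattern code scanners flag as SQL injection) and then with a bound parameter and an input-length check. The `demo()` function doubles as the regression test a release pipeline would run against a known attack string; table contents, the `MAX_USERNAME` limit and the payload are constructed for illustration.

```python
"""SQL injection: string-built query next to the parameterised fix, plus an
input-length check. Added example, not code from the original article; the
table, rows, length limit and payload are constructed for illustration."""
import sqlite3

MAX_USERNAME = 64  # reject oversize input before it reaches any parser


def make_db():
    """In-memory table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (name TEXT, password_hash TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "h1", 0), ("bob", "h2", 0), ("root", "h3", 1)])
    return db


def lookup_vulnerable(db, name):
    """Untrusted input concatenated straight into SQL. Deliberately flawed:
    this is what a code scanner should flag."""
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, name):
    """Length check plus placeholder binding. The driver sends the value
    separately from the statement, so it is never parsed as SQL."""
    if not isinstance(name, str) or len(name) > MAX_USERNAME:
        raise ValueError("username missing or longer than %d" % MAX_USERNAME)
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Classic tautology payload: turns the WHERE clause into "'' OR '1'='1'".
PAYLOAD = "' OR '1'='1"


def demo():
    """Release-style regression test: the known attack string against both
    lookups, plus an oversize input against the hardened one."""
    db = make_db()
    leaked = sorted(lookup_vulnerable(db, PAYLOAD))  # every user comes back
    contained = lookup_safe(db, PAYLOAD)             # no user has that name
    try:
        lookup_safe(db, "A" * (MAX_USERNAME + 1))
        oversize_rejected = False
    except ValueError:
        oversize_rejected = True
    return leaked, contained, oversize_rejected


if __name__ == "__main__":
    leaked, contained, oversize_rejected = demo()
    print("vulnerable lookup returned:", leaked)
    print("parameterised lookup returned:", contained)
    print("oversize input rejected:", oversize_rejected)
```

A scanner finds the `%` formatting into `query` statically; the `demo()` run is the dynamic counterpart, and keeping it in the release suite means a future change that reintroduces string-building fails the build rather than shipping.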

Platforms hosting new systems should be scanned for misconfiguration.

Phew: keeping ahead of Mr. Wile E. Hacker is a full-time job!