Lock Your Doors
Author: Frank Gifford
Early reports of the Sony hack had hinted at North Korea's involvement, and this drew derisive comments across the web. Well, the US government is now pointing the finger at North Korea after all, and you should take notice.
Traditional war involves physical contact with the enemy, and an ever increasing array of weapons that are expensive to create. These weapons are not in the hands of average people. But in the world of the Internet, it's just an Internet connection, knowledge, and time.
North Korea has about 25 million people and a GDP of about $14 billion. That is about 2% of the population of China and about 0.2% of China's GDP. It's true that the average citizen in North Korea has no ability to check email, let alone launch a DDoS attack against you. But the government, or whoever it may pay, has no such restriction.
Unlike the regular media, I won't bother with explaining the attack against Sony. The bigger point is that security is difficult and if there is a determined attacker, you should have a plan to limit the damage. Emails getting out may be an embarrassment, but social security numbers and personal details can lead to massive theft. Computers are used for monitoring and controlling machines, and any compromise of those can be a nightmare.
I've always equated security on the Internet to security for your house. It's true that a determined burglar can find a way into your house. Even so, you are still being reasonable in locking your doors and windows as a minimum first step. While that may be completely obvious, you may be shocked at the bad passwords in use at your company. There is a password that comes up over and over in penetration tests. I won't show it here, but it satisfies the "rules" of a password policy: lower-case letters, upper-case letters, a non-letter character, and it can be rotated every three months without breaking the pattern. Ask your penetration testing company when you interview them. They will tell it to you as they laugh.
I can go to your website and search Google as well as LinkedIn to find the people in your company. With actual names, it's easy to figure out user names. Then, I can try logging in as each person with this password. Since I would only use one or two passwords per person (this is a password spray), no account-lockout alarm bells ring for the login attempts. Once logged in as anyone, I can then look for a program that's running as a privileged user. Maybe I'll be lucky and find a file lying around with passwords in it.
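The spray described above is invisible to a per-account lockout rule precisely because each account sees only one or two failures. What does catch it is counting distinct accounts that fail from a single source inside a time window. The following is an added example, not code from the original post: it runs both rules over a constructed, sshd-style auth log (the log format, IPs, user names and thresholds are all assumptions for illustration) and shows that the classic rule flags only the single-account brute force while the per-source rule flags the spray and notes that the sprayer later got in.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed sshd-style format; not data from the original post).
#   203.0.113.7  sprays one password across six accounts, then gets in as frank.
#   192.0.2.9    hammers a single account (classic brute force).
#   198.51.100.5 is a legitimate user mistyping her password twice.
SAMPLE_LOG = """\
2014-12-19T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 40001 ssh2
2014-12-19T09:00:04 sshd[102]: Failed password for bob from 203.0.113.7 port 40002 ssh2
2014-12-19T09:00:07 sshd[103]: Failed password for carol from 203.0.113.7 port 40003 ssh2
2014-12-19T09:00:10 sshd[104]: Failed password for dave from 203.0.113.7 port 40004 ssh2
2014-12-19T09:00:13 sshd[105]: Failed password for erin from 203.0.113.7 port 40005 ssh2
2014-12-19T09:00:16 sshd[106]: Accepted password for frank from 203.0.113.7 port 40006 ssh2
2014-12-19T09:01:00 sshd[107]: Failed password for root from 192.0.2.9 port 50001 ssh2
2014-12-19T09:01:02 sshd[108]: Failed password for root from 192.0.2.9 port 50002 ssh2
2014-12-19T09:01:04 sshd[109]: Failed password for root from 192.0.2.9 port 50003 ssh2
2014-12-19T09:01:06 sshd[110]: Failed password for root from 192.0.2.9 port 50004 ssh2
2014-12-19T09:01:08 sshd[111]: Failed password for root from 192.0.2.9 port 50005 ssh2
2014-12-19T09:01:10 sshd[112]: Failed password for root from 192.0.2.9 port 50006 ssh2
2014-12-19T09:02:00 sshd[113]: Failed password for alice from 198.51.100.5 port 60001 ssh2
2014-12-19T09:02:05 sshd[114]: Failed password for alice from 198.51.100.5 port 60002 ssh2
2014-12-19T09:02:09 sshd[115]: Accepted password for alice from 198.51.100.5 port 60003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(log):
    """Turn log lines into (timestamp, user, source_ip, accepted) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"],
                           m["outcome"] == "Accepted"))
    events.sort()
    return events


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """Classic rule: N failures against one account inside the window."""
    hits = set()
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, _ip, accepted in events:
        if accepted:
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            hits.add(user)
    return sorted(hits)


def detect_spray(events, min_users=5, window=timedelta(minutes=15)):
    """Spray rule: one source fails against >= min_users distinct accounts inside the window.
    Also records whether that source later obtained an Accepted login."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        in_window = []          # (ts, user) failures inside the sliding window
        users = Counter()       # distinct users currently in the window
        sprayed = set()
        success_after = False
        for ts, user, _ip, accepted in evs:
            if accepted:
                success_after = success_after or bool(sprayed)
                continue
            in_window.append((ts, user))
            users[user] += 1
            while in_window and ts - in_window[0][0] > window:
                _old_ts, old_user = in_window.pop(0)
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
            if len(users) >= min_users:
                sprayed.update(users)
        if sprayed:
            alerts[ip] = {"accounts": sorted(sprayed), "success_after_spray": success_after}
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(evs))
    print("spray sources:", detect_spray(evs))
```

The thresholds are deliberately low so the sample triggers; in production, tune `min_users` and `window` to your environment, key the spray rule on whatever identifies the source (IP, VPN session, client ID), and treat a success that follows a spray from the same source as the highest-priority alert.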
This scenario happens more often than you might think. Here are some takeaways:
- Perhaps your firewall should scream if someone is exporting massive amounts of data that are inconsistent with their role.
- Your security devices have logging; it needs to be monitored for possible probing by outsiders.
- You should ensure that passwords are not easily broken. Perhaps take your company's password hashes and try cracking them yourself on a machine you control.
- Stay up to date on patches and backups. Our bi-weekly Strikepacs contain updates that will help identify weaknesses in your environment.
- Identify the critical items in your company and ask yourself: what if that item were under the control of an attacker? How would you detect an attempt to probe or control it?
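The third takeaway, cracking your own hashes, is cheap to start on: the weak passwords the post describes are generated from a tiny pattern (a season or month, a year, a symbol), so a few thousand candidates cover most of them. The following is an added example, not code from the original post or from Strikepacs. It assumes a simple, unsalted hex-digest hash store and builds a constructed dump by hashing known passwords so it runs offline; for Windows NT hashes you would swap in MD4 over the UTF-16LE encoding, and for salted schemes you would hash each candidate per salt instead of building one lookup table.

```python
import hashlib
import itertools

# Assumed scheme: unsalted hex digest of the UTF-8 password (as in a simple application
# database). NT hashes would use MD4 over pw.encode("utf-16-le") instead.
def hash_password(pw, algo="sha256"):
    return hashlib.new(algo, pw.encode("utf-8")).hexdigest()


# The pattern behind the "password that comes up over and over": a capitalised word that
# changes with the calendar, a year, and a symbol to satisfy the complexity rules.
SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
YEARS = ["2013", "2014", "2015", "13", "14", "15"]
SUFFIXES = ["", "!", "1", "1!", "#", "@", "123"]


def season_candidates():
    """Yield every word/year/suffix combination in both capitalisations (1428 strings)."""
    for word, year, suffix in itertools.product(SEASONS + MONTHS, YEARS, SUFFIXES):
        yield f"{word}{year}{suffix}"
        yield f"{word.lower()}{year}{suffix}"


def meets_policy(pw, min_len=8):
    """A typical complexity policy: length, lower, upper and a non-letter."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(not c.isalpha() for c in pw))


def audit(dump, candidates, algo="sha256"):
    """Return {user: recovered_password} for every hash that matches a candidate.
    Hash each candidate once and look the dump up against the table."""
    table = {}
    for pw in candidates:
        table.setdefault(hash_password(pw, algo), pw)
    return {user: table[h] for user, h in dump.items() if h in table}


# Constructed dump: user names and passwords are invented; the hashes are computed here
# so the example is self-contained. "admin" uses a password outside the pattern.
DUMP = {
    "jsmith": hash_password("Winter2014!"),
    "mjones": hash_password("fall2014"),
    "admin": hash_password("Tq8#vR2mZp!wL9xs"),
}


if __name__ == "__main__":
    cracked = audit(DUMP, season_candidates())
    for user, pw in cracked.items():
        print(f"{user}: {pw!r} (passes complexity policy: {meets_policy(pw)})")
    print(f"{len(DUMP) - len(cracked)} of {len(DUMP)} hashes survived the pattern list")
```

Note what the output says about policy: "Winter2014!" passes the complexity check and is still recovered instantly. A complexity rule constrains the shape of a password, not its predictability, which is why checking your own hashes against pattern lists and breach wordlists tells you more than the policy document does.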