Security - It's a Scary World Out There

Now there’s a doom mongering headline, eh? Well, it’s true so I make no apology for it. It’s been nearly a year since I last wrote on the subject of security ("How Secure is your data"), but having been to visit our partners Alert Logic recently, I was motivated to jot down a few further thoughts.

What are those aforementioned thoughts?

I travelled to Cardiff last week and spent some time at the Alert Logic UK SOC (Security Operations Centre). I partnered with them in 2014 to ensure Cloudreach were in a position to provide a cloud ready threat management solution to our clients. While in sunny Wales for the day, I met some genuinely fascinating people who got me thinking about how little most people know about the underworld which drives the need for their offering.

Here’s an interesting statement for you:

The average time for detection of a security breach in an enterprise IT environment is 200 days.

You read that right: 200. Well over half a year in fact. Smash and grab attacks are (largely) a thing of the past. Once someone, or a group, is inside your network they’ll spend a lot of time working out how to compromise your data, and taking more and more until they have secured their objective or gotten bored… Take a look at Lockheed Martin’s Cyber Kill Chain diagram for an overview of why someone might hang around that long (there’s a lot more detail online for those interested).

 

That’s not good

Correct, it’s not. A lot of damage can be done in 200 days. I ask this a lot, but "what’s the worst thing that could happen to your business"? I’d argue it’s a major security breach. It could literally destroy your brand, and your company, in minutes of being announced. This isn’t just about losing customer data, you might lose the proprietary IP which is the sole reason you’re able to run your business.

If you’re ever interested in reading up on the general state of security breaches globally, a good read is the Verizon Data Breach report. This one I’ve linked to is nearly a year old, so a new one will be released in the coming months I’m sure.

It is full of fascinating information, including the notable revelation that roughly 99.9% of vulnerability exploits happen over a year after the vulnerability was first reported to the world.  What can we take from this?

 

PATCH! PATCH! PATCH!

Patch all software. And that includes firmware running on hardware – if you think people aren’t trying to hack your Cisco or Juniper devices, you’re mistaken. I’m talking about patching operating systems, applications, browsers, third party plugins. Everything that can be patched, should be patched. Quickly.

My earlier blog post linked above makes reference to other things you can do to try and keep safe, but the key thing to bear in mind is that this is a constant and evolving battle. You need to be permanently on your game.

The only other thing I’ll mention on that topic today is that you *must* understand the shared security model that comes with your cloud solution. If you’re using a serious cloud player, and by that I mean AWS, Azure or Google, you are basically 100% safe up to the hypervisor. Beyond that, it’s up to YOU to secure it. Hunt down the AWS "Shared Responsibility Model" for more information on what you need to think about.

 

Pfffft. I’m not scared

I don’t like pushing a message of fear, but you should be. I’ve previously highlighted "hacking as a service". Well, what about free SQL Injection tools instead? Free. With tutorials on how to use them. Don’t believe me? Google "Havij hacking" for just one of the better known examples which has YouTube videos showing you how to use it to test exposed application code and penetrate databases.

Convinced your development practices prevent this type of relatively simple and well known attack vector? I wonder if TalkTalk were too?

Other tales I won’t expand on here from my day in Cardiff includes evidence of compromised global CDN networks and national defence companies being hacked (including video and audio being recorded and transferred out!) by organised foreign nations seeking a military advantage.

 

Ok, I am scared. Hold my hand.

As I’ve mentioned, we partner with Alert Logic for threat management, and the level of malice they observe against our lovely customers is quite incredible. We also work with Bitdefender (on the anti-malware side), and it never ceases to amaze me how often it will pick up malware on servers within a few minutes of it being installed.

Last year’s Alert Logic Cloud Security report highlighted that close to 1 million security incidents were identified and mitigated by Alert Logic for their clients. Want to place a bet on how many we should expect in the 2016 report? We’ll find out soon.

Think you’re covered for security? I bet you’re not.