18 infosec fails that let crims win

Today's complex, targeted attacks succeed because companies fail to cover information security basics, according to senior Kaspersky Lab analysts.

"Everybody is aware of these things, but now is the time for starting to [pay] attention," said Evgeny ("Eugene") Aseev, head of Kaspersky's China antivirus lab.

The Operation Aurora attacks against Google, Adobe, Rackspace, Juniper Networks and others revealed in early 2010, for example, involved 12 distinct steps. Nine of them were actions that could have been detected or prevented by more comprehensive defences. If any one of these steps had failed, the attack would have failed.

In one step, victims were sent links to malicious websites via email. "The links inside the emails should have been checked by some antivirus or gateways or anything else," Aseev said.

The attack against HBGary Federal by Anonymous earlier this year and the attack against RSA that compromised its SecurID token system also succeeded because the basics had been forgotten.

Both the chief executive officer and chief operating officer of HBGary had used simple passwords consisting of just six letters and two numbers, for instance, and they made matters worse by reusing the same passwords for their Google Apps email accounts and the company's internal systems.

ZDNet Australia has compiled this checklist for companies to follow in order to avoid such easy breaches, based on Aseev's presentation to Kaspersky's partners and media in Kuala Lumpur. To avoid hackers' delight, companies should:

  • Identify, encrypt and protect valuable information assets. Attackers could be looking for program source code, executive emails, information on future products, customer lists, log-in credentials for production systems or third-party data you host.
  • Monitor all email into and out of the organisation for malicious links and other suspicious content.
  • Monitor instant messaging and social networks.
  • Conduct web browsing within virtualisation to prevent an attack moving beyond the browser.
  • Monitor network connections for signs of communication to malware command and control servers.
  • Limit user privileges, especially accounts with administrator access.
  • Monitor application activity.
  • Monitor local network behaviour.
  • Use off-the-shelf software, where many eyes are checking for security holes. The HBGary attack succeeded because a content management system developed in-house wasn't secure.
  • Test for really obvious security holes, such as code that might allow SQL injection attacks.
  • Patch all systems regularly.
  • Store passwords securely. Unsalted MD5 hashes are still commonly used in web applications, for example, but are no longer adequate: a fast, unsalted hash lets an attacker who dumps the table crack every weak password with a precomputed dictionary. Use a salted, deliberately slow password hash instead.
  • Force users to create complex passwords.
  • Do not re-use passwords.
  • Educate users against social engineering attacks and in email security.
  • Ensure the effectiveness of the firewall and perimeter security through penetration testing.
  • Ensure that data leak prevention (DLP) technology is in place and effective.
  • Ensure that malware detection and reporting systems are in place and that employees know how to use them.
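Three of the checklist items above (don't trust in-house code, test for SQL injection, and don't store MD5 password hashes) describe exactly the chain that undid HBGary's custom CMS. The following Python example is added here to illustrate them; it is not code from the article, Kaspersky or HBGary. The table layout, user names, passwords and attacker word list are all constructed. The vulnerable half concatenates user input into the SQL query and stores unsalted MD5; the hardened half binds query parameters and stores salted PBKDF2 hashes, which also makes two users with the same password indistinguishable in a dump.

```python
"""Added example (not from the article or Kaspersky): a minimal CMS-style
user store showing two of the checklist failures, SQL injection and
unsalted MD5, beside a hardened version. All names and data are constructed."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users. "summer11" mimics the six-letters-two-digits
# pattern the article describes; it is not a real HBGary password.
USERS = [("ceo", "summer11"), ("coo", "winter12"), ("dev", "summer11")]

# Constructed attacker word list, standing in for a dictionary or rainbow table.
WORDLIST = ["password", "summer11", "letmein", "qwerty12"]


# --- Vulnerable: string-built SQL and unsalted MD5 ---------------------------
def md5_hex(password):
    """Fast, unsalted hash: identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, md5_hex(p)) for n, p in USERS])
    return conn


def vulnerable_lookup(conn, name):
    # Untrusted input is concatenated straight into the query text.
    sql = "SELECT name, pw FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def crack_md5(rows):
    # Hash the word list once, then look every dumped hash up in it.
    table = {md5_hex(w): w for w in WORDLIST}
    return {name: table[h] for name, h in rows if h in table}


# --- Hardened: parameterised SQL and salted, slow PBKDF2 ---------------------
ITERATIONS = 200_000  # tune to tens of milliseconds on the login server


def hash_password(password, salt=None):
    """Per-user random salt plus an iterated KDF; output is 'salt$digest'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def hardened_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, hash_password(p)) for n, p in USERS])
    return conn


def hardened_lookup(conn, name):
    # The driver binds the value; quotes inside it cannot alter the query.
    return conn.execute("SELECT name, pw FROM users WHERE name = ?",
                        (name,)).fetchall()


INJECTION = "x' OR '1'='1"  # classic tautology payload in the name field


def demo():
    vuln = vulnerable_db()
    dumped = vulnerable_lookup(vuln, INJECTION)   # tautology returns every row
    cracked = crack_md5(dumped)                   # weak passwords fall at once

    hard = hardened_db()
    safe = hardened_lookup(hard, INJECTION)       # literal name; no such user
    ceo_row = hardened_lookup(hard, "ceo")[0]
    return {
        "dumped_rows": len(dumped),
        "cracked": cracked,
        "safe_rows": len(safe),
        "ceo_ok": verify_password("summer11", ceo_row[1]),
        "ceo_bad": verify_password("Summer11", ceo_row[1]),
        # Same password, different salt: dumps no longer reveal shared passwords.
        "pbkdf2_hashes_differ": hash_password("summer11") != hash_password("summer11"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it dumps all three rows from the vulnerable store and recovers both users who chose "summer11" from the unsalted MD5 hashes, while the same payload against the hardened store returns nothing and the salted hashes give no hint that two accounts share a password.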

Stilgherrian travelled to Kuala Lumpur as a guest of Kaspersky Lab.