Available at: http://www.infoworld.com/d/security-central/security-rule-no-1-assume-youre-hacked-005?page=0,0
Security rule No. 1: Assume you're hacked
Accept that your company's IT systems have been compromised -- then get to work defending them
Roger Grimes
A recent Forbes magazine article advised readers to assume that their companies have been hacked. Some readers have asked me to weigh in, and here's my view: the article is slightly hyperbolic, but all in all it is accurate. Most companies are actively compromised, and their sensitive data is being stolen and leaked to outsiders.
Many readers will find such statements inaccurate and unsupported, and wonder where the documented evidence is to back up such sweeping claims. True, there is no survey data to prove the conclusion. Surveys and interviews can only measure known hacking incidents; they cannot count the compromises nobody has detected yet. But in this case there is strong anecdotal evidence.
I'm not certain precisely when it happened, but during the past two or three years I found that all the companies I worked with were being hacked. It's more than my own personal experience. Ask any computer security consultant who works in the field across a large number of clients and they will tell you the same thing: "Yes, every company is hacked!"
Now, the level of hacking differs with company size. Every company is hacked in the sense that it probably has one or more computers with a remotely controllable Trojan, bot, or zombie program installed. If the company is of sufficient size or in an industry with extremely valuable data (for example, a firm competing against foreign rivals, a law firm, or a defense contractor), it's likely a malicious hacker has installed various backdoor programs and has sent volumes of sensitive data to other locations. In the large companies I visit, the hackers set up programs that automatically look for new files and directories and send only the changed information to the remote site. Little do those companies know that they have a free offsite backup service.
Every company I've dealt with has had dozens of big security vulnerabilities. The IT employees I interview admit that their company's defenses are unevenly applied and that they know of many more major security holes than I found in my limited review. Rarely are these security issues new; most are several years old and well known to IT management.
There's a chance that your company is not hacked, but in today's uber-active crimeware environment, it's unlikely. If you aren't hacked, you're either extremely good (with full management support and resources) or lucky.
So how should that change your behavior and tactics? First, as strange as it sounds, it's probably worth telling senior IT management that the company is likely compromised, if you haven't already done so. If they react badly, pull out this column (or the Forbes story) and list all the major security issues that have remained unfixed in the company for years.
Second, the best way to prevent hacking is to lock down workstations and servers so that only pre-approved software can run on them. Most IT departments have no idea what is and isn't running on the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can't take this step, it's probably a losing battle, but there are other, less effective mitigations.
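The inventory-then-allowlist loop above, worked through as an added example (this is not code from the column). It takes a fleet inventory in a constructed host|path|sha256 format, splits it into approved and unapproved digests, orders the unapproved ones so that code present on many hosts is reviewed first, flags paths that resolve to more than one build across the fleet, and produces the per-host block list that application control would enforce. The hostnames, paths, short hex digests and the allowlist are all constructed; a real inventory would come from an agent or application-control product and carry full SHA-256 values.

```python
"""Review a fleet software inventory against an allowlist.

Added example, not code from the column. The inventory format
(host|path|sha256, one line per binary) and the short hex digests are
constructed for illustration; a real list would come from an inventory
agent or application-control product and carry full SHA-256 values.
"""
from collections import defaultdict

# Constructed sample inventory. Note ha_helper.so on every database host
# and an sshd on db03 whose hash differs from the rest of the fleet.
SAMPLE_INVENTORY = """\
ws01 | C:\\Windows\\System32\\svchost.exe | a1a1
ws01 | C:\\Program Files\\Office\\winword.exe | b2b2
ws01 | C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe | f9f9
ws02 | C:\\Windows\\System32\\svchost.exe | a1a1
ws02 | C:\\Program Files\\Office\\winword.exe | b2b2
db01 | /usr/sbin/sshd | c3c3
db01 | /usr/bin/mysqld | d4d4
db01 | /usr/lib/mysql/plugin/ha_helper.so | e5e5
db02 | /usr/sbin/sshd | c3c3
db02 | /usr/bin/mysqld | d4d4
db02 | /usr/lib/mysql/plugin/ha_helper.so | e5e5
db03 | /usr/sbin/sshd | 7777
db03 | /usr/bin/mysqld | d4d4
"""

# Constructed allowlist: digests IT has reviewed and approved.
APPROVED = {"a1a1", "b2b2", "c3c3", "d4d4"}


def parse_inventory(text):
    """Parse 'host | path | sha256' lines into (host, path, digest) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, path, digest = (field.strip() for field in line.split("|"))
        records.append((host, path, digest.lower()))
    return records


def review(records, approved):
    """Split the inventory into what is approved and what is not.

    Returns a dict with two keys:
      unapproved     - one entry per unknown digest, with the paths and hosts
                       it was seen on, most widespread first
      path_conflicts - paths that resolve to more than one digest across the
                       fleet (an unapproved build sitting next to approved ones)
    """
    approved = {d.lower() for d in approved}
    hosts_by_digest = defaultdict(set)
    paths_by_digest = defaultdict(set)
    digests_by_path = defaultdict(set)
    for host, path, digest in records:
        hosts_by_digest[digest].add(host)
        paths_by_digest[digest].add(path)
        digests_by_path[path].add(digest)

    unapproved = [
        {
            "digest": digest,
            "paths": sorted(paths_by_digest[digest]),
            "hosts": sorted(hosts_by_digest[digest]),
        }
        for digest in hosts_by_digest
        if digest not in approved
    ]
    # Widespread unknown code goes to the top of the review queue: it is
    # either a gap in the allowlist or something baked into a build image,
    # which is how the Trojan in the column's fish-company story survived.
    # Code seen on a single host is reviewed next.
    unapproved.sort(key=lambda entry: (-len(entry["hosts"]), entry["digest"]))

    path_conflicts = {
        path: sorted(digests)
        for path, digests in digests_by_path.items()
        if len(digests) > 1
    }
    return {"unapproved": unapproved, "path_conflicts": path_conflicts}


def block_list(records, approved):
    """Per host, the paths whose digest is not approved: what application
    control should prevent from running once review is complete."""
    approved = {d.lower() for d in approved}
    blocked = defaultdict(list)
    for host, path, digest in records:
        if digest not in approved:
            blocked[host].append(path)
    return {host: sorted(paths) for host, paths in blocked.items()}


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    report = review(inventory, APPROVED)
    for entry in report["unapproved"]:
        print(f"UNAPPROVED {entry['digest']} on {len(entry['hosts'])} host(s): {entry['paths']}")
    for path, digests in report["path_conflicts"].items():
        print(f"CONFLICT {path} has {len(digests)} different builds: {digests}")
    for host, paths in block_list(inventory, APPROVED).items():
        print(f"BLOCK on {host}: {paths}")
```

On the constructed data the review queue starts with ha_helper.so, present on two database hosts but approved on none, exactly the pattern of something that got into a gold image; the sshd on db03 shows up both as unapproved and as a path conflict, which is the stronger signal because the same path is approved everywhere else.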
Key among those techniques is to actively monitor network traffic and investigate large amounts of data headed to unknown external destinations or moving between internal computers that have no business communicating. Attackers often copy data internally to a centralized staging computer before compressing it and shipping it off to an external site. Many tools, including data leak detection and prevention products, can assist with this kind of measurement and alerting.
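The two traffic patterns the paragraph describes, as an added example that is not part of the column: bulk egress to destinations nobody recognises, and an internal host that suddenly receives large volumes from several peers even though it is not a designated server. The flow records, the address ranges (an internal 10/8, a server range, two "known good" external ranges) and the byte thresholds are all constructed for illustration; real input would be NetFlow/IPFIX or proxy summaries from your own network, and the ranges and thresholds would be tuned to it.

```python
"""Flag bulk egress to unknown destinations and internal staging hosts.

Added example, not code from the column. The flow format, the address
ranges and the thresholds are constructed for illustration; real input
would be NetFlow/IPFIX or proxy summaries exported from your own network.
"""
import ipaddress
from collections import defaultdict

# Constructed network model (assumptions; adjust to your environment).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SERVER_NETS = [ipaddress.ip_network("10.2.0.0/16")]   # hosts meant to receive bulk data
KNOWN_EXTERNAL = [                                     # destinations where large uploads are expected
    ipaddress.ip_network("52.1.0.0/16"),
    ipaddress.ip_network("13.107.0.0/16"),
]

# Constructed flow summaries: timestamp, src, dst, dst port, bytes.
# Three workstations push data to workstation 10.1.1.77 overnight, which
# then sends 800 MB to an address nobody in IT recognises.
SAMPLE_FLOWS = """\
2010-08-10T09:02:11 10.1.1.10 10.2.0.5       445 50000000
2010-08-10T09:05:40 10.1.1.11 10.2.0.5       445 75000000
2010-08-10T22:14:05 10.1.1.10 10.1.1.77      445 300000000
2010-08-10T22:31:52 10.1.1.11 10.1.1.77      445 200000000
2010-08-10T22:47:19 10.1.1.12 10.1.1.77      445 400000000
2010-08-11T01:03:33 10.1.1.77 198.51.100.23  443 800000000
2010-08-11T08:12:00 10.1.1.20 52.1.4.4       443 900000000
2010-08-11T08:30:27 10.1.1.21 203.0.113.9    443 2000000
"""


def _in(addr, nets):
    """True if the dotted address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def egress_outliers(flows, threshold):
    """(src, dst, total_bytes) for every internal->external pair that moved at
    least `threshold` bytes to a destination outside the known set, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if _in(f["dst"], INTERNAL_NETS) or _in(f["dst"], KNOWN_EXTERNAL):
            continue
        totals[(f["src"], f["dst"])] += f["bytes"]
    hits = [(src, dst, total) for (src, dst), total in totals.items() if total >= threshold]
    return sorted(hits, key=lambda t: -t[2])


def staging_candidates(flows, min_peers, min_bytes):
    """Internal hosts outside the server ranges that received at least
    `min_bytes` from at least `min_peers` distinct internal sources: the
    'centralized computer' attackers stage data on before shipping it out."""
    inbound = defaultdict(lambda: {"peers": set(), "bytes": 0})
    for f in flows:
        src, dst = f["src"], f["dst"]
        if not (_in(src, INTERNAL_NETS) and _in(dst, INTERNAL_NETS)):
            continue
        if _in(dst, SERVER_NETS):          # file servers receive bulk data legitimately
            continue
        inbound[dst]["peers"].add(src)
        inbound[dst]["bytes"] += f["bytes"]
    return {
        host: {"peers": len(v["peers"]), "bytes": v["bytes"]}
        for host, v in inbound.items()
        if len(v["peers"]) >= min_peers and v["bytes"] >= min_bytes
    }


def correlate(flows, threshold=100_000_000, min_peers=3):
    """Hosts that both collected data from several peers and then pushed a
    large volume to an unknown destination: the strongest signal here."""
    staging = staging_candidates(flows, min_peers, threshold)
    exfil_sources = {src for src, _, _ in egress_outliers(flows, threshold)}
    return sorted(set(staging) & exfil_sources)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, total in egress_outliers(flows, 100_000_000):
        print(f"EGRESS  {src} -> {dst}: {total / 1e6:.0f} MB to an unknown destination")
    for host, info in staging_candidates(flows, 3, 100_000_000).items():
        print(f"STAGING {host} collected {info['bytes'] / 1e6:.0f} MB from {info['peers']} peers")
    print("STAGE-THEN-EXFIL:", correlate(flows))
```

The 900 MB upload to 52.1.4.4 is deliberately larger than the flagged one and is ignored because that range is on the known list; the point of the known-destination set is to keep the review queue short enough that someone actually reads it. Either detector alone produces leads; a host that appears in both lists deserves an immediate look.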
As always, I'm a big fan of honeypot computers, which simply sit there doing nothing, waiting to alert you when someone attempts to log on. Hackers may be good, but I've yet to meet one who could hack without at least attempting to log on.
Some companies plant "red herring" data elements around their network that alert them when data has leaked to the outside. Sometimes it's as simple as creating a few fake email addresses that are never used legitimately. Other red herring schemes go so far as to create entire fake records, fake projects, and even fake companies.
One enterprise I consulted for sold fish for a living. Its internal databases contained a fully documented, non-existent buyer. The fake company was given an unused phone number (registered to the parent company, in the parent company's name) and a mailing address that belonged to an accounting subsidiary. But none of this information existed outside the company's internal databases.
One day, out of the blue, the sham company received emails and phone calls from a competitor. During the ensuing investigation, they found a sophisticated, custom-written Trojan program installed on their main database server. The program had been around for so long that the IT folks had accidentally made it part of their "gold image" for building database servers. Now they have strong change control and a list of every program running on every server and workstation.
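The red-herring scheme from the two preceding passages, as an added example that is not code from the column or from the fish company: a small registry of decoy values (a fake buyer, its phone number, a mailbox that nobody legitimately uses), each recorded against the one data store it was planted in, plus a scanner that checks an inbound e-mail or call note for any of them. Because a decoy is planted in exactly one store and never used for real, a sighting is both a confirmed leak and an attribution to that store. The domain fishco.example, the store names, the decoy values and the intercepted message are all constructed.

```python
"""Plant honeytoken ("red herring") records and attribute a hit to the store that leaked.

Added example, not code from the column. The domain, record locations,
decoy values and the intercepted message are all constructed; the one
design rule taken from the column is that a decoy must never be used
legitimately, so any sighting of it outside the company is a true alert.
"""
import re
import secrets

# Digit runs that look like a phone number, with common separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def _normalise(value):
    """Lower-case and collapse whitespace; phone-like values reduce to digits."""
    compact = re.sub(r"\s+", " ", value.strip().lower())
    digits = re.sub(r"\D", "", compact)
    if len(digits) >= 7 and re.fullmatch(r"[+\d\s().-]+", compact):
        return digits
    return compact


class Honeytokens:
    """Registry of decoy values, each planted in exactly one data store."""

    def __init__(self, mail_domain):
        self.mail_domain = mail_domain
        self._registry = {}      # normalised decoy value -> location it was planted in

    def plant(self, location, value):
        """Register an operator-supplied decoy (fake company, phone, address)
        as planted in `location`, e.g. 'erp.buyers' or 'hr.payroll'."""
        self._registry[_normalise(value)] = location
        return value

    def plant_email(self, location, first=None, last=None, suffix=None):
        """Generate a plausible mailbox that is never used legitimately.
        The random suffix keeps every planted copy distinct, so a hit on one
        address identifies which store (and only which store) leaked."""
        first = first or secrets.choice(("mona", "lars", "ingrid", "per"))
        last = last or secrets.choice(("ekeberg", "halvorsen", "dahl", "berg"))
        suffix = suffix or str(secrets.randbelow(90) + 10)
        return self.plant(location, f"{first}.{last}{suffix}@{self.mail_domain}")

    def scan(self, text):
        """Return (decoy, location) for every planted value appearing in text:
        an inbound e-mail, a call log, a pasted document, a competitor's quote."""
        haystack = _normalise(text)
        phone_digits = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}
        hits = []
        for decoy, location in self._registry.items():
            if decoy.isdigit():
                # Phone decoys match on digits so "+47 21 99 48 13" and
                # "47-21-99-48-13" are the same number.
                if any(decoy in d or (len(d) >= 7 and d in decoy) for d in phone_digits):
                    hits.append((decoy, location))
            elif decoy in haystack:
                hits.append((decoy, location))
        return hits

    def leaked_locations(self, text):
        """The distinct data stores implicated by the decoys found in text."""
        return sorted({location for _, location in self.scan(text)})


if __name__ == "__main__":
    tokens = Honeytokens("fishco.example")
    tokens.plant("erp.buyers", "Halvorsen Cold Storage AS")       # fake customer record
    tokens.plant("erp.buyers", "+47 21 99 48 13")                  # its unused phone number
    tokens.plant_email("hr.payroll")                               # decoy mailbox in another store
    # Constructed inbound message from a competitor addressing the fake buyer.
    intercepted = (
        "From: sales@rival.example\nSubject: Special offer\n\n"
        "Dear Halvorsen Cold Storage AS,\nwe would like to quote on your salmon "
        "volumes and will ring you on 47-21-99-48-13 tomorrow.\n"
    )
    for decoy, location in tokens.scan(intercepted):
        print(f"ALERT decoy {decoy!r} seen outside the company; planted only in {location}")
    print("stores implicated:", tokens.leaked_locations(intercepted))
```

Keep the registry itself out of the systems you are seeding; if the attacker can read the mapping, the decoys are worthless. One decoy per store is the minimum for attribution; several per store, each with a distinct value, let you tell a full database dump from a single leaked record.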
Even if you're not really hacked, you should act as if you were and decide what you would do differently in your company to stop the hackers. Really, that's what we all should be doing every day anyway.
Source: http://www.infoworld.com/d/security-central/security-rule-no-1-assume-youre-hacked-005?page=0,0 (accessed 11 August 2010)