Security rule No. 1: Assume you're hacked


Uploaded by: safeguard

Posted on 12 May 2015


Category: Technology



DESCRIPTION

Available at: http://www.infoworld.com/d/security-central/security-rule-no-1-assume-youre-hacked-005?page=0,0

TRANSCRIPT

Security rule No. 1: Assume you're hacked

Accept that your company's IT systems have been compromised -- then get to work defending them

Roger Grimes

A recent Forbes magazine article advised readers to assume that their companies have been hacked. Some readers have asked me to weigh in, and here's my assessment: The article is slightly hyperbolic, but all in all, it's a pretty accurate assessment. Most companies are actively hacked, and their sensitive data is being stolen and leaked to outsiders.

Many readers might find such statements inaccurate and unsupported, and they may wonder where the documented evidence is to back up these gross claims. True, there is no survey data to prove the conclusion. Surveys and interviews can only measure known hacking incidents; it's hard to measure the known unknowns. But in this case, there is strong anecdotal evidence.

I'm not certain precisely when it happened, but during the past two or three years, I found that all the companies I worked with were being hacked. It's more than my own personal experience. Ask any computer security consultant who works in the field across a large number of clients and they will tell you the same thing: "Yes, every company is hacked!"

Now, the level of hacking may differ among different-size companies. Every company is hacked in the sense that it probably has one or more computers with a remotely controllable Trojan/bot/zombie malware program installed. If the company is of sufficient size or in an industry with extremely valuable data (for example, one that competes against foreign companies, law firms, or the defense industry), it's likely a malicious hacker has installed various backdoor programs and has sent volumes of sensitive data to other locations. In the large companies I visit, the hackers set up programs that automatically look for new files and directories and send only the changed information to the remote site. Little do those companies know that they have a free offsite backup service.


Every company I've dealt with has had dozens of big security vulnerabilities. The IT employees that I interview admit that their company's defenses are unevenly applied and that they know of many more major security holes that I haven't found in my limited review. Rarely are these security issues new; most are several years old and well known by IT management.

There's a chance that your company is not hacked, but in today's uber-active crimeware environment, it's unlikely. If you aren't hacked, you're either extremely good (with full management support and resources) or lucky.

So how should that change your behavior and tactics? First, as strange as it sounds, it's probably not a bad thing to communicate this to senior IT management, if you haven't already done so. If they react badly, pull out this column (or the Forbes story), and list all the major security issues that have remained unfixed for years in the company.

Second, the best way to prevent hacking is to lock down workstations and servers and to allow only pre-approved software to run on them. Most IT departments have no idea what is and isn't running on all the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can't take this step, then it's probably a losing battle -- but there are other, less effective mitigations.
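The inventory-then-allowlist step above is the one the column says most IT departments skip, so here is a worked version of it as an added example (not code from the column or from any product it mentions): hash every executable under a set of directories, compare the result with an approved baseline taken from a known-good build, and report what is new, changed or missing. The baseline format, the `demo()` scenario and its file names are assumptions made for illustration; a real deployment would take the baseline before a gold image is cloned and re-run the scan on a schedule.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class InventoryReport:
    approved: list = field(default_factory=list)  # present, hash matches baseline
    modified: list = field(default_factory=list)  # path in baseline, hash differs
    unknown: list = field(default_factory=list)   # on disk, not in baseline at all
    missing: list = field(default_factory=list)   # in baseline, not on disk


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_executable(path):
    """POSIX: use the execute bit. Windows: fall back to well-known extensions."""
    if os.name == "nt":
        return path.lower().endswith((".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd"))
    return os.access(path, os.X_OK)


def inventory(roots):
    """Return {absolute path: sha256} for every executable file under roots."""
    found = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p) or not is_executable(p):
                    continue
                try:
                    found[p] = sha256_of(p)
                except OSError:
                    continue  # unreadable file: worth a manual look, but no hash
    return found


def compare(baseline, observed):
    """Sort what is on the host into approved / modified / unknown / missing."""
    report = InventoryReport()
    for path, digest in observed.items():
        expected = baseline.get(path)
        if expected is None:
            report.unknown.append(path)
        elif expected != digest:
            report.modified.append(path)
        else:
            report.approved.append(path)
    report.missing = sorted(p for p in baseline if p not in observed)
    return report


def demo():
    """Constructed scenario (hypothetical files in a temp dir): take a baseline, then
    let one binary be replaced and one unapproved binary appear before re-scanning."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")

    def put(name, data):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o755)
        return p

    sshd = put("sshd.exe", b"legitimate server binary")
    svchost = put("svchost.exe", b"legitimate service host")
    baseline = {
        sshd: sha256_of(sshd),
        svchost: sha256_of(svchost),
        os.path.join(root, "backup.exe"): "0" * 64,  # approved but never deployed
    }
    put("svchost.exe", b"legitimate service host plus an injected loader")
    put("updater.exe", b"nobody approved this one")
    return compare(baseline, inventory([root]))


if __name__ == "__main__":
    r = demo()
    for label in ("approved", "modified", "unknown", "missing"):
        print(label, getattr(r, label))
```

Take the baseline from vendor-published hashes or a clean build, never from the deployed image itself: a Trojan that is already baked into the gold image, as in the story later in this column, would otherwise be recorded as approved and the scan would stay silent about it.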

Key among those techniques is to actively monitor network traffic and investigate large amounts of data headed out to unknown destinations or between computers that should not be communicating. Hackers often copy data internally to a centralized computer before compressing and shipping it off to an external site. There are many tools, as well as data leak detection and prevention products, that can assist with these types of measurements and alerting.
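The monitoring rule above is concrete enough to code. The block below is an added example, not the column's own tooling or that of any product it mentions: it reads flow records (the fields a NetFlow-style export carries: time, source, destination, port, bytes) and flags the three things the column calls out, traffic between hosts that should not talk, large transfers to unknown external hosts, and an internal host that first collects from many peers and then ships the pile out. The address plan, the known-destination list, the 50 MiB threshold and the sample flows are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed address plan (hypothetical): workstations and servers on separate /16s.
WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")
SERVERS = ipaddress.ip_network("10.2.0.0/16")
# External destinations the business is known to use (hypothetical).
KNOWN_EXTERNAL = {"203.0.113.10"}
# Which internal role may open connections to which role.
ALLOWED_INTERNAL = {("workstation", "server"), ("server", "server")}
EXFIL_BYTES = 50 * 1024 * 1024  # outbound volume per (src, dst) pair that earns a look
STAGING_PEERS = 5               # distinct internal senders that make a host look like a staging point


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str
    dst: str
    dport: int
    nbytes: int  # bytes sent src -> dst


@dataclass(frozen=True)
class Alert:
    kind: str    # "lateral", "exfil" or "staging+exfil"
    src: str
    dst: str
    nbytes: int
    detail: str


def role(ip):
    addr = ipaddress.ip_address(ip)
    if addr in WORKSTATIONS:
        return "workstation"
    if addr in SERVERS:
        return "server"
    return "external"


def analyze(flows):
    """Aggregate per (src, dst) pair, then apply the three rules."""
    outbound = defaultdict(int)       # (src, dst) -> bytes to an external host
    lateral = defaultdict(int)        # (src, dst) -> bytes over a disallowed internal pair
    inbound_peers = defaultdict(set)  # internal dst -> internal srcs that sent to it
    for f in flows:
        rs, rd = role(f.src), role(f.dst)
        if rs == "external":
            continue  # inbound traffic is out of scope for these rules
        if rd == "external":
            outbound[(f.src, f.dst)] += f.nbytes
        else:
            inbound_peers[f.dst].add(f.src)
            if (rs, rd) not in ALLOWED_INTERNAL:
                lateral[(f.src, f.dst)] += f.nbytes
    alerts = []
    for (src, dst), total in sorted(lateral.items()):
        alerts.append(Alert("lateral", src, dst, total,
                            f"{role(src)} -> {role(dst)} is not an allowed pair"))
    for (src, dst), total in sorted(outbound.items()):
        if dst in KNOWN_EXTERNAL or total < EXFIL_BYTES:
            continue
        peers = len(inbound_peers[src])
        kind = "staging+exfil" if peers >= STAGING_PEERS else "exfil"
        alerts.append(Alert(kind, src, dst, total,
                            f"{total >> 20} MiB to unknown host; {peers} internal senders fed this host"))
    return alerts


def sample_flows():
    """Constructed flow records (not real data): normal traffic plus a staging host
    that collects from six internal machines and ships the pile to an unknown address."""
    mib = 1024 * 1024
    flows = [
        Flow(1000, "10.1.0.5", "10.2.0.10", 445, 2 * mib),      # workstation -> file server, fine
        Flow(1010, "10.1.0.5", "203.0.113.10", 25, 1 * mib),    # mail to the known relay, fine
        Flow(1020, "10.1.0.7", "198.51.100.9", 443, 10 * mib),  # unknown host, but below threshold
        Flow(1100, "10.2.0.10", "10.1.0.99", 445, 30 * mib),    # file server pushing to a workstation
    ]
    for i in range(11, 16):                                     # five workstations copying to one peer
        flows.append(Flow(1200 + i, f"10.1.0.{i}", "10.1.0.99", 445, 4 * mib))
    flows.append(Flow(1300, "10.1.0.99", "198.51.100.7", 443, 40 * mib))
    flows.append(Flow(1400, "10.1.0.99", "198.51.100.7", 443, 25 * mib))
    return flows


if __name__ == "__main__":
    for a in analyze(sample_flows()):
        print(a.kind, a.src, "->", a.dst, a.nbytes >> 20, "MiB:", a.detail)
```

The byte threshold alone misses the slow, changed-files-only exfiltration the column describes in large companies; the lateral-pair rule and the staging count are there precisely because those leave a trail inside the network before anything large leaves it.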

As always, I'm a big fan of honeypot computers, which simply sit there not doing anything, waiting to alert you when someone attempts to log on. Hackers may be good, but I've yet to meet one that could hack without at least attempting to log on.
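As an added example of the honeypot idea (not the column's code, nor any product's), here is a minimal decoy service in Python: it answers like a mail server, captures whatever the connecting party sends, and returns an alert record for every connection, since nothing legitimate should ever reach it. The banner hostname and the `demo()` session are constructed; the credential check only adds colour to the alert, because the alert condition is simply that anyone connected at all.

```python
import logging
import socket
from datetime import datetime, timezone

# A banner that makes the port look like a real mail server (hypothetical hostname).
BANNER = b"220 mail.corp.example ESMTP ready\r\n"
CREDENTIAL_MARKERS = ("AUTH ", "USER ", "PASS ", "LOGIN")


def looks_like_logon(captured):
    """True when the captured bytes contain something a logon attempt would send."""
    text = captured.decode("latin-1").upper()
    return any(marker in text for marker in CREDENTIAL_MARKERS)


def handle_client(conn, peer, max_bytes=512, timeout=5.0):
    """Keep one connection talking just long enough to record what it tried.
    Every connection is an alert: no legitimate user has any reason to be here."""
    conn.settimeout(timeout)
    captured = b""
    try:
        conn.sendall(BANNER)
        while len(captured) < max_bytes:
            chunk = conn.recv(max_bytes - len(captured))
            if not chunk:
                break
            captured += chunk
    except (socket.timeout, OSError):
        pass  # a scanner that hangs up or goes quiet is still worth the alert
    first_line = captured.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "peer": peer[0],
        "port": peer[1],
        "first_line": first_line,
        "credential_attempt": looks_like_logon(captured),
        "bytes": len(captured),
    }


def serve(bind="0.0.0.0", port=2525):
    """Listen forever and log one warning per connection. Run this on a host nobody uses."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            with conn:
                alert = handle_client(conn, addr)
            logging.warning("honeypot hit: %s", alert)


def demo():
    """Constructed intruder session over a socketpair, so it runs without a network."""
    server_side, intruder = socket.socketpair()
    with server_side, intruder:
        intruder.sendall(b"EHLO scanner\r\nAUTH LOGIN YWRtaW4=\r\n")
        intruder.shutdown(socket.SHUT_WR)
        return handle_client(server_side, ("10.1.0.42", 51234))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())  # call serve() instead on the decoy machine
```

Forward the warning to whatever already pages the on-call person; a honeypot that logs to a file nobody reads is just another compromised host.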

Some companies insert "red herring" data elements around their network that can help in alerting them to data that has been leaked to the outside. Sometimes it's as simple as creating a few fake email addresses that are never used legitimately. Other red herring schemes go so far as to make entire fake records, fake projects, and even fake companies.

One enterprise I consulted for sold fish for a living. Their internal databases contained a fully documented, non-existent buyer. The fake company was given an unused phone number (registered to the parent company, in the parent company's name) and a mailing address that belonged to an accounting subsidiary. But none of this information existed outside of the company's internal databases.

One day out of the blue, the sham company received emails and phone calls from a competitor. During the ensuing investigation, they found a sophisticated, custom-written Trojan program that had been installed on their main database server. The program had been around for so long that the IT folks had accidentally made it part of their "gold image" for creating database servers. Now they have strong change control and a list of every program running on every server and workstation.
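The fake-email-address trick and the fake-buyer story above come down to the same mechanism, so one added example (not the column's code) covers both: keep a registry of canary values, one set per copy of the data so that a hit also tells you which copy leaked, and scan inbound mail, phone-system and proxy logs for them. The canary values, dataset names and sample log lines are constructed for the example; the `verify_unused` check is there because a canary that collides with a live address would fire on legitimate traffic.

```python
import re

# Constructed log lines (not real): a mail gateway, a PBX and a web proxy.
SAMPLE_LOG = [
    "Mar 3 09:12:01 mx1 postfix/smtpd[2211]: connect from mail.rival-fish.example[198.51.100.20]",
    "Mar 3 09:12:02 mx1 postfix/smtpd[2211]: to=<T.Halvorsen@Northcape-Seafood.example> from=<sales@rival-fish.example>",
    "Mar 3 10:40:17 pbx1 inbound call from 198.51.100.20, caller dialed +1 (555) 0142",
    "Mar 4 14:03:55 proxy1 POST to paste.example[198.51.100.30] from 10.1.0.99, body contains 'CUST-88031,Fjordline Trading'",
    "Mar 4 14:05:00 mx1 postfix/smtpd[2300]: to=<accounts@corp.example> from=<vendor@supplier.example> status=sent",
]


def build_registry():
    """Canary values seeded into each copy of the data (hypothetical values).
    Each dataset gets its own fake buyer, so a hit names the copy that leaked."""
    return {
        "t.halvorsen@northcape-seafood.example": ("crm-export", "email"),
        "+1-555-0142": ("crm-export", "phone"),
        "orders@fjordline-trading.example": ("erp-backup", "email"),
        "CUST-88031": ("erp-backup", "customer_id"),
    }


def _digits(s):
    return re.sub(r"\D", "", s)


def verify_unused(registry, real_values):
    """Refuse a registry whose canaries are also real, in-use values."""
    real = {v.lower() for v in real_values}
    clashes = [t for t in registry if t.lower() in real]
    if clashes:
        raise ValueError(f"canary values already in use: {clashes}")


def scan(lines, registry):
    """Return one hit per (line, canary) match. Phone numbers are compared on
    digits only, so '(555) 0142' still matches '+1-555-0142'; text tokens are
    matched case-insensitively."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        low = line.lower()
        line_digits = _digits(line)
        for token, (dataset, kind) in registry.items():
            if kind == "phone":
                matched = _digits(token) in line_digits
            else:
                matched = token.lower() in low
            if matched:
                hits.append({"line": lineno, "dataset": dataset, "kind": kind, "token": token})
    return hits


def leaked_datasets(hits):
    """The copies of the data that must now be presumed to be in someone else's hands."""
    return sorted({h["dataset"] for h in hits})


if __name__ == "__main__":
    reg = build_registry()
    verify_unused(reg, ["accounts@corp.example"])
    for h in scan(SAMPLE_LOG, reg):
        print(f"line {h['line']}: {h['kind']} canary from {h['dataset']} seen ({h['token']})")
    print("leaked:", leaked_datasets(scan(SAMPLE_LOG, reg)))
```

The digit-only phone match is deliberately loose and can false-positive on lines that happen to run two unrelated numbers together; in practice, restrict it to the fields of the PBX log that carry the dialled number. Once a canary fires, the investigation the column describes (where the data lives, who and what can read it) starts from the dataset name, not from the whole company.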

Even if you're not really hacked, you should act as if you were and decide what you would do differently in your company to stop the hackers. Really, that's what we all should be doing every day anyway.

Source: http://www.infoworld.com/d/security-central/security-rule-no-1-assume-youre-hacked-005?page=0,0 (accessed 11 August 2010)