In today’s multi-channel and multi-device environment, with companies trying to keep up with technology and the possibilities of the web, with employees and consumers permanently online and great amounts of data stored in the cloud, those trying to provide internet security and those trying to breach it are locked in a race.

The Trustwave 2013 Global Security Report not only found that online retailers are especially at risk, but also that mobile malware exploded by about 400% in 2012 and that outsourcing increases risk. The report also states that businesses are much too slow to self-detect intrusions, and that software developers react too slowly, with almost three years from initial vulnerability to patch. Although spam volumes sank in 2012, research by Trustwave showed that 10% of spam messages were malicious. Strikingly, the report shows that one of the most frequent issues is password control, and that 50% of all passwords are insufficiently secure.


Asian eMarketing met Trustwave’s Marc Bown in an exclusive interview. Marc first got interested in internet security when his computer was compromised while he was a student at university. Marc is responsible for the Spiderlabs division in Asia Pacific, and he elaborates that “Spiderlabs’ advanced technical security delivers professional services around penetration testing and application security. We provide incident response and forensics services and security research. The security research theme is actually very unique, ensuring that all products and technology are kept up to date.”

So what is ethical about hacking?

“Ethical hacking is security testing, also called a penetration test. You engage someone to actively try to break into your systems. It’s better to have someone working on your side to break in and tell you how they did it than someone who’s not working for you to break in. Ethical hacking will use exactly the same techniques as someone with malicious intent.”

What skills should an ethical hacker have?

“First of all they need to be ethical and trustworthy, otherwise gaining access by breaking into systems could be tempting for someone without the right moral structure. But they mainly need technological skills, having to understand computers at the very basic level, and understanding the system in question. Every time you do a penetration test you see something new, a technology you’ve never worked with before. As a hacker you have to entirely understand it, and understand how the person who wrote the system put it together, and figure out what they might not have thought of. It’s about understanding the controls the person who wrote the system put in, and finding ways to get around those controls. You’re always learning something new.”

Is securing the client side a challenge?

“Hacks are becoming increasingly client focused; the client side is the softer target, and in most cases clients have access to sensitive data and intruders will take advantage of that. It is a big challenge to secure the client side. What makes it challenging is things like mobile workers with laptops who are not within the corporate secure environment. We’re catching up, but it’s a slow and tricky process. Attackers tend to be quite agile. It’s also a numbers game for the attackers: you are as strong as the weakest link. It’s relatively simple to secure a limited number of servers, but you have a whole lot more clients. Even a 1% non-compliant rate on the client side could lead to a security compromise. Most attackers are using malware to compromise the client side, by targeting e.g. browser based bugs which allow the installation of malware. Trustwave has a technology called SWG which is specifically designed to capture attackers targeting browser based bugs. It monitors all requests coming out of a computer, and by looking at the response that comes back, it determines whether the response includes malicious code or not. It’s a very unique technology.”

Are high traffic sites more vulnerable?

“On the one hand attackers are motivated to target high traffic sites, but most of the attacks we see are where the victim is being compromised only because they suffer from a specific vulnerability the attacker understood very well. Attackers scan the entire internet for that vulnerability. They usually just run a tool for that and it doesn’t cost them anything, so they don’t care about the traffic the site gets. So even low traffic sites will be compromised, as it doesn’t cost extra. A high percentage of attacks is automated and based on vulnerability. So the security issue here is making sure you’re not susceptible to common vulnerabilities for which security patches are available. You need to also follow basic information security good practices. Most are fairly mundane, fairly simple, e.g. making sure your systems have good password controls. Passwords may be the most boring topic in the world but it’s also the most important. For attractive sites with high traffic, it is important to subject them to the kinds of tests the internet will subject them to, with ethical hacking and penetration testing. As soon as it is online, there will be all those tools running across it, so test it first, before going online.”
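The “good password controls” Marc keeps returning to (here, in the cloud answer and in the closing advice) are concrete enough to show in code. The following is an added illustration written for this article, not Trustwave or Spiderlabs code, of the three basic controls a practitioner would put behind a login: rejecting weak or common passwords at registration, storing only salted PBKDF2 hashes, and locking an account after repeated failures so that automated guessing tools stop paying off. The common-password list and the 12-character minimum are constructed sample values; a real deployment would load a large breached-password list and set the policy to its own needs.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of frequently guessed passwords (assumption: a real
# deployment loads a much larger breached-password list into this set).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "admin123", "p@ssw0rd", "changeme", "abc123",
}

MIN_LENGTH = 12            # policy value chosen for this example
MAX_FAILED_ATTEMPTS = 5    # lockout threshold chosen for this example
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Strip trailing digits/symbols so "Password1!" is still caught as "password".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) < 5:
        problems.append("too few distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Minimal credential store: policy check, salted hashes and a lockout counter."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}  # username -> {"salt", "hash", "failures"}

    def register(self, username: str, password: str) -> List[str]:
        """Store the credential if it passes policy; return the violations otherwise."""
        problems = check_password_policy(password, username)
        if problems:
            return problems
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "failures": 0}
        return []

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            return False  # locked out; a reset flow (not shown) would clear this
        _, digest = hash_password(password, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            record["failures"] = 0
            return True
        record["failures"] += 1
        return False

    def is_locked(self, username: str) -> bool:
        record = self._users.get(username)
        return record is not None and record["failures"] >= MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    store = PasswordStore()
    print("register bob/Password1! ->", store.register("bob", "Password1!"))
    print("register alice ->", store.register("alice", "correct-horse-battery"))
    for attempt in ["wrong"] * MAX_FAILED_ATTEMPTS + ["correct-horse-battery"]:
        print(attempt, "->", store.authenticate("alice", attempt))
    print("alice locked:", store.is_locked("alice"))
```

The lockout counter is what turns an internet-wide scanning tool from “free” into expensive: after five misses the correct password is refused too, so the account has to go through a reset flow rather than keep absorbing guesses. The constant-time comparison and the dummy hash for unknown users are cheap additions that close the two usual side channels of a login endpoint.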

How does Cloud Computing affect Security?

“This is something we’re talking about a lot at the moment. There are a lot of good reasons why people are starting to use cloud services, although there is some initial risk involved. You’re handing over control of some important assets of your company, company data or personal data. Again password controls are an important issue. Even if you have great password controls, your cloud provider may have terrible password controls, so make sure you have good contracts in place to ensure that the third party you are trusting has the necessary controls in place. It is also good to check if the provider has actually done everything they promised to do. The impact of cloud based compromises tends to be higher than traditional compromises. A compromise of one site may thus lead to a compromise of many sites without a lot of extra work by the attacker.”

Can Spiderlabs track the attacker?

“We certainly try. Especially in cloud based environments it’s not always possible to find out how a compromise happens. If the contractual controls aren’t right, the customer who suffered the compromise may not have any rights to perform an investigation. We then can’t do forensics because we can’t get access to the environment. But Spiderlabs offers forensic services. We also help customers recover from security breaches, understanding the processes involved and getting back online after the attack.”

How do you stay up to date on the latest security issues?

“We actually get most news via Twitter; following people on Twitter is a great way of staying up to date. You also need to monitor security events and conferences around the world, e.g. the Hack In The Box conference in Kuala Lumpur. We have a research division, whose job it is to keep us up to date.”

One last piece of advice for our readers

“We all tend to be very focused on the latest and greatest, and get distracted and forget about security fundamentals. Attackers often use a ten year old bug, which is very well understood, and there are lots of tools for free. Every single one of our forensic investigation cases regarding payment card compromises in Asia Pacific last year happened because of a bad password. It’s the most fundamental security control we have. So keep an eye on what’s new, but focus on the fundamentals.”

By Mohamad EL Hallak