The increasing reality is that some of the most dangerous hackers don’t have to get through your firewall because they’re already inside your organisation, biding their time before they unleash their pent-up fury. But what can you do about it?
When news of a persistent and deeply penetrating attack against government agencies makes headlines, speculation often prompts widespread panic. A case in point is the public response to the recently revealed activities of Operation Shady RAT (Remote Access Trojan). Primed by the summer’s latest conspiracy thriller, alarmed audiences consider governments and their allies to be the main target.
As they ponder the implications of compromised, top-secret diplomatic correspondence and military secrets they concede: well, better them than me. But the Shady RAT hackers seemed equally interested in stealing intellectual property and customer data from businesses as well, which means the problem extends into the private sector too.
Firewalls, antivirus software and intrusion detection tools may work to keep out stealthy attackers, but what is to be done about rogue insiders? The reality is that the bad guys are already in—working from the inside of your organisation.
Dmitri Alperovitch—McAfee Vice President, Threat Research and author of the report on Operation Shady RAT—divides all Global 2000 companies into two camps: Those who have been compromised and know it, and those who simply don’t know it yet.
Knowing that it is no longer a question of if your company will become a target but when, let’s take a moment to evaluate the current security landscape. You may very well have everything in place to keep bad guys out. But what’s to be done about those bad guys working from within? Not worried? According to Gartner, you should be. A recent Gartner survey found that insiders typically cause far more damage because they know where to find sensitive corporate, personal, financial-account and other information.
All Data is Valuable
Some might wonder why hackers would set their sights on stealing their companies’ relatively humble data. It’s not rocket science, right? Of course, everyone understands the intrinsic value of some information, such as the highly regulated customer account data most organisations already protect with strong authentication and encryption.
But those responsible for Operation Shady RAT, whoever they were, drew very different information into their net – and much more of it – than strings of credit card numbers. And they’re not the only ones.
Organised crime hijacked hacking from those comparatively benign groups of exploit-vying coders a long time ago. Now less overtly criminal organisations and self-interested nation states are also realising the value of data theft. Targeting information opportunistically, they search for anything that is cheaper to steal than it is to buy or develop on their own.
In other words, what one company pays its employees to do—develop a new drug, program a new application, design a car battery—another company pays a hacker far less to steal. And those hackers may already be inside your company—ostensibly working for you. Though their motivations may differ, financial or sometimes moral, the outcome is the same. Valuable data is compromised.
All Data is at Risk
As was the case with Operation Shady RAT, hackers collect data from the inside, infiltrating systems by sending a phishing email with a link that installs malware on an internal machine. At that point, the protection of firewalls and perimeter-based devices evaporates. Thus IT security professionals must operate under the assumption that there is not just a possibility but a good probability that an unauthorised user will access critical company data and—if the data is in plaintext—exploit it.
Step #1 to Protecting Your Organisation: Encrypt Everything
The natural first step, then, is to encrypt the data—yes, all of it. As most companies already encrypt the data they consider most critical, they simply need to expand the protective umbrella, so that their encryption assets cover all data wherever it moves or resides. For instance:
- Symmetric keys should be leveraged to encrypt stored data on all systems, including server and end-user platforms and remote storage devices.
- Digital certificates, asymmetric and SSH encryption keys should be used to encrypt all data flowing between users and applications as well as that data moving between applications. In the last few years, the latter type of communication has become increasingly important as cloud computing has turned up the volume on server-to-server transmissions, authentication and processing.
- Given their clear benefits, cloud services have attracted significant attention—from both security professionals and criminal organisations—as more valuable data moves in this direction. IT security professionals must not neglect resources that reside in a public cloud, which require the security of encryption as much as or even more than internal systems do.
Step #2 to Protecting Your Organisation: Manage Those Encryption Assets
Too many make the mistake of relying on encryption alone to protect them, and fail to protect the keys. Encryption stymies cracking efforts. Yet people crack encryption algorithms at security conferences on a regular basis to earn the accolades of their peers; what was once sacrosanct is yesterday’s hacker’s lunch (think RSA SecurID tokens). Much more rarely do they attempt to do so in the real world, where exposure is the objective.
When data is protected by securing it with an encryption key, the key becomes the data. Thus it is now the key that must be protected. If the key is not well managed, the risk of data loss or theft increases significantly.
Take an analogy from the physical world. Increasing the size of the lock on your door or business may make you feel more secure. But the reality is that if the key—no matter its size or strength—is left on the transom, under the mat, or distributed willy-nilly out in the open, it doesn’t matter how large or strong the lock is. The data can be easily accessed.
In fact, Shady RAT’s malware had no sooner installed itself than it went in search of encryption keys, which it found, no doubt, in the myriad locations where people routinely leave them exposed.
As is almost always the case, the individuals or admins who install the encryption to protect the data typically have unfettered access to the keys. This means that the keys and certificates can be copied, used maliciously, or given to a third party to do so. The keys that protect the data are often accessible to multiple administrators with no audit or access controls, no separation of duties, and are often distributed widely and insecurely within organisations.
However, most organisations do not implement best practices—as Venafi, industry-leader in Enterprise Key and Certificate Management (EKCM), and Echelon One, IT security research firm, discovered in a recent assessment of more than 420 companies. Instead, an FTP password takes the hacker to a site where admins have posted several server private keys.
A keystore password opens every keystore on every system, unearthing a treasure trove of encryption keys. An SSH key tunnels a hacker into the root of several remote systems, including ones with access to still more systems—and the SSH key never changes. The hacker can use it five years later with the same success and the same ability to collect more keys.
In other words, a single compromised system might provide nearly unlimited access to the company’s data.
To limit access and ensure the security of sensitive data and critical company information, organisations must take the initiative to implement the following best practices.
- Minimise encryption keys’ exposure to admins at all points in their lifetime, from enrolment (in the case of a certificate’s private key) to deployment, and even on to ongoing management.
- Implement strict controls that provide audit trails for access to encryption keys.
- Use different passwords to secure different keystores, and rotate those passwords.
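The key-management failures described above (private keys posted in the open, keystores readable by anyone, SSH keys that never change) are the kind of thing a periodic audit should surface before an intruder does. The script below is an added illustration, not code from Venafi, Echelon One or the Shady RAT report: it walks a directory tree and flags private keys that are stored without a passphrase, are readable by group or others, or are older than an assumed 365-day rotation window. The sample files it creates are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile
import time

ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")
MAX_KEY_AGE_DAYS = 365  # assumed rotation window; the article's SSH key sat unchanged for five years


def audit_keys(root, now=None):
    """Walk root and return sorted (path, issue) findings for private keys that are
    stored unencrypted, readable by group/others, or older than the rotation window."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    head = fh.read(4096)  # PEM headers sit at the top of the file
            except OSError:
                continue
            if "-----BEGIN" not in head or "PRIVATE KEY-----" not in head:
                continue  # not a PEM/OpenSSH private key
            st = os.stat(path)
            if not any(m in head for m in ENCRYPTED_MARKERS):
                findings.append((path, "unencrypted private key"))
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, "readable by group or others"))
            if (now - st.st_mtime) / 86400 > MAX_KEY_AGE_DAYS:
                findings.append((path, "older than rotation window"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (placeholder contents, not real keys) and return the issues found."""
    root = tempfile.mkdtemp()
    exposed = os.path.join(root, "backup", "server.key")
    os.makedirs(os.path.dirname(exposed))
    with open(exposed, "w") as fh:  # unencrypted, world-readable, five years old
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(exposed, 0o644)
    old = time.time() - 5 * 365 * 86400
    os.utime(exposed, (old, old))
    safe = os.path.join(root, "good.key")
    with open(safe, "w") as fh:  # passphrase-protected, owner-only, fresh
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(safe, 0o600)
    return [issue for _, issue in audit_keys(root)]
```

Running `demo()` reports three findings for the exposed backup key and none for the properly protected one; pointing `audit_keys` at real key directories and feeding the findings into an audit trail is the obvious next step.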
All Data Can be Protected
Digital information has transformed into one of the most crucial business assets an organisation owns. As a result, protecting critical information and its availability is now a strategic business imperative. Encryption is the most pervasive technology employed today for protecting data.
In fact, while encryption was once used almost exclusively to protect information using SSL certificates and symmetric and asymmetric keys to scramble data, now it is also used in authentication mechanisms to confirm the identity of a user or a device, and for digital signing to ensure the integrity, authenticity and non-repudiation of data.
The ever-growing use of encryption is creating new challenges to manage increased complexity. Companies can’t force morals on greedy competitors who see hacking as an alternative to development. Nor can they afford to give those invention and intellectual property parasites free access to their work.
They can only make their data less interesting to the unscrupulous by locking the data with encryption and securing the encryption with proper key and certificate management. Attacks like Operation Shady RAT present the most convincing argument for why you need to encrypt data and manage keys—invest in taking precautions or give the world access to your million-dollar-baby for free.