Advanced Hacking Attacks Authors Speak Part IV: Keatron Evans

Article by Peter_Suciu, published Dec 17, 2008

Chained Exploits: Advanced Hacking Attacks from Start to Finish co-author Keatron Evans tells how businesses can adapt to new threats.

Adapting to New Threats

We continue our interview with Chained Exploits: Advanced Hacking Attacks from Start to Finish co-author Keatron Evans.

Bright Hub: Why are some businesses so slow to adapt to new threats?

Keatron Evans: Part of this I answered in the first question: the patching situation. Some additional reasons include the inability to quickly replace legacy equipment, which runs legacy systems that haven't been or cannot be efficiently replaced. We know that Windows NT is vulnerable to many things; however, there are some companies who are in a position of having to run critical applications that only run on Windows NT, for example. The reasons for this are many, but oftentimes it's the fact that these legacy systems have to read, parse, or manipulate old legacy-based historical data. And quite frankly, the COST to mitigate or eliminate the threats inherent in these old systems and operating systems outranks the THREAT of someone exploiting these vulnerabilities. While we in security know the importance of adapting to new threats, we have to remember that there is a business side as well. With the economy not always being as solid as it has been in the past, threat mitigation is often put on the back burner. With all the media attention security has gotten over the last three years, it still falls in line behind functional innovation and user friendliness when it comes to priority. Most businesses need or want to get more things done faster, and with fewer people. This is a natural enemy of security. Also, it has to be pointed out that businesses so often depend on the vendors who sell them the products they use to run their businesses to aid in adapting to new threats. For example, if someone creates a new exploit that takes advantage of a flaw in a router vendor's operating system, then the business is somewhat limited as to how much it can do to adapt to this threat. Oftentimes the people in charge of adapting companies to new threats lack a basic understanding of the protocols and systems being exploited in these new threats. How can you physically secure all the doors to a building if you don't even know how the doors open and close? And with the same thought in mind, how can you mitigate a new exploit that takes advantage of a flaw in the Microsoft DCOM service if you don't even know how the service works or what it's used for? But referencing what I said to question number 1, this should improve as staff are being allowed to be slightly more focused, in general.

Advice for Biz Users

Bright Hub: What advice would you offer to a small or enterprise business that has multiple offices and a regular flow of data between offices?

Keatron Evans:

1. Make an honest determination as to how much of this data actually needs to be flowing between these offices.
2. Encrypt it.
3. Don't assume that just because it's an office-to-office communication, access control should be relaxed. A hacker gaining access to one office shouldn't automatically have access to other offices.
4. Address at the policy level what data should be flowing and how it should be flowing. This creates the opportunity for considerable involvement from upper management.

There are always the security 101 recommendations, such as: use site-to-site VPNs, invoke logging between sites, and lastly, make sure you persuade your carrier (the ISP or telco providing the connectivity) to provide some statement as to its security posture. If their statement is "we don't do security," then get it in writing.
