October 15, 2004

What's the ROI of this hack?

The more I speak to people the more I realise that there is an absurd and dangerous focus towards the "outside": security seems to be all about anti-virus and the "wily hacker". At the same time there are more and more signals that the baddies have upped the ante and that proper criminal organisations are moving into this line of business.

My reaction is almost invariably to explain that the moment you bring a criminal organisation into the fold the issue becomes, as for every business with an MBA at its service, one of Return On Investment.

Let us consider the usual preoccupations of the average company: Will our firewalls "hold"? Is our anti-virus protection up to scratch? Do we have a patching schedule in place? What are these questions focusing on? They are focusing on data flow from the Internet to the Intranet, on whether the average script kiddie will get in using a published exploit, and on whether the latest worm will spread using your systems (note: yes, it will if you are big enough and are an injection point, because your signatures are never going to be updated in time).

So let us think about how a criminal organisation goes about its business. For the sake of argument let us decide that we want to get rich very quickly and that selling medication to idiots via spam isn't fast enough. The best alternative is to hit a site which moves money. What are they? Well, a bank is a good start, an even better start is a mediator between banks (for example SWIFT, overnight settlement institutions, VISA processing services, etc.).

Alert readers at this point will jump up and mention that as of 2004 the best ROI must be had with DDoS attacks and I would tend to agree: the DDoS attacks against online betting shops during Euro 2004 were an excellent idea. A quick blackmail phone call and an even faster calculation by the accountants working out how much every minute of punters unable to reach the website cost meant that the criminal organisations probably raked in loads of money. The cost circulating in the underground for a network of DDoS drones is about $3,000 for a lot of 10,000. Make the call for $1M and the ROI is pretty decent.

But let us take the longer term view. DDoS works a few times but risks putting the victims out of business, and racketeering is a difficult art to master: if you strangle your victims then your ROI rapidly hits zero. So what is a better alternative? Surely it must be to get into a suitably large money-switching organisation and start siphoning money out. You cannot really play the blackmail card, as that would only work a few times; you need subtlety and elegance here.

So the plan is simple: get yourself an insider. Why? Obviously because the focus is so strongly on the threats from the Internet that most organisations don't even know what their internal traffic looks like. Start by looking at job advertisements and have one of your people win a position. No need to be in the IT department as long as they have a PC on their desk. At which point you start "working the inside", that nice soft shell of missing ACLs, missing IDS, mainframes controlled via plain telnet sessions, etc., which characterises most sites, sufficiently starved of IT resources that they can barely watch the perimeter.

Now that we have our trojan horse we can slowly map the network; no need to rush here, remember that we are in for the long haul. The possible targets can then be reported to the controller outside the organisation, who has all the time in the world to analyse them and decide the next moves. Notice how the classic steps of a hack are still there: we are doing reconnaissance and scanning, but internally. What should the reconnaissance focus on? The mainframe, of course. Have that and you have everything.

This is where it gets even more irritating. Why? Because most mainframe vendors insist that, since very few people know their systems, they are secure from the occasional hack. Perhaps from the occasional hack, indeed, but remember that we now have criminal organisations coming into play. They have the resources to send their people off on training courses, perhaps purchase a second-hand entry-level mainframe for target practice, etc. etc.

Clearly the financial outlay for the criminal organisation is substantial, well above the $3,000 forked out for the DDoS drones, but the ROI is far more interesting. A few ideas? Clone credit cards by watching the transactions fly past, access the bank accounts of large corporations and move funds by taking the details from their SWIFT transactions, or play the age-old trick of "take a penny from every account".

Perhaps it is time that so-called "risk analysis" on the external perimeter started to include an ROI calculation for the hacks which would be possible via that route and then followed by an ROI calculation for the cost of an insider job like the one described above.
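To make the comparison concrete, here is an attacker-side ROI model for the two campaigns sketched above: the quick DDoS extortion and the slow insider job. This is an added example, not code from the original post. Only two numbers come from the post (about $3,000 for a lot of 10,000 DDoS drones and the $1M demand); the success and "campaign burned" probabilities and every figure for the insider campaign are constructed assumptions chosen to show the shape of the calculation, not a claim about real criminal economics.

```python
"""Attacker-side ROI model: DDoS extortion versus an insider in a money switch.

Added example, not code from the original post. Only the $3,000 drone lot and
the $1M demand are the post's figures; everything else is a labelled assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str
    setup_cost: float         # one-off outlay before the first attempt
    cost_per_round: float     # cost of each attempt (new drone lot, insider's time)
    payout_per_round: float   # gross take if an attempt succeeds
    p_success: float          # probability an attempt pays out
    p_burned: float           # probability an attempt ends the campaign for good
                              # (victim folds or stops paying, insider is caught)


def expected_cost(c: Campaign, rounds: int) -> float:
    """Expected money spent over up to `rounds` attempts.

    Attempt k only happens if none of the previous k-1 attempts burned the
    campaign, i.e. with probability (1 - p_burned) ** (k - 1).
    """
    total = c.setup_cost
    survive = 1.0
    for _ in range(rounds):
        total += survive * c.cost_per_round
        survive *= 1.0 - c.p_burned
    return total


def expected_net(c: Campaign, rounds: int) -> float:
    """Expected net return (payouts minus all costs) over up to `rounds` attempts."""
    total = -c.setup_cost
    survive = 1.0
    for _ in range(rounds):
        total += survive * (c.p_success * c.payout_per_round - c.cost_per_round)
        survive *= 1.0 - c.p_burned
    return total


def roi(c: Campaign, rounds: int) -> float:
    """Return on investment as a ratio: expected net return over expected cost."""
    return expected_net(c, rounds) / expected_cost(c, rounds)


# Constructed campaigns. The DDoS price and demand are the post's figures; the
# probabilities and every INSIDER figure are assumptions for illustration only.
DDOS = Campaign(
    name="DDoS extortion",
    setup_cost=3_000.0,            # first lot of 10,000 drones (post's figure)
    cost_per_round=3_000.0,        # assumed: a fresh lot per victim as drones get cleaned
    payout_per_round=1_000_000.0,  # the $1M demand from the post
    p_success=0.3,                 # assumed: most victims refuse or call the police
    p_burned=0.5,                  # assumed: victim folds, moves or stops paying
)

INSIDER = Campaign(
    name="insider in a money switch",
    setup_cost=250_000.0,          # assumed: recruitment, training, second-hand mainframe
    cost_per_round=20_000.0,       # assumed: salary and controller time per month
    payout_per_round=200_000.0,    # assumed: monthly skim from transactions seen inside
    p_success=0.9,                 # assumed: once inside, each month usually pays
    p_burned=0.05,                 # assumed: low, because nobody watches internal traffic
)


def compare(rounds: int) -> dict:
    """Side-by-side figures for a given horizon, keyed by campaign name."""
    return {
        c.name: {
            "expected_cost": round(expected_cost(c, rounds)),
            "expected_net": round(expected_net(c, rounds)),
            "roi": round(roi(c, rounds), 2),
        }
        for c in (DDOS, INSIDER)
    }


if __name__ == "__main__":
    for horizon in (1, 12):
        print(f"horizon: {horizon} round(s)")
        for name, figures in compare(horizon).items():
            print(f"  {name:28s} {figures}")
```

Under these assumptions a one-round horizon makes the insider a loss and the DDoS a clean win, which is the "get rich very quickly" view; over twelve rounds the insider's low chance of being burned means it dominates in absolute expected take even though its ROI ratio stays lower. The figure a defender actually controls is the insider's `p_burned`, and that is precisely what internal monitoring changes.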

Suddenly HIDS and NIDS on the internal network would look a lot cheaper.

Posted by arrigo at October 15, 2004 03:54 PM