Opportunistic attacks, whereby an attacker finds a weakness that can be exploited, still account for the majority of cyber attacks, at 75% of all attacks, according to Verizon in its 2013 Data Breach Investigations Report. However, their growth is waning, as their results are uncertain to be successful for the attacker. Rather, criminals are turning their attention to targeted attacks that are specifically directed at particular organizations or individuals that are deemed to be of high value and hence likely to provide a higher reward. According to a recent report by the Ponemon Institute, 48% of respondents are seeing an increase or even a rapid increase in targeted attacks, whereas 67% say that there has been no rise in opportunistic attacks over the past 12 months.
Targeted attacks almost always start with detailed reconnaissance of the individual or organization being targeted. Criminals will spend time researching the online presence of their target, trawling through information and posts available online. Social networking sites provide rich pickings these days, and search engines and other sources offer information such as organizational structures so that individuals can be selected for further research.
However, there are many other aspects of an organization’s online presence over and above information regarding its personnel that can be gleaned from its online presence, including details related to its IT infrastructure and technology used, such as software applications and their versions.
Professional services firm KPMG recently undertook a survey of FTSE 350 organizations that it published in 2013 to ascertain what vulnerabilities such organizations were exposing through their online presence. It found that, while such organizations are increasingly aware of the dangers to which their online presence exposed them, many are not doing nearly enough to limit that exposure, thus increasing their likelihood of being the victim of a potentially very damaging security incident.
By examining the corporate websites of these organizations, KPMG discovered that 53% of websites were supported by potentially vulnerable web servers, owing to missing security patches or outdated software. It also found a large number of development servers on which new applications and services are being developed connected directly to the Internet, potentially exposing valuable internal data to hackers. Of particular concern is that some of the most often targeted and highly regulated industries—including telcos, aerospace and defense, utilities, financial services, and oil equipment and services—were among the worst offenders.
KPMG also found that FTSE 350 organizations are publishing unnecessary information by failing to check and remove metadata—so-called data about data—from their webpages and documents that they publish online. Such metadata can expose sensitive information related to network users that can be used to launch targeted attacks or that can point to internal network locations where files are stored. The researchers were able to obtain an average of 41 internal user names and 44 email addresses per company by examining the metadata traces left, as well as five sensitive internal file locations per company. Again, some of the worst offenders were highly regulated companies and those that are seen as valuable targets. For example, an average of 212 email addresses per company were found among those in the aerospace and defense sector.
Far too many organizations are clearly leaving their doors wide open. Technology controls are available to protect organizations from the dangers of hidden information, such as tools that strip the metadata from information before it is published. All Internet-facing servers should be regularly updated and patches installed as soon as possible after they are made available. Development, testing, and production environments should be separated, and only production servers should be accessible over the Internet. Permissions and privileges for accessing services on such servers should be severely restricted.
However, organizations should look beyond the use of technology alone. Where employees have access to particularly sensitive, even vital, corporate information, they should be made aware of the risks of posting too much information online, and trained to check that sensitive information is not contained within documents before they are published. CEOs and boards should also be encouraged to take a more active interest not only in the threats that they face, but also in the countermeasures that are available. KPMG recommends that they should actively question how robust their defenses are and how regularly they are tested. Security is too important to be seen merely as an IT issue. By engaging the board in security decisions and procedures, it is more likely to be seen as a vital element of the organization’s overall risk management program.