What Hackers Think of Your Defenses


tao

Billions of dollars are spent every year on cyber security products; and yet those products continually fail to protect businesses. Thousands of reports analyze breaches and provide reams of data on what happened; but still the picture worsens. A new study takes a different approach; instead of trying to prevent hacking based on what hacking has achieved, it asks real hackers, how do you do it?

The hackers in question are the legal pentesters attending last summer's DEFCON conference. Seventy were asked about what they do, how they do it, and why they do it -- and the responses are sobering. The resulting report, The Black Report by Nuix, is a fascinating read. It includes sections on the psycho-social origins of cybercrime and a view from law enforcement: but nothing is as valuable as the views from the hackers themselves. These views directly threaten many of the sacred cows of cyber security. They are worth considering: "The only difference between me and a terrorist is a piece of paper [a statement of work] making what I do legal. The attacks, the tools, the methodology; it's all the same."

What they do is surprisingly easy and frighteningly successful. Take sacred cow #1: it takes 250-300 days for the average organization to detect a breach, and the earlier it is detected, the less damage will be done. But there is less time than you think. Eighty-eight percent of the pentesters claim that it takes less than 12 hours to compromise a target; and 80% say it then takes less than another 12 hours to find and steal the data. Even though they are employed, and therefore expected, a third claim their presence is not detected by the security teams they attack. "Data breaches take an average of 250-300 days to detect -- if they're detected at all -- but most attackers tell us they can break in and steal the target data within 24 hours," said Chris Pogue, Nuix CISO and a co-author of the Nuix Black Report.

"Organizations need to get much better at detecting and remediating breaches using a combination of people and technology."

Sacred cow #2 could affect the cyber security skills gap. A recent ISACA survey shows that 70% of employers require a security certification before employing new staff. The people they are defending against, however, place little value in those certifications. "Over 75% did not believe technical certifications were an accurate indicator of ability," notes the report. While 4% of the pentesters hoard certifications like bitcoins with more than 10, 66% have three or fewer. Clearly, demonstrable ability is more important than paper qualifications -- aptitude testing rather than certificate counting might just close that skills gap.

Sacred cow #3 is that anti-virus and a firewall equate to security. Only 10% of the pentesters admitted to being troubled by firewalls, and a mere 2% by anti-virus. Nevertheless, modern endpoint security is the biggest problem for (that is, the best defense against) hackers, with 36% saying it is an effective countermeasure.

Conversely, this demonstrates that sacred cow #4 remains a sacred cow: "For security decision-makers," says the report, "this result clearly demonstrates the importance of defense in depth rather than relying on any single control. Any individual security control can be defeated by an attacker with enough time and motivation. However, when an organization uses a combination of controls along with security training, education, and processes, the failure of any single control does not automatically lead to data compromise."

It's worth adding, however, that nearly a quarter of the hackers boasted "that no security countermeasures could stop them and that a full compromise was only a matter of time."

When asked what companies should buy to improve their security posture, 37% suggested intrusion detection/prevention systems. Only 6% suggested perimeter defenses. When asked the opposite question (that is, the least effective spend), data hygiene/information governance at 42% is seen as less effective than perimeter defenses at 21%. Somewhat anomalously, penetration testing is seen as the second most effective spend at 25%, and simultaneously the least effective at 4%.

One of the biggest surprises of the survey is that while companies may go to the expense of a penetration test, they will not necessarily act upon the results. "Only 10% of respondents indicated that they saw full remediation of all identified vulnerabilities, and subsequent retesting," notes the report. Indeed, 5% of the respondents saw no remediation whatsoever from their clients -- they were just checking boxes. Seventy-five per cent indicated that there was some remediation, but usually focused on high and critical vulnerabilities.

"While 'fix the biggest problems' appears to be a logical approach to remediation, it misrepresents the true nature of vulnerabilities and provides a false sense of security for decision makers," warns the report. "If you only address specific vulnerabilities that you have chosen arbitrarily and devoid of context, it's the cybersecurity equivalent of taking an aspirin for a brain tumor; you are addressing a symptom as opposed to the root cause."

Of course, this failure to fully remediate may be a side-effect of compliance. Elsewhere in the survey, 30% of the pentesters felt they were employed for compliance purposes only: "We have to deal with security for compliance reasons, nothing more." This resonates with the suggestion that the companies that did zero remediation were 'just ticking boxes' -- it is the hidden danger within the growing number of penetration testing compliance requirements.

The real value of this survey is that it can make security decision makers question what security vendors tell them. The purpose of security software is first and foremost to be sold, and only then to do what it says on the box. By looking at how professional hackers work, security teams are in a better position to plug the gaps effectively rather than just buy the latest technicolor product.

Ref: <http://www.securityweek.com/what-hackers-think-your-defenses>

1 hour ago, adi said:

It's worth adding, however, that nearly a quarter of the hackers boasted "that no security countermeasures could stop them and that a full compromise was only a matter of time."

This is what I think of hackers.

This means that nearly a quarter of the hackers are boastful idiots who couldn't hack their way out of a wet paper bag full of holes.  I have never been hacked, never will be, and I will tell you why.  First you need access to the network, or at least to my computer.  Which means you have to have the IP address of my computer.  That IP has never ever been seen on the internet.  I laugh at those silly little web scripts that are added to web sites that say 'Your IP is....  Your ISP is....' because they haven't even been within a thousand miles of my true location.  

What some organizations call security is a joke, and the average 10-year-old could hack into their systems today, no real skill required, just grab a script off the internet. Most hackers today are script kiddies, pure and simple. There are so few true hackers that wannabes use programs like the Low Orbit Ion Cannon to execute DDoS attacks, because they lack the skills to do it themselves. That program was made famous in 2010 when 4chan used it to attack various groups. They didn't even write it; it was developed by Praetox Technologies to run stress tests and denial of service tests.

It doesn't take a hacker to use a script that takes advantage of a vulnerability that should have been patched but wasn't because the organization never took security seriously and never ran updates on their software systems. To call these people hackers is an affront to real hackers, yet in the media they are all lumped together. So let's be clear. If you write your own code and discover your own vulnerabilities, you are a hacker. If you take someone else's code and run it to gain access, then you are a script kiddie. Real hackers are a pleasure to talk to; talking to a script kiddie is like talking to a rock: it hasn't had an original thought in its entire existence.



One of the reasons I'm not afraid to stay with Windows XP is because I know real hackers (or even script kiddies) can pwn any version of Windows, no matter what it is. The sooner one realizes that newer versions of Windows are not "safe", the sooner they should stop whining to me about "upgrade". But by all means, interwebz, continue to try and talk me into "upgrade" advice, because I really enjoy ignoring it :)



I have one who could find your true location and crash your entire network overnight. Stray, stop acting like an internet tough guy, and I don't think you are one. I know some, and they have skills you only wish you had. The people that are real fun to talk to are people with high IQs. I know a lot of them, and you're obviously not one. I love intellectually sparring with my high-IQ friends. I hate reading posts about a guy in a forum that steals high-IQ individuals' lines and claims them for his own.



  • Administrator

Please avoid getting personal here. Not acceptable.

The script kiddies part is quite true though. Real hackers actually work and find ways to hack. What we see these days are script kiddies, which one can call hackers by action, not by expertise, using automated tools to hack things.
