While your eyes are on the data-centre, you're losing data from the desktops

One of the core products in our service catalogue is a fully managed, real-time threat detection service capable of detecting attacks as they happen within your business. Sounds pretty cool, right? Yes it is; it is actually very cool. Essentially, it’s like putting a guard dog on the network: if someone comes snooping, the dog barks, and if they keep on snooping, it bites, in the form of one of my security analysts defending your business against the attack in progress.

While this all sounds quite “government grade”, “science fiction” or “just for the big boys”, the reality is that the service is for everyone, from the smallest SME through to the global brand, and the reasons for this are simple.

Once upon a time, defending your business from a hacker or cyber-attack was quite easy. Everything was internal and you had a firewall between you and the scary internet. This approach meant that you could focus all your security efforts in one place, essentially between your data-centre, i.e. where all the data lives on the servers, and the internet, i.e. the single point of likely entry for bad guys wanting to steal your data.

Unfortunately, that isn’t how it works anymore, and in fact it hasn’t for quite some time.

For many years now the IT and Security industries have been throwing around the term “eroding boundaries” which, in short, describes the effect that consumerisation and the explosion of the internet over the last decade have had on traditional IT. Essentially, business now relies on the free flow of data between organisations and individuals through the internet, and the internet has become part of our individual lives in a social and business context. This erosion of the demarcation between internal and external data is where the game has changed. What has happened is that the actual barrier between your business data and the attackers on the internet is now the desktop/laptop or mobile device, the actual point at which data is consumed by the business users.

This marked change in the technology landscape has led to a marked change in the way cyber-attacks are perpetrated. Now, there is no point going after the data-centre, as over the years IT have become wise to that and have focussed the majority of their security budgets on ensuring that area is safe. However, with the exception of anti-virus, some content filtering and perhaps the odd personal firewall, the desktops are still largely unprotected and unmonitored. What compounds this problem is that business users can, will and do use the internet to perform their daily jobs. Whether it be checking a travel plan, booking a trip, purchasing a resource, checking a data-source or some other simple task, chances are the user will be making use of the internet and their humble web browser in order to perform their daily duties.

This is where the problem comes…

The problem in short is best known and described as “client side attacks”. This category of attacks is, as it sounds, focussed on the client side of the server/client relationship and takes advantage of a few basic truths:

1. When a user goes to a website and gets content, that site serves up whatever is in its cache to serve to that user.
2. The user makes an OUTBOUND request to that site to SOLICIT the data.
3. Most organisations allow HTTP/HTTPS (Web Traffic) to flow freely OUT of the business and come back IN freely as long as it was asked for as per points 1 & 2.
4. Client side software such as Java, Shockwave, Acrobat, Office, Internet Explorer etc. is unpatched and excluded from core patching programmes.
5. Users are not as security savvy as we would like and even if they are vigilant, around 30% of them can/will be tricked into clicking on something they shouldn’t if it’s compelling to do so.

Those five points pretty much guarantee success for an attacker.

Let me show you how:

Example 1:

An attacker manages to hack into and breach the security of a low level website that has financial information about the credit rating of businesses. Rather than deface the site or bring it down, they add some JavaScript to the header of the page that is invisible to anyone reading the page. The JavaScript runs a known unpatched exploit within Internet Explorer that allows the attacker to install software silently onto the victim’s computer. The attacker makes use of this to deploy a small Trojan horse program he wrote that is not detected by any anti-virus programs. This small Trojan horse program first establishes a connection back to a server on the internet over HTTPS, so it looks to the network and all security devices like the user is just accessing a normal secure website. The attacker then uses this connected session to remotely control the user’s desktop as if they were sat at the desk, and from there, they are able to scan the internal network for further areas of attack, and access any data the user could access.

Example 2:

An attacker creates a well-crafted email to a victim’s organisation through the use of intelligence gathered from LinkedIn and Facebook. The attacker explains in the email that the users have been selected, as “model employees trusted for their value and opinion”, to have a sneak preview of some new corporate branding options. Attached to the email is a PowerPoint file with some new colour schemes, logos etc. for the users to peruse. Once the users open the PowerPoint, in the background, making use of normal office functionality, PowerPoint executes a program that installs the small custom Trojan horse program onto the user’s desktop. The rest of this example is just like the first example.

Already I can hear the cries from the IT experts about “deep packet inspection”, “stateful firewalls” and “content-filtering”, but the reality of this attack is that it looks just like normal user traffic as far as any of those devices are concerned. As for Anti-Virus solutions, don’t get me started! Anti-Virus is historical by design. What I mean is that all an AV program can do is check what is running against a list of malicious programs it has (definitions) and see if it matches. More advanced solutions can also look for similar programs and block certain types of activity, but it’s a 99.99% likelihood that something new won’t get detected until it’s been discovered, sent to the “labs” and evaluated manually by a technician. AV is useful, don’t get me wrong, but it’s not reliable as a single point of control.

So what is the answer?

Well, there is no one answer that solves this one, as it takes many different controls all layered together, as well as education programmes and quite a large budget. What IS very useful for detecting and stopping breaches that occur as a result of this is “Threat Detection”. As I said at the start of this, if you have a guard dog on your network sniffing around, it will see that “the user has a secure connection open to that random internet server and that their desktop is running scanning traffic across the network”. At that point, although the client side has been compromised in an attack, you can respond immediately by closing the connections on the firewall, temporarily suspending that user’s access and disconnecting the desktop from the network, thus stopping the attack in its tracks.
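
The check described above, as an added example that is not part of the original post or of the service it describes: it flags a desktop only when the same host shows both a long-lived outbound HTTPS session and a fan-out of connections across the internal network. The flow-log format, the 10.0.0.0/8 internal range and all thresholds are assumptions chosen for illustration, and the sample data is constructed.

```python
import csv, io, ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal address space
LONG_SESSION_S = 3600   # assumed threshold for a long-lived outbound HTTPS session
SCAN_FANOUT = 20        # assumed: distinct internal targets that count as scanning
WINDOW_S = 300          # assumed: time window for counting those targets

def constructed_sample():
    """Constructed flow log (not real traffic): ts,src,dst,dport,duration_s."""
    rows = ["1000,10.1.5.23,203.0.113.50,443,5400",  # long HTTPS session, then sweep
            "1005,10.1.5.40,198.51.100.7,443,12",    # ordinary short browsing
            "1006,10.1.5.41,198.51.100.9,443,7200"]  # long session but no scanning
    rows += [f"{1100 + i},10.1.5.23,10.1.0.{i},445,0" for i in range(1, 31)]
    rows += [f"{1200 + i},10.1.5.40,10.1.0.10,445,3" for i in range(5)]
    return "ts,src,dst,dport,duration_s\n" + "\n".join(rows)

def detect(flow_csv):
    """Return desktops showing BOTH signals from the paragraph above."""
    long_https = defaultdict(set)      # src -> external peers of long 443 sessions
    internal_hits = defaultdict(list)  # src -> [(ts, dst, dport)] inside the LAN
    for r in csv.DictReader(io.StringIO(flow_csv)):
        if ipaddress.ip_address(r["src"]) not in INTERNAL:
            continue
        if ipaddress.ip_address(r["dst"]) in INTERNAL:
            internal_hits[r["src"]].append((int(r["ts"]), r["dst"], r["dport"]))
        elif r["dport"] == "443" and int(r["duration_s"]) >= LONG_SESSION_S:
            long_https[r["src"]].add(r["dst"])
    alerts = []
    for src, peers in long_https.items():
        hits, lo, fanout = sorted(internal_hits[src]), 0, 0
        for hi in range(len(hits)):    # sliding window over time-ordered flows
            while hits[hi][0] - hits[lo][0] > WINDOW_S:
                lo += 1
            fanout = max(fanout, len({h[1:] for h in hits[lo:hi + 1]}))
        if fanout >= SCAN_FANOUT:
            alerts.append({"host": src, "peers": sorted(peers), "fanout": fanout})
    return alerts

if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print("isolate and investigate:", alert)
```

Requiring both signals is what keeps the noise down: in the constructed data, the host with a long session but no internal fan-out and the host with ordinary file-server traffic are both left alone.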

Alternatively, you could just sit back, rely on all that money you spent protecting your data centre, and wait to read about your data breach in tomorrow’s papers. It’s your call.

If you would like to know more about Advanced Security Consulting’s Threat Detection Service, or its broader end to end Threat Management Solution, please get in contact with one of our sales team at consulting@justasc.net