When you can't outspend an attacker, what do you do?

Organisations cannot thwart every possible attack levelled against devices in their network, but they can still contain a threat before it causes serious damage.

When the US National Security Agency (NSA) -- or for that matter any nation’s spy agency -- has the resources to obliterate your defences, what are your choices? Roll over and quit? Hack them back? Or spend more on securing a porous perimeter?

Upstart vulnerability broker Zerodium last month awarded $1 million to an unnamed group who discovered a remote exploit in iOS 9.1 that it will likely sell to clients who want to use it. The company won't report the bug to Apple, which would fix it and thus ruin the asset.

That's not comforting for individuals and organisations, since there is no security product on the market that can reliably protect against those threats.

“There’s no way that security companies can somehow develop something that protects against everything because attackers have access to vulnerabilities that we don’t even know about,” Mark Schloesser, a security researcher for Rapid7, told CSO Australia.

“If you’re facing those actors, it’s game over.”

However that doesn’t mean, as Cisco stated in its 2014 annual security report, that every organisation should “assume they’ve been hacked”.

According to Schloesser, a better assumption is that you will eventually be compromised. The question then is what you do next.

Attacks are measured by impact to the victim, and impact is largely shaped by how long it takes to discover that a breach has occurred and what the attackers have done in that time. Catch it early and, no matter how sophisticated the attack was, the damage can be minimised. A study by security firm FireEye found the average time before a breach was detected in 2014 was 205 days, down by 24 days on the previous year.

So, in Schloesser’s view, attackers aren’t necessarily already inside, but they eventually will be, and when they are, regardless of whether it’s a criminal group or a spy agency, they’ll typically attempt to achieve similar goals.

“After being infected, and [sophisticated attackers] are in your organisation, some of the interaction and lateral movement they do is what normal cybercriminals will do. They will try to expand their access to maybe the more valuable systems and that is something that’s very hard to hide,” he said.

“They can try to hide and do it over months instead of in a short time frame, but after all they need to do network connections to these particular assets and that’s stuff that’s particularly hard to hide.”
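The detection idea Schloesser describes, that lateral movement has to open network connections to high-value assets and those connections are hard to hide, can be turned into a simple check. The following is an added example, not code from the article or from Rapid7: it learns which internal sources normally reach a set of high-value hosts from a baseline of connection records, then flags any source that reaches several high-value hosts it never touched before. Because it compares sets of destinations rather than rates, spreading the activity over months does not help the attacker. The record format, host addresses and the `HIGH_VALUE` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of internal connection records: (src, dst, dst_port, time).
# Not real data; the tuple format is an assumption made for this example.
BASELINE = [
    ("10.0.1.20", "10.0.5.10", 1433, "2015-11-01 09:00"),  # app server -> database, normal
    ("10.0.1.20", "10.0.5.10", 1433, "2015-11-02 09:05"),
    ("10.0.1.21", "10.0.5.11", 389,  "2015-11-01 09:10"),  # admin host -> AD controller
]
RECENT = [
    ("10.0.1.20", "10.0.5.10", 1433, "2015-11-10 09:00"),  # still normal
    ("10.0.2.55", "10.0.5.11", 389,  "2015-11-10 02:13"),  # workstation -> AD: never seen
    ("10.0.2.55", "10.0.5.10", 1433, "2015-11-10 02:14"),  # workstation -> database: never seen
    ("10.0.2.55", "10.0.5.12", 445,  "2015-11-10 02:15"),  # workstation -> file server: never seen
]
# Assumed list of the assets worth watching (database, AD controller, file server).
HIGH_VALUE = {"10.0.5.10", "10.0.5.11", "10.0.5.12"}


def learn_baseline(records):
    """Map each source host to the high-value hosts it has historically reached."""
    seen = defaultdict(set)
    for src, dst, _port, _ts in records:
        if dst in HIGH_VALUE:
            seen[src].add(dst)
    return seen


def find_lateral_movement(records, baseline, fanout=2):
    """Return {src: [new high-value hosts]} for sources that reached at least
    `fanout` high-value hosts absent from their baseline. A single new
    destination may be a legitimate change; several at once is the
    expansion pattern the quote describes."""
    new_dsts = defaultdict(set)
    for src, dst, _port, _ts in records:
        if dst in HIGH_VALUE and dst not in baseline.get(src, set()):
            new_dsts[src].add(dst)
    return {src: sorted(d) for src, d in new_dsts.items() if len(d) >= fanout}


if __name__ == "__main__":
    for src, dsts in find_lateral_movement(RECENT, learn_baseline(BASELINE)).items():
        print(f"ALERT {src} reached new high-value hosts: {dsts}")
```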

Antivirus and other protective systems are necessary, but he argues it’s impossible to engineer a defence system that will stop every threat.

“We’re not saying protection is useless but there are ways around it.”

Application whitelisting could provide an effective response when limited to high-value assets, such as a database system or an Active Directory controller. Whitelisting was ranked as a top-four mitigation strategy by Australia’s Department of Defence, but Schloesser said the industry has largely abandoned whitelisting because it’s too unwieldy across a large fleet of desktops.

Before long, however, PCs and servers will be just a few of the many “things” — such as thermostats, locks, vehicles, white goods, TVs and so on — in the home and enterprise that could be exploited by hackers.

Analyst firm Gartner forecasts there will be 4.9 billion connected things this year and 25 billion by 2020. While there will be more connected consumer devices, the firm predicts huge uptake in business and government too, particularly among utilities, due to the efficiencies offered by smart meters.

Schloesser has also been involved in an ongoing scan of the internet, probing for vulnerabilities in embedded devices. The project, which has run since 2013, searches for everything from remote administration tools for gas pumps and point of sale machines to remote video devices.

“Pretty much everything that we looked at as a device fell apart. We didn’t see an embedded device that’s been used in the wild that was completely configured in a good way and didn’t have vulnerabilities. All of it has remotely exploitable vulnerabilities and it’s just nobody has looked at it, or just the bad guys have.”

In a business context, the problem of securing these devices comes down to features, such as remote management, that offer no way to enforce security on them. One example is serial-port-enabled devices that typically connect to a modem.

Administrators who manage computing infrastructure for distributed offices or, say, petrol stations or point-of-sale systems often prefer to do the job remotely.


“So they put these serial servers on the switch or router and then can access it from home. But the default configuration for those devices is unauthenticated, unprotected, and a large proportion of people who use them don’t take the steps to secure it,” said Schloesser.

“We saw so many odd devices that were available on the public internet where there was no authentication because they expect that you are local with physical access. But by connecting to the serial port server it suddenly becomes accessible over the internet,” he added.

While these are not technically vulnerabilities in the product, manufacturers could require users to set a username and password before the device can be activated.

“Some people would turn it off because it’s a hassle but that would be so much less of a problem than what they have to do now, which is to actively make it secure,” he said.

Stories by Liam Tung