yARN: Big new threats make for great job security
- 24 November, 2011 11:54
Imagine the scene. MegaCorp’s supposedly impenetrable cyber defences have been breached and the crown jewels have appeared on PasteBin.
By “crown jewels”, we might mean all customer names, email addresses, account names and passwords, and credit card numbers (expiry dates and CVV codes are of course an optional extra).
Alternately, perhaps they didn’t appear on PasteBin, but instead a small random selection was sent anonymously to the Chairman of the Board, along with a request for a significant 'donation'. Let’s assume for the argument that the Chairman actually understands what he has been presented with.
This could only be described as an unmitigated disaster!
It doesn’t much matter which of these scenarios we take on (or even whether it was any of a dozen of other possibilities), either way the company has a problem.
Cut to the Chief Security Officer who at this point is quaking in his boots and desperately trying to figure out who to blame. He asks his team to drop everything and to try and figure out what happened – after-all he will have to tell the Chairman something in the next few minutes.
The team can find nothing. As far as they can see, there’s nothing unusual in the access logs, no excessive login failures nothing at all to identify how it happened.
The CSO can feel his well-paid job slipping away.
He starts to think about the attack – if his team can find no obvious means of intrusion, it must be pretty advanced, and with no evidence in the logs it must have been a slow persistent attack; and there you have it, clearly MegaCorp has been the victim of an Advanced Persistent Threat (APT). After-all, if that kind of attack has succeeded at Google and RSA, what chance does MegaCorp have?
His (career-saving) memo to the board will spell all this out, the so-called ‘hackers’ were experts – we had no chance against them. The cushy job continues.
The pity is of course that in this particular scenario, there was nothing special about the intrusion – all it took was a simple SQL injection against a database with all the information stored in plain text. It was neither ‘advanced’ nor ‘persistent;’ it was barely a ‘threat.’ And the minimal logging in place would never have detected it in the first place.
Yet again, incompetence is saved by technology and shrill media reportage. Which leaves us with just one threat – that those inept ‘experts’ who were the real cause of the hack still remain in charge of the crown jewels, unblackened by the mud of incompetence.