Who would have thought that to fight for the little guy you have to protect the corporate giants?
As these corporates digitize their services, their entire digital perimeter must be secured to stop hackers from breaching applications and databases and taking your data.
A big problem for defenders is that security controls are limited by available resources and budget. Choices have to be made about the priority of patching, hardening and other security controls.
Attackers, however, understand that any asset is worth controlling in order to obtain the information they want, regardless of whether the asset itself is sensitive or holds sensitive information.
Let’s take an example based on a real-world breach:
1. Use Shodan to find a brochureware / marketing site for the bank (the website) with a vulnerability.
2. Use the vulnerability to gain access to the webserver.
3. Use Maltego / theHarvester / recon-ng to compile a list of bank employees’ email addresses.
4. Create a new page on the brochureware site with pictures and bios of the employees on the list.
5. Send spoofed emails to the bank employees on the list asking them to visit the (trusted) website’s new page and approve their bio. The link is valid and points to the ‘trusted’ asset.
6. Wait for employees to visit the page and, when they do, exploit their browser and workstation to gain access to the bank’s internal network.
7. From the foothold on the internal network, discover and gain access to the bank’s core network that controls ATM machines.
In this case, a marketing website with no access to the bank’s network was leveraged by an attacker as a ‘trusted’ asset. It is not a phishing site, so it is not flagged as one. All the security focus was on the bank’s network perimeter. However, your perimeter is not simply your physical or logical network. Your true perimeter is defined by your network of trust.
To defend effectively, you must have no weak links. All your perimeter devices must be secure, regardless of what information they hold or what access they provide. Any trusted system that is compromised will undermine all your security assumptions.
As Sun Tzu says:
• You can be sure of succeeding in your attacks if you only attack places which are undefended.
• You can ensure the safety of your defence if you only hold positions that cannot be attacked.
With RedShield, we continually monitor your perimeter, looking for weaknesses and rapidly either remediating or mitigating them. Our system uniquely delivers web application security fixes previously considered possible only with software development, and also includes advanced management of the threat defenses required to stop bot and human attacks.
Our service is the choice of governments, banks, insurers, healthcare providers, retailers, manufacturers and utility companies alike. By adding a community of defense to your perimeter, we protect both corporations’ and citizens’ data as innovatively and relentlessly as the bad guys.