[BreachExchange] What most companies forget when fighting off cyberattacks
Destry Winant
destry at riskbasedsecurity.com
Tue Aug 21 00:38:23 EDT 2018
https://www.itproportal.com/features/what-most-companies-forget-when-fighting-off-cyberattacks/
Never underestimate the ingenuity and effort that burglars will put
into their work. If a team of committed criminals knows that there are
untold of riches lying in a bank vault, they won’t be put off by a
six-inch steel door, alarms and CCTV systems – they’ll find a way
through somehow. Even if it means drilling through several feet of
concrete over a Bank Holiday weekend.
There’s a lesson here for businesses, even if they don’t hold a hoard
of gold and precious gems on their premises. Cybercriminals are just
as skilled and determined as their colleagues in the offline world; if
they know that there’s valuable data to steal, they will use the most
devious and ingenious methods to steal it.
Organisations can spend millions of dollars protecting their networks
with best-of-breed security software and systems, but while these can
defeat most determined ‘head-on’ attacks, they also force hackers to
be more creative in the way that they probe their targets for
weaknesses that they can exploit.
This is an approach that has contributed to an unprecedented rise in
cybercrime, which cost businesses $388 billion in 2016. And as
businesses wise up to more traditional methods such as brute force
attacks, malware and social engineering, criminals are diversifying
their tactics.
The next battle in the ongoing war for security will be focused on
devices which, thanks to the Internet of Things, are proliferating at
an astonishing rate. But there’s one device that sits on almost every
(physical) desktop – one that we rarely think of as a security threat:
the humble telephone.
We tend not to think of telephony as a realistic attack vector for
hackers, and that’s largely because we forget that they aren’t the
analogue devices of our youth. An IP-based phone is a sophisticated
computing device in their own right; it has software and network
connectivity that can provide an easy way in for hackers who are
searching for the perfect vulnerability.
If this sounds alarmist, consider the research by F5 Networks into the
string of cyberattacks that hit organisations in Singapore in June
this year. The analysts found that almost 90 per cent of the malicious
traffic (which originated in Russia) was specifically targeted at VoIP
phones – coinciding with the Trump-Kim summit. By hacking into these
phones – the type typically found in hotels where high-status
delegates might be staying – the hackers would be able to eavesdrop on
some of the most sensitive conversations imaginable.
The average businesses deploying VoIP phones might shrug their
shoulders and wonder why the Cold War tactics of state-sponsored
hackers should concern them. The answer is that hackers cut their
teeth by targeting the most high-value people and organisations. Once
a technology or technique has been proven against ‘valuable’ victims –
such as diplomats or financial services firms – hackers can either
roll it out to other businesses, or sell the knowledge and tools they
have developed on the Dark Web.
So, while telephony isn’t yet a major attack vector for today’s
cybercriminals, it would be foolish to imagine that IP telephony
doesn’t represent a vulnerability that will be targeted and exploited
sooner rather than later.
Any business that conducts sensitive conversation over the phone needs
to protect inbound and outbound calls from snoopers who are just
waiting to steal anything of value – from trade secrets to customer
card numbers. The solution is surprisingly simple, and focuses on
removing the key vulnerability that hackers exploit – the connection
between a wireless headset and its base station.
These last few inches are easy to neglect, which is why they provide
such a tempting target for cybercriminals. If hackers can access this
connection, they can listen to every secret or piece of sensitive
information relayed over the phone.
That’s why organisations that are serious about security should choose
telephony hardware that features secure encryption, authentication and
secure pairing between device / headset and the base unit. This means
that a non-paired unit (such as one deployed by a hacker within a few
dozen feet of the office) can’t access the link and so eavesdrop on
the conversation.
Pairing between base station and device is nothing new, but the latest
standard is ‘physical assisted pairing’. This occurs when the headset
is docked in the base unit, when a secret link-key is created to
connect them. Similarly, authentication has been around for some time,
but security standards can vary enormously; that’s why
security-conscious organizations should look for headset / base unit.
authentication based on the most secure 128-bit level technology,
rather than the old standard of 64-bit.
Of course, security is only as good as the standard of encryption
itself. Many DECT headsets feature some form of authentication and
encryption, but often of a very limited standard. Basic encryption may
put off the casual attacker, but to be fully secure an organisation
needs the highest standard – ideally, military-grade technology such
as AES 256-bit encryption, which gives a line of defence that goes
beyond that of DECT Security Level C.
Unlike so many security technologies, secure telephony isn’t difficult
to find or to deploy. It requires little or no ongoing management –
all it needs is an awareness of the threat and a willingness to
upgrade to a secure solution when upgrading your telephony
infrastructure.
Of course, secure telephony won’t stop hackers testing other parts of
your cyber defences. It will, however, close an open door that’s an
invitation to the growing army of clever and determined hackers around
the world.
More information about the BreachExchange
mailing list