Ethical hacking expert highlights social engineering as potentially the most dangerous growing threat
Can anyone keep hackers out of business? You will probably have an answer of your own after reading the findings of this survey. But one thing is certain: hackers behave like the eyes of a crab. Press down one eye of that sea creature and you will find it lifting the other!
The recent launch of the 2011 Data Breach Investigations Report (DBIR) seems to confirm this analogy as it shows a shift in web hacking towards smaller targets, multipath attacks and social engineering in the view of Dave Shackleford, a highly respected ethical hacker, security expert and SANS Certified Instructor.
Vigilance learnt that the DBIR, an annual study conducted by the Verizon RISK Team with co-operation from the U.S. Secret Service and the Dutch High Tech Crime Unit, found that within its representative sample the number of records stolen had fallen from 361 million in 2008 to just 4 million in 2010.
“The numbers are a reflection of fewer massive breaches that were notable in previous years,” said Shackleford, who is also a technical director at GIAC. Instead he points to a rise in “smaller and more vulnerable organisations seen as easier targets” for hackers.
According to the survey findings, malware was involved in 49% of breaches and 79% of record thefts, with the most common infection pathway being installation or injection by a remote attacker. This covers scenarios where an attacker breaches a system and then deploys malware, or injects code via SQL injection or other web application input functionality.
These web attacks accounted for almost four-fifths of the malware infections in the 2010 caseload, up from around half in last year’s study. “The blended nature of many of the attacks is also evident,” comments Shackleford. “If you look at the raw data, you see many more attacks that had a social engineering element and the problem is growing.”
Although Shackleford believes that security professionals are better informed about dangers of social engineering, there still seems to be a lack of communication to end users. “The data suggests that more needs to be done to educate the users who unwittingly open the door to attackers and that requires better education,” he added.
As part of the upcoming SANS SECURITY 542: Web App Penetration Testing and Ethical Hacking course that Shackleford will teach in London this June, he stresses the need to understand how to use multiple attack techniques in concert. “Competent IT security professionals need to know the methods used by attackers to become good defenders,” he explains. “Increasingly that means a much wider remit than just, say, cross-site scripting and SQL injection – these are complemented by areas like reconnaissance and mapping, username harvesting and cookie exploitation, amongst others.”
Our Info Security Team gathered that the 6-day course has proved popular in the past and that this year’s event has had strong pre-registration. “The brand consequences of a breach, for example the recent PlayStation Network, have spooked organisations that have typically been reticent around ethical hacking and penetration testing,” explains Shackleford. “We are also seeing the rise of groups that are perpetrating attacks for ideological reasons that pick targets based on visibility and less on potential commercial gain. I personally think this ‘hacktivism’ will increase and that is a worrying trend.”