I almost feel like we need to just keep a running list of sites and companies that have been hacked on a weekly basis. In the past week we have had two fairly sizable compromises come to light.
Or, you can visit and donate to DatalossDB.
First up, mysql.com has been compromised. You'd think they would know better, right? I think it really shows that security is not about knowledge, but about practice. And I'm not talking about going out into the woods and kicking a tree, I mean you have a training schedule that is 6 days a week, and incorporates diet, cardio, internal, and external styles. But that is doing what we know is good for us. Diet and exercise do not sell well because they are free.
Second, Epsilon was compromised. Why do you care? Do you have an account with Best Buy, TiVo, Walgreens, Dell, JPMorgan or Chase? There is a good chance that your email address was compromised if you do.
I just want to do a quick run through of some of the data breaches over the past few months:
Google, Adobe, Dow Chemical, GE, HBGary, Gawker, mysql.com, RSA, Epsilon....
Folks, we need to stop looking at these as stories where we can simply say they should have known better. These are large organizations with security budgets and regular audits falling flat on their faces when confronted with a targeted attack.
These are not simple point events that we can use as cautionary tales whose punch line is consistently, "don't make that mistake." No, this is a trend. We have been talking about this on the show for the past few weeks now. These are not a simple series of compromises. This is proving to us all that:
- We are preparing our networks for the type of automated malware we saw five years ago. Why? Because the managers making the purchasing decisions today were cutting their teeth in the trenches five years ago.
- Traditional security technologies (e.g. AV, IDS, firewalls) have failure points.
- Our staffs are most likely not trained to deal with, or even recognize, the kind of threats we are facing.
- Most penetration testing does not model the attacks we are seeing in the wild.
- We have job security for a little while longer....
- Heavy drinking can help!
It is time to focus on trying to know your network and core applications. It is time to play a game. The steps are easy. Step one, put up a network map on your wall at work. Step two, get drunk. Not just slightly drunk, but Charlie Sheen "rush-me-to-the-hospital" drunk. This is an important step. Anything less than this and your tests may be biased. It all has to be very scientific. Step three, stop hitting on the intern. Step four, throw darts at your network map for about an hour or two. Step five, try to go to sleep for a while. At this point it is probably okay to resume hitting on the intern. The job of throwing darts at a network map is over and accuracy is not as critical. When you wake up, most likely dejected and alone, go back to the map. For every dart hole that landed on a server or network device in your network, ask yourself what you would do if it were compromised. Would your entire security support structure collapse? What is the normal path users and applications use to access or pass through the device or application? Do we baseline that traffic? Do we have any idea beyond a simple Nessus scan what is on that server or device?
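The "do we baseline that traffic?" question above is the one most shops cannot answer for a randomly chosen box. As an added example (not code from the original post or from PaulDotCom), here is the smallest version of that baseline: learn which sources normally talk to each (destination, port) pair from a known-good window of flow records, then classify later flows as known, a new source for a known service, or a service nobody has been seen using. It also answers the dart-on-the-map question of what a given host can reach if it is owned. The flow records, hosts and ports are constructed for the example; in practice you would feed it NetFlow or firewall logs over a long enough window to cover a full business cycle.

```python
"""Baseline who normally talks to a device, then flag deviations.

Added example, not code from the original post. The flow records below
are constructed (hypothetical hosts and ports); a real baseline would be
built from NetFlow/firewall logs over a window long enough to capture
normal weekly activity.
"""
from collections import defaultdict

# Constructed "known-good" flows: one "src_ip dst_ip dst_port" per line
BASELINE_FLOWS = """\
10.0.1.20 10.0.5.10 443
10.0.1.21 10.0.5.10 443
10.0.2.5 10.0.5.10 22
10.0.2.5 10.0.5.11 3306
10.0.5.10 10.0.5.11 3306
"""

# Constructed flows observed later; the last two are the kind of thing
# the "what if this box were compromised" exercise should surface
NEW_FLOWS = """\
10.0.1.22 10.0.5.10 443
10.0.5.10 10.0.5.11 3306
10.0.5.11 10.0.1.20 445
10.0.5.10 203.0.113.9 8443
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def build_baseline(flows):
    """Map each (dst, port) service to the set of sources seen using it."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[(dst, port)].add(src)
    return baseline


def check_flows(flows, baseline):
    """Classify each new flow against the baseline:
    - 'known'       : this src has used this (dst, port) before
    - 'new_source'  : the service is known, but this src never used it
    - 'new_service' : nobody has been seen talking to this (dst, port)
    A server showing up as the source of a 'new_service' flow is the
    finding to look at first."""
    findings = []
    for src, dst, port in flows:
        key = (dst, port)
        if key not in baseline:
            verdict = "new_service"
        elif src in baseline[key]:
            verdict = "known"
        else:
            verdict = "new_source"
        findings.append((src, dst, port, verdict))
    return findings


def blast_radius(baseline, host):
    """Every (dst, port) a host has been seen reaching: the dart-on-the-map
    question 'what can this box get to if it is owned?'."""
    return sorted(key for key, srcs in baseline.items() if host in srcs)


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for src, dst, port, verdict in check_flows(parse_flows(NEW_FLOWS), base):
        print("%-12s -> %-14s :%-5d %s" % (src, dst, port, verdict))
    print("reach from 10.0.5.10:", blast_radius(base, "10.0.5.10"))
```

Run as-is it flags the new client to the web server as a new source, treats the web-to-database flow as known, and flags both the database host opening SMB to a workstation and the web server reaching out to an external address on 8443 as services nobody has used before. The baseline is deliberately keyed on (destination, port) rather than per-source, because the question the post asks is about each device, not each user.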
It is time to get to know our networks. It is time to stop looking for a series of security products that are bulletproof.
Originally discussed during episode 237
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration Testers this April in Reston, VA, April 15-23.