Step One - Become an Insider
When I was boarding the train towards the office this morning, I saw a smartly dressed guy sitting in First Class, staring at his brand new Samsung ultra slick Q35 Red Core 2 Duo notebook, and checking his Facebook account. This guy, apparently a big corporate shot by the look of it, was on Facebook. Then it hit me!
I know that this will sound very funny but this was the first time I realized something I knew all along. Social Networks are bad, bad, bad! I've been talking about social networks for quite some time and I did mention how bad they could get but I had never realized their potential for maliciousness until today. I found an empty table where I could put my cup of coffee and started thinking about my sudden reality wake-up call.
The night before that I had a conversation with ap about the types of malicious hacking incidents we knew about so far. I think he will put down his thoughts on the subject soon, but what we have concluded is that the insider threat is probably the biggest problem. This conclusion came not only from looking at some of the stats but also from personal experience with penetrating various corporate networks while working as "ethical hackers" (penetration tester sounds funny) for security assessment companies. So, ignoring all accidental and hobbyist hacks and omitting all the attacks which target individual users for their bank account details, etc., the worst scenario by far will be when a dedicated attacker becomes an insider.
This does not necessarily mean that the attacker needs to go and start working for the organization they want to penetrate. This is an option, it is true, but having someone to do all the dirty stuff (the proxy) simply sounds a lot better. In the case of the guy on the train, well..., what would have happened if someone had specifically targeted this individual through his Facebook account? Wouldn't that be the perfect way to become an insider? I think so! Compromising this guy's laptop sounds a lot more trivial than knocking on the front doors. Moreover, having a Facebook account is almost like pointing a static DNS entry towards your machine. It is obvious that the victim will visit their account with their work or home computers or mobile phones.
The insider threat is the biggest and the most complicated to resolve. Most, if not all, security consultants try to protect the perimeter but we all know that all networks are rotten from the inside. And this, my friends, means that once the attacker obtains internal access it is GAME OVER for the organization in question. Whether that will be by means of a proxy, the guy with the slick laptop, or by physically attending the organization's building, it is simply a matter of choice and personal preference, maybe also a bit of strategy.
I will stop this discussion right here and leave it open-ended since I have more ideas and things to talk about on this matter but not that much dedicated time. Though, for all of you who still think that bugs in software are the best thing since sliced bread, well, you might find that you have been fooled. Bugs are just a means to an end. Hacking into something may or may not involve taking advantage of bugs. Hacking is more about outsmarting those that have put the restrictions in place to begin with.