
“But we’ve never had a problem”

May 19th, 2009 Posted by D Webber

Convincing decision makers to be proactive about information security is always a tough sell, but it is especially difficult with small to medium-sized businesses.

Lately I’ve been hearing a lot of the old “but we’ve never had a security problem” myth used as an excuse for inaction (hmm… maybe I should add it to the list).

Usually this statement is made in relation to intrusions, so let’s look at that:

By now almost everyone has heard that attackers are no longer kids out for kicks and street cred. Compromising systems is big business, whether the goal is renting out the machines as botnet nodes, extorting a ransom by encrypting data, stealing bank and card details, or industrial espionage. Whatever the goal, it is worth serious money to the attackers to remain undetected.

So we see targeted malware that slips past signature-based IDS and antivirus, rootkits that subvert the operating system, and command-and-control traffic smuggled back to the attacker over HTTP, DNS or ICMP, where it blends in with the normal traffic of the network.

With a skilled attacker, you won’t know they are there:

When I worked at a CIRT, the reports we got of web sites hosting malware most often turned out to be small sites such as business “brochure” sites and personal blogs. Attackers exploited a vulnerability (usually in an out-of-date version of a CMS like WordPress or Joomla), uploaded malware, then sent out phishing email pointing to its URL.

Unlike in the old days, the sites were never defaced and there were no other signs that the site had been compromised, except perhaps a lot of traffic to an unusual file showing up in the site’s web stats. In each case it took considerable effort to convince the site owner that they had been compromised and were indeed serving malware.
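That “unusual file in the web stats” indicator is easy to check for mechanically. The following is an added example, not code from the original post: it parses access-log lines in the common Apache/nginx “combined” format, ignores the files the site is known to serve, and flags any other successfully served path that is fetched repeatedly by many distinct clients, also counting how many of those requests arrived with no referer (the pattern phishing email produces). The known-path set, the log lines and the file name under the WordPress upload directory are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical: the handful of files a small brochure site is actually meant to serve.
KNOWN_PATHS = {
    "/", "/index.php", "/about.html", "/contact.html",
    "/style.css", "/images/logo.png",
}


def parse(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string so variants of one file are counted together.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def suspicious_paths(lines, known_paths, min_hits=5, min_unique_ips=3):
    """Flag successfully served paths outside the known set that attract many hits
    from many distinct clients. Phishing-driven malware downloads look exactly like
    this: one unfamiliar file, many unrelated IPs, almost always no referer.
    Returns (path, hits, unique_ips, hits_without_referer) tuples, busiest first."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "no_ref": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["status"].startswith("2"):
            continue  # skip unparseable lines and anything not actually served (404s, redirects)
        s = stats[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        if rec["referer"] in ("", "-"):
            s["no_ref"] += 1
    flagged = []
    for path, s in stats.items():
        if path in known_paths:
            continue
        if s["hits"] >= min_hits and len(s["ips"]) >= min_unique_ips:
            flagged.append((path, s["hits"], len(s["ips"]), s["no_ref"]))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed sample log: a little normal visitor traffic, one 404, one low-volume unknown
# file, and six unrelated clients fetching a file under the CMS upload directory that
# nobody at the business put there.
SAMPLE_LOG = [
    '198.51.100.5 - - [18/May/2009:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.5 - - [18/May/2009:09:12:02 +0000] "GET /style.css HTTP/1.1" 200 1800 "http://www.example.com/" "Mozilla/4.0"',
    '198.51.100.5 - - [18/May/2009:09:12:02 +0000] "GET /images/logo.png HTTP/1.1" 200 9400 "http://www.example.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [18/May/2009:10:03:44 +0000] "GET /about.html HTTP/1.1" 200 4100 "http://www.example.com/" "Mozilla/4.0"',
    '198.51.100.7 - - [18/May/2009:10:03:50 +0000] "GET /robots.txt HTTP/1.1" 404 290 "-" "Mozilla/4.0"',
    '198.51.100.11 - - [18/May/2009:11:30:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/4.0"',
    '203.0.113.10 - - [18/May/2009:13:01:12 +0000] "GET /wp-content/uploads/2009/05/invoice.exe HTTP/1.1" 200 71680 "-" "Mozilla/4.0"',
    '203.0.113.22 - - [18/May/2009:13:02:40 +0000] "GET /wp-content/uploads/2009/05/invoice.exe HTTP/1.1" 200 71680 "-" "Mozilla/4.0"',
    '203.0.113.35 - - [18/May/2009:13:04:05 +0000] "GET /wp-content/uploads/2009/05/invoice.exe HTTP/1.1" 200 71680 "-" "Mozilla/4.0"',
    '203.0.113.48 - - [18/May/2009:13:07:19 +0000] "GET /wp-content/uploads/2009/05/invoice.exe HTTP/1.1" 200 71680 "-" "Mozilla/4.0"',
    '203.0.113.61 - - [18/May/2009:13:09:52 +0000] "GET /wp-content/uploads/2009/05/invoice.exe HTTP/1.1" 200 71680 "-" "Mozilla/4.0"',
    '203.0.113.77 - - [18/May/2009:13:15:33 +0000] "GET /wp-content/uploads/2009/05/invoice.exe HTTP/1.1" 200 71680 "-" "Mozilla/4.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for path, hits, ips, no_ref in suspicious_paths(SAMPLE_LOG, KNOWN_PATHS):
        print(f"{path}: {hits} hits from {ips} distinct IPs, {no_ref} with no referer")
```

On the sample log this reports only the `.exe` under the upload directory; `/favicon.ico` is also unknown but is requested once by one client, which is what ordinary browser noise looks like. On a real site, the known-path set can be generated from the content the owner actually published, and any flagged file should be compared against the site’s last legitimate change date before anyone argues about whether the site “has a problem”.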

Beyond intrusions, every organization has information security issues of some kind: vulnerability management, backups and continuity, user awareness, and so on.

With a little help and honest reflection on past events, most organizations quickly realize that “we’ve never had a problem” is not really the case.

Posted in Myths & misconceptions

2 Responses to ““But we’ve never had a problem””:

  1. Andy Cunningham Says:

    Saying “We haven’t had a problem” is like refusing to buy a child seat until you’ve had a child killed or injured in a car crash.

  2. Derrick Webber Says:

    @Andy:

    Hopefully the situation isn’t quite that grim, but yeah… it indicates a lack of awareness, both of the risks and of their present situation.

    There was an eye-opening statement recently over at TaoSecurity: “Pretty much everyone I speak to firmly believes that in the real world, companies do not get hacked into and data is never compromised as the result of a systems-based intrusion.”

    Stunning. I guess all the recent press given to lost laptops etc. has reduced the perceived risk of active attacks.