Wired reported on a blog entry by Netragard detailing a wonderfully clever social engineering attack that should open some eyes. I’m not sure it will, but it should. For the unaware, social engineering is the art of manipulating a person into doing something you want, in this case inserting a USB device into their work computer.
Fearing the awareness levels around USB flash drives and malware were too high, they opted for a different USB device: a mouse. Carefully disassembling the mouse, they added a mini USB hub to which they attached a mini flash drive. When the user plugs in the mouse, they get the added bonus of a free flash drive with malware. After reassembly, they repackaged the mouse and sent it on its way. Are you surprised that within three days of sending it to their target the malware phoned home?
It’s a truly brilliant attack and they are to be commended for their creative thinking. I would think with most targets this attack or a variant thereof (free printers, anyone?) would have a 100% success rate. I’d also like to thank them for sharing the story. While it sounds like the stuff of spy movies, it’s real. And if the good guys can think up these kinds of attacks, you can bet the bad guys can too.
Which gets me thinking about risk. Does risk matter at all when the reality is you’re faced with attacks like this? Lesser attacks are just as effective, like targeted spear phishing. At what point does risk just become a way of measuring security through obscurity? Or is it there already? We already assume a lot of risk. Have we crossed a threshold?
It does confirm what I’m reading a lot of lately, especially from the likes of Richard Bejtlich of TaoSecurity and Mandiant CSO. The future of defense is a balance between prevention AND detection, trust AND distrust. The new model is not foreign to us. It’s the same castle and inner-keep concept. The difference is we’ve been lulled by security vendors into thinking we can prevent attacks, while all along we watch virus detection rates fluctuate but never strike anywhere near 100%. In fact, AV-Comparatives.org’s most recent tests of “proactive on-demand detection” topped out at 61% back in May.
The key to defense is in knowing where your sensitive data lives and building your architecture around protecting that data. It’s your Fort Knox. Guard it, monitor it, trend it, know it. Inbound and outbound access should be locked down to required use only. This is your inner-keep. If it falls, game over.
That doesn’t mean your people milling around inside the castle’s walls get left for the Vikings. But you can never know everyone and everything going on out there. Focus on what you need to protect, position it so it can be protected and closely monitored, and defend the rest to the best of your abilities. But always, always watch the keep.
SMBs take heed, as you’ll likely have greater agility in adopting this approach. If you have a server, a point of sale host and one or more daily operations hosts, do they all need to talk? Isolate the server and the point of sale host. Those machines that get used mostly for surfing the web for research, lookups or entertainment? Keep them away from your server and point of sale. And keep casual use away from sensitive systems.
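To make the “watch the keep” advice concrete, here is an added example (my own illustration, not code from the post or from Netragard) that audits a small-shop flow log against a required-use policy: the server and point of sale host are the keep, every other internal address is a casual-use host, and any flow into the keep from a casual host, or out of the keep to an unlisted destination (the malware phoning home), is flagged. Addresses, the allow list and the log format are all assumptions constructed for the example.

```python
import ipaddress

# Constructed policy (assumed addresses; the original post names no hosts).
# The inner keep is the server and the point-of-sale host; every other
# internal address is a casual-use host (web research, lookups, entertainment).
KEEP = {"10.0.1.10": "server", "10.0.1.20": "pos"}
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
# Required-use flows only: (source role, destination role or address, port).
ALLOWED = {
    ("pos", "server", 443),          # POS uploads transactions to the server
    ("server", "203.0.113.5", 443),  # server talks to the payment processor (assumed)
}

def role(ip):
    """Keep role for keep hosts, 'casual' for other internal hosts, else the external address."""
    if ip in KEEP:
        return KEEP[ip]
    return "casual" if ipaddress.ip_address(ip) in INTERNAL else ip

def parse(line):
    """Parse one constructed 'timestamp key=value ...' flow-log line."""
    ts, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}

def check(line):
    """Return None when the flow does not touch the keep or is on the allow list,
    otherwise a short verdict saying why the flow should be blocked and alerted on."""
    f = parse(line)
    s, d = role(f["src"]), role(f["dst"])
    if s not in KEEP.values() and d not in KEEP.values():
        return None                        # castle traffic, not the keep's concern
    if (s, d, f["dport"]) in ALLOWED:
        return None
    if s in KEEP.values() and d not in KEEP.values() and d != "casual":
        return f"{f['ts']} keep host {s} phoning out to {f['dst']}:{f['dport']}"
    if s == "casual":
        return f"{f['ts']} casual host {f['src']} reaching keep host {d}:{f['dport']}"
    return f"{f['ts']} unapproved flow {s}->{d}:{f['dport']}"

def audit(lines):
    """Run check() over every log line and return only the verdicts."""
    return [v for v in (check(line) for line in lines) if v]

# Constructed sample flow log.
SAMPLE = [
    "2011-06-28T09:00:01 src=10.0.1.20 dst=10.0.1.10 dport=443",     # POS -> server: allowed
    "2011-06-28T09:00:05 src=10.0.2.33 dst=198.51.100.7 dport=80",   # casual host browsing: ignored
    "2011-06-28T09:01:10 src=10.0.2.33 dst=10.0.1.20 dport=445",     # casual host -> POS: alert
    "2011-06-28T09:02:44 src=10.0.1.10 dst=198.51.100.9 dport=8080", # server -> unknown host: phone home
    "2011-06-28T09:03:00 src=10.0.1.10 dst=203.0.113.5 dport=443",   # server -> processor: allowed
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE):
        print(verdict)
```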
If you don’t try to protect your company’s data, no one will.