It's like a $10 door lock...
It's still a crime to break it.
British shipping company Clarkson plc has obtained an injunction against hackers who broke into its IT systems, slurped a load of data and then tried to blackmail the business. The judgment, handed down by High Court judge Mr Justice Warby earlier this week, orders the unknown hackers not to publish the stolen data and to pay …
Yes it's difficult to find out who is behind attacks.
It's not difficult though, to hire experienced InfoSec professionals and support them adequately to provide a sufficient defense in depth architecture, patch management and monitoring to ensure it's difficult to get in, and just as difficult to get data out.
Since it is so difficult to identify hackers, you may want to keep this in mind when it comes to your risk management. Can I get a palm thump to the head?
Random attacks, yes you can defend quite well against.
But any targeted attack at all, anything with the help of even a low-level insider, anything by a well-funded or determined adversary, anything committed with a modicum of up-to-date technical knowledge? Not a chance of defending against.
This is the problem - scale. Sure, granny isn't really worth attacking but she is quite an easy target and is more likely to succumb to random spam than anything else.
Sure, Facebook are really worth attacking, but they shouldn't be an easy target and aren't likely to succumb to random attacks, pings, port-forwards, email attachments, social engineering etc.
The middle ground? That's tricky. They almost certainly deal with hundreds if not thousands of people a day, emailing back and forth, and all kinds of levels of staff most of whom will have little to no dealing with the IT guys. They may be worth attacking. They can be easy targets. They are capable of succumbing to "one wrong click" no matter who you put in charge.
Take my example - a private school. Despite what you might think, teachers and other staff are paid pretty much market rates. But they suck in millions of pounds a year (which are spent with suppliers because they usually have to be non-profit). They will accept credit cards, they will have tons of personal information, they will have celebrity parents, they will have databases of children's details that every teacher needs to be able to log into, they will have contact with hundreds upon hundreds of parents from all kinds of staff (office, IT support, teachers, etc.) and all their suppliers. And they won't have teams or budgets big enough to stand up against a determined attacker or malicious interference from within.
Sure, you'll catch the silly stuff. Your remote desktop will be up-to-date. Your Windows patches will be recent. You'll have backups. Your network won't allow arbitrary access. You may even be able to stop people getting in via the website / parent portal / intranet / etc. if you're diligent. You'll have antivirus. You'll have sensible email defaults (i.e. not opening attachments, etc.). But there's still nothing in the way of a targeted, determined, knowledgeable attacker finding a PHP hole in the parent portal (which needs to talk to the main school database) and walking right through it. I guarantee you, the quality of most school online MIS software is such that I wouldn't trust it alone. And things like "set up a VPN to let us suck from your school database to your cloud-based parent portal" are surprisingly common (and usually with just arbitrary SQL access to said database without even limited views).
The people "in the know" will offer limited users, limited views, limited access, reverse proxies, DMZ, IDS/IPS, VLANs, audit logs, etc. But I guarantee you that most school IT departments - even where outsourced - follow the default installation instructions which leaves the potential for a massive hole the second someone finds one. And it's not going to be publicly advertised on the CVE lists.
The big-guys can handle themselves.
The little-guys, you can't really do much for them except try to build systems where compromise isn't capable.
The middle-ground is the scary part. Where they have just enough investment to require complex IT systems, but nowhere near enough expertise or resources to hire it to secure it against someone determined to get in.
Your primitive attempts at "I'm from Apple, click on this attachment" and scanning port 80 might not work. But for sure they are the risk category with the most to lose while being the easiest target for that kind of tradeoff.
The judgment, handed down by High Court judge Mr Justice Warby earlier this week, orders the unknown hackers not to publish the stolen data and to pay Clarksons' legal costs.
Good luck with that because it's never going to happen.
What makes them think that the hackers are even in this country?
Clarkson instructed its solicitors to proceed with court action, and they solicitously did so.
The judge had an injunction to evaluate, and he judiciously did so.
So, although no justice will ever be served by all these actions, everyone did their bit as expected and goes home with a clear conscience of a job well done.
It might have some value if the suspected perps are identified later on - the court order goes into immediate effect to stop the leak going any further while the perps are on bail. Better than locking them up for months before a trial. Plus disobeying a court order has additional penalties.
The hackers can no longer rely upon sending the stolen information to a newspaper to publish because the injunction will ensure that no sensible editor would risk publishing it.
Actually, it would also allow take-down orders against any web site the hackers uploaded it to, although other legislation (such as copyright) would probably have sufficed.
The one slight fly in the ointment is Barbra Streisand. But if Clarksons can get an injunction against her, they'll be safe.
I'm starting to wonder about the mushrooms in my morning fry-up. My thought processes seem to be wandering and the walls are melting.