Senior IT Security Engineer
I will start this article with a question: why security?
In the recent past, we have seen organizations hiring a separate group of geeks known as information security professionals. For some they are a must-have, and for others a nice-to-have. No matter which group an organization falls into, the need for these professionals has been created by a few key points:
*  The evolution of technology has focused primarily on ease of use, taking security for granted.
*  Computer infrastructure management is becoming more complex for the common man, who has no time to think about security.
*  The skill level required for exploiting security weaknesses is constantly decreasing; even a 12-year-old kid is capable of defacing a website.
*  An increasingly networked environment and web-based applications allow hackers to test their capabilities from anywhere they want.
*  A security breach has a direct impact on the corporate asset base and goodwill; a website that is down for 10 minutes can push share prices down for 10 days.
All of the above have driven common IT people to look at security from a different angle in order to handle these effects. The modern security-driven architecture focuses on a layered approach, which helps to mitigate risk and to identify attacks much more accurately by reducing the level of false positives. The products used to set up this architecture are capable of automating many aspects of security, except for identifying the importance of the asset they are trying to protect. Most of our infrastructure is protected using a holistic approach in order to achieve the maximum level of security and ease of use, whereas hackers have changed their approach by adopting target-oriented attacks such as spear-phishing and whaling, which are mostly used to deliver the payload for attacks such as ransomware. These attacks involve a higher degree of information gathering and social engineering, which our devices are not capable of protecting against. User awareness can help reduce the number of successful attempts, but more effort is required in order to thwart new techniques.
Information gathering is the first phase of the hackers' cycle. It is executed under stealth and can lead to finding information that can be used to initiate successful attacks. Google hacking, documented in the GHDB (www.exploit-db.com/google-hacking-database/), contains many such techniques for gathering information under stealth. The search engines designed for the Internet of Things, known as SHODAN (www.shodan.io) and CENSYS (www.censys.io), are also among the techniques widely adopted by script kiddies to collect information used to conduct targeted attacks.
Hackers are capable of finding a great deal of information and many vulnerable devices, such as ADSL routers, CCTV cameras, FTP servers, and IoT devices, which are readily available to be taken over in a matter of minutes. It is strongly recommended to conduct a search engine assessment to identify the exposed devices and information that are publicly available, and to take a risk-based approach in securing the infrastructure.
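One way to carry out the risk-based triage recommended above, as an added example that is not part of the original article: it matches a constructed export of search-engine findings against the organization's own address ranges and ranks them by asset importance. The record field names, address ranges, and weights are assumptions for illustration, not the schema of any real search engine.

```python
import ipaddress
import json

# Assumption: the organization's own public ranges, each tagged with a segment
# name and a business-assigned importance (1 = low, 5 = critical).
OWNED_RANGES = {
    "203.0.113.0/28": ("branch-office", 2),
    "198.51.100.0/29": ("payment-dmz", 5),
}

# Assumption: illustrative weights for services of the kinds the article names.
SERVICE_WEIGHT = {21: 3, 23: 4, 554: 3, 7547: 4}  # FTP, Telnet, RTSP, TR-069

# Constructed sample export; the field names are hypothetical, not a real API schema.
SAMPLE_EXPORT = """[
 {"ip": "203.0.113.5", "port": 21, "banner": "FTP server ready"},
 {"ip": "203.0.113.9", "port": 554, "banner": "RTSP camera"},
 {"ip": "198.51.100.3", "port": 7547, "banner": "router management"},
 {"ip": "192.0.2.44", "port": 23, "banner": "login:"},
 {"ip": "198.51.100.3", "port": 7547, "banner": "router management"}
]"""


def triage(export_json, owned=OWNED_RANGES, weights=SERVICE_WEIGHT):
    """Return findings on owned addresses, highest risk score first."""
    nets = [(ipaddress.ip_network(cidr), name, importance)
            for cidr, (name, importance) in owned.items()]
    seen, findings = set(), []
    for rec in json.loads(export_json):
        key = (rec["ip"], rec["port"])
        if key in seen:          # the same service is often indexed repeatedly
            continue
        seen.add(key)
        addr = ipaddress.ip_address(rec["ip"])
        for net, name, importance in nets:
            if addr in net:      # records outside our ranges are out of scope
                findings.append({
                    "ip": rec["ip"], "port": rec["port"], "segment": name,
                    "score": importance * weights.get(rec["port"], 1),
                })
                break
    return sorted(findings, key=lambda f: (-f["score"], f["ip"], f["port"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

The score multiplies asset importance by service weight, which supplies the one input the article notes that security products cannot determine on their own: how much the exposed asset matters.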
If we don't start searching, the bad guys will. It all depends on who starts first!