Recently, I read a discussion claiming that corporate security is losing the war to hackers, and that quite soon corporate systems will crumble under the attacks. Here is an analysis of the security positions of both hackers and corporations.
A corporation addresses security in a systematic and planned way, always being careful to reduce costs and avoid using resources on non-profitable investments. In addition, a large company's security position is hampered by:
- Investment cycles - capital expenditures are usually planned ahead for 1- and 3-year periods, so the corporation needs to plan the funds for corporate security without really knowing what will happen
- Strategic orientation - due to a specific corporate strategy like heavy investment or cost cutting, security may be left aside and get delayed in development
- Vendor and product interoperability - anything set up within a corporate environment must be tested so that it does not break anything else and interoperates well. The testing cycle is usually a month or more long, with delays if significant problems are found
- Human resources usage - again related to use of resources, the security personnel are also assigned other tasks, like project management or some form of legal or compliance work, which shifts their focus to other priorities and can cause them to miss an event
Let's review a typical process of a security upgrade in a corporation:
- A necessity for a security upgrade is identified - duration: 1 week
- The CISO/CIO/CTO and their teams investigate the ability of the market - duration: 1 month
- The CISO/CIO/CTO prepare a formal proposal for the board and submit it for approval - duration: 2 weeks
- If the board approves, budget will have to be assigned to the project and approved by controlling. If there is no available budget, the project will be postponed until the next budget cycle (probably the next fiscal year)
- The CTO and CFO will organize a price negotiation order or competitive bidding - duration: 1 month
- A contract will be drafted and signed - duration: 1 week
- The technical teams, together with the supplier, will organize delivery, installation and testing - duration: 2 months
- The system will begin its life - approximately 5 months after the initial identified need
Hackers employ guerrilla-like tactics. They are not hampered by systematic approaches and plans, and treat each attack as a separate case, reusing whatever resources they can get their hands on and abuse, including impersonation, surveillance, even theft.
Let's review a typical process of a very systematic hacker attack on a corporation:
- The hacker has a good idea for an attack - duration: 1 day
- The hacker will research the target for attack feasibility and a possible approach. During this time he will do information gathering and social engineering and collect a large volume of details about the target. During this period, he may also involve partner hackers in the attack team - duration: 1 month
- If the attack is feasible, the hacker will research the web and message boards for a possible solution to accomplish the attack - duration: 1 week
- If the solution is available, he will organize a way to download it - duration: 1 day
- If the solution is not available, the hacker will organize to write a program - duration: 1 week
- The solution will get tested on a low-value target, or several of them - duration: 5 days
- The solution will then get used in the originally planned attack, approximately 2 months after the initial attack idea
Discussion and conclusions
The reaction time advantage is obviously on the hacker's side. How come they haven't overrun the corporations by now?
There can be many different discussions about this, but they all boil down to:
- resources and
- ease of communication
- For any guerrilla to be successful, it needs support. Support is given when there is a common cause. For most hackers, the cause is personal gain (financial or promotional), so the rest of the internet population gives little to no support.
- The corporations, while slow in a normal process, have the option to "throw money at a problem" once it becomes too problematic. This will include: immediate purchase of special equipment and software, hiring of consultants, employment of better experts.
- The corporations have a large system base, and while a lot will suffer some security deficiency, it takes time to hack into any one of them. So the hacker will actually need time to properly.
- The hackers need to maintain a high level of secrecy and constantly watch their backs. If an attack becomes too flagrant, hackers are viewed as common criminals and are immediately under the scrutiny of police authorities. This limits their communication with peers to only the most trusted ones, and this circle of trust is rarely opened.
- A corporation with a problem can communicate the problem to consultants and partners, and simply bind them with a Non-Disclosure Agreement, which is usually sufficient to maintain a corporate level of secrecy - breaching it would mean huge penalties and loss of reputation
While the hacker community is much more agile, it is simply hitting the small weak points of the corporate world and is careful not to hurt the corporations too hard, since hitting harder will bring the game to a whole new level where they'll be facing undercover police agents and specific, very powerful detection systems.
So, the overall level of corporate security vs. hackers will remain at the status quo, with attacks and security improvements happening at regular alternating intervals.
Portrait of Hackers
Talkback and comments are most welcome