WASHINGTON—I was having coffee with Angela Gunn, an old friend who is working as a security researcher these days. She was explaining some of the problems with traditional approaches to thinking about security.
But she is focused on Hewlett-Packard’s latest push, which is to think like a bad guy trying to break into computer networks and databases. We were both attending the HP Protect conference here, which spotlighted the “Think Like a Bad Guy” theme pretty much everywhere you looked.
“Really,” she said, “you have to think like whoever the bad guy is working for.” My friend had a point. While it’s important to understand the cyber-criminal’s approach when they’re attacking you, the only way to really understand them is to understand their motivations. What is it they’re looking for when they break into your network?
I found out when I entered the conference display floor and wandered to the back of the room to the Bad Guys’ Lair. This required a walk through a smoke-filled corridor crisscrossed with laser beams to reach a bunch of people sitting around among pizza boxes, soda cans and bags of empty calories.
These were the HP “Bad Guys.” I later found out that I could have gone around to the rear entrance and avoided the drama. Leave it to security guys and corporate hackers to engineer in an analog back door.
What I found there laid out clearly was what HP means about thinking like a bad guy. On a wall-sized screen were employment ads for low-level hackers to run a local mission, provide expertise in specific areas of some operating systems, or perhaps infiltrate an office and drop off a malware laden USB memory stick. On another screen there was page after page of ads for commercial software, but these packages were commercial malware designed to sniff out credit cards or passwords.
These applications were sold and licensed just like software from big-name software companies. Want an app to read credit card numbers from Firefox? That’ll be $500. Want one that does Firefox and Internet Explorer? You can upgrade for an additional $500.
One of the security researchers, who we’ll call “Sam” (they don’t want their real names used in public) explained that one of his colleagues maintained between eight and 10 identities on those hacker Websites so they can keep up with what’s current. Then he showed me where you can buy credit card numbers.
Unfortunately, this illustrated just how easy it is to obtain those numbers, and how easy it is to create counterfeit credit cards. He took a blank plastic card with a magnetic stripe, ran it through a device and created a blank credit card in less than five seconds. So I asked him how useful such a card would be. What he told me is enough to immediately stop using any card without an EMV chip.
HP Demonstrates Why Everybody Needs to Think Like the ‘Bad Guys”
Sam pointed to a colleague. “We went to a Best Buy store with one of these blank credit cards and tried to make a purchase,” he said. When the cashier questioned the blank card, his response was remarkable.
“We just told her it was the new American Express ‘White’ card.” He said that he told the cashier that it didn’t show his name because the new card was designed to protect his identity. The cashier looked at his driver’s license, but didn’t make a note of anything.
Sam and his colleague performed this exercise to learn how it was done and to see if they could actually pull it off. But the blank card was actually cloned to a valid personal credit card so there was no fraudulent transaction or loss to the store.
As I spoke with other security researchers, a pattern became clear. Despite all the reports about credit card fraud, data breaches, malware and other criminal activity, the people who actually need to protect their data have learned nothing. The training about credit card security has apparently fallen on deaf ears.
Then I talked with another researcher who showed me the latest Top 10 list of the Open Web Application Security Project. This is a research project that lists the most common vulnerabilities of Web-based applications. The OWASP site lays out the list and also has detailed articles about each item on the list as well as why it’s a problem.
The list includes the usual suspects, including injection, misconfigured Websites, broken authentication, cross-site scripting and similar problems, most of which are the result of poor coding or a failure to follow best practices.
But what’s really depressing about the list is that it’s virtually identical to the Top 10 list from 2010. In other words, even though the same vulnerabilities have been exploited for years, nothing has changed—there have been no improvement in the security situation despite the availability of ways to fix those very problems.
I spoke with Jacob West, CTO for HP’s Enterprise Security Products practice and who briefly remarked on the fact that so much about security was about training people to be mindful about security. That, of course, is a necessity.
But there has to be more. While enterprises can think like a Bad Guy, or train their employees not to click on attachments, there needs to be a better solution. One approach is to essentially take the people out of the process, which is what Apple is doing with Apple Pay.
But there also has to be some level of commitment by people at every level of the corporate hierarchy to think about security, whether a person is running a cash register, running a board meeting or designing code. I’m beginning to wonder if that part is futile.