10 ways to safeguard your business from the growing threat of cyber attacks
Inside the head of a Hacker
72% of attacks target user identities and applications, not servers and networks
At a time of evolving and ever-present cyber threats, information security isn’t just an IT issue – it’s a business issue. For today’s anytime, anywhere, data-driven organisations, the most direct route to your data is through applications, often using stolen user credentials. It’s little wonder that 72% of attacks target user identities and applications, not servers and networks. Yet only 10% of IT security budgets are spent on mitigating these threats.

To safeguard your business, every one of its functions needs to understand the vulnerabilities, threats and risks facing your operations. This guide will steer you through the current security landscape, explore why, how and where your business may be vulnerable, and give you 10 practical steps you can take to help you anticipate and avert impending threats.
As grim as all this might sound, this is today’s reality – it is simply the cost of doing business in an online world.
Profile of a Hacker

Cyber criminals: The most commonly known hacker profile; they range from individuals to small groups to worldwide organised crime groups. Their motives are simple: make money using any means available, including fraud, identity theft, phishing and ransom attacks.

State-sponsored attackers (nation states): Engage in cyber espionage in order to steal intellectual property and government and military secrets. They are well funded, often by governments, and have the resources to hire the best talent to perpetrate sophisticated attacks, including zero-day attacks (exploiting previously unknown vulnerabilities) and advanced persistent threats (those that go undetected in a system or network for long periods of time).

Hacktivists: Politically and socially motivated attackers who often perpetrate DDoS attacks to take down websites and cause embarrassment to business and government entities. Hacktivists are often not from criminal backgrounds but can become emotionally motivated enough to engage in cybercrime in an attempt to make their voice heard. DDoS, website defacement and spam campaigns are their most common weapons of choice.

Cyber terrorists: Considered by some to be the most dangerous type of hacker, they are religiously or politically motivated. Their goal is to create fear and chaos, gain power, and disrupt infrastructure.

Attribution: Though it is often difficult to attain accurate attack attribution (discovering and assigning responsibility for an attack), there is often a perceived overlap between cyber-terrorist and state-sponsored actions. In many cases it is advised to leave the role of assigning attribution to the relevant law enforcement agency. The organisation should instead focus on understanding the information assets which may be seen as most valuable to attackers and evaluating the different methods by which they may be compromised.
The scale of the threat

The nature, type, reach, frequency and severity of cyber attacks are dramatically increasing. Nearly 1 million malware threats occur daily, and close to 40,000 websites are hacked every day. In 2015, 707 million data records were compromised, and more than 33,000 phishing sites were detected in a single week – up 35% from the previous year.

Distributed Denial of Service attacks (DDoS; an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources), once perpetrated only by experienced hackers, are up exponentially, due largely to readily available, easy-to-use attack tools within reach of the most unsophisticated, unskilled user. Old protocols not previously exploited are under review by hacker groups, and zero-day exploits (a vulnerability in software or hardware that is being exploited but is not yet known about by the vendor or wider public) have more than doubled in the space of a year.

Hackers are also using social media to their advantage, with techniques like spear phishing (an email spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data), or injection exploits (an attack mechanism that combines malicious code into a vulnerable program with normal user input, often used to steal cookies for session hijacking) where user-generated content leaves web applications vulnerable.
Demystifying the security landscape

New ways of working bring new complexity
It used to be the case that enterprise applications resided in corporate-owned data centres, accessed by users through a direct network connection. It was relatively easy to protect the network and servers, with visibility and control of both, and security was focused on fortifying the network perimeter with bigger and better firewalls designed to keep the bad guys out.

Today, our world looks vastly different. The pervasiveness of the Internet, ubiquity of mobile devices, the rise of social media, and dramatic advances in HTML5 and other web and cloud-based technology have changed everything about the way we live, work, and do business. The latest layer of complexity in this continuous evolution is the Internet of Things (IoT), where every conceivable electronic device – cars, water meters, traffic lights, toasters, airplanes, heart monitors, even clothing – is connected online.

At the centre of this shifting landscape are the applications that drive virtually everything we do, and they’re everywhere. Nearly three quarters of companies have moved a proportion of their applications to public or managed clouds, and replaced others with software-as-a-service (SaaS) applications such as Office 365, Google Apps and Salesforce. Many legacy applications have been converted to web-based and mobile applications. Public-facing web properties, designed to be accessible by anyone, invite more people into the network rather than keep people out. As a result, there are more opportunities for cyber attack than ever before.
When, where and how we work is changing

Working practices are changing, with increasingly mobile employees doing their jobs from multiple locations, often over unsecured networks, such as public WiFi hotspots in coffee shops. Unfortunately, too many users don’t understand the risks of circumventing perimeter controls (for example by connecting via third party VPN solutions), or fully grasp the importance of adhering to security policies.

They’re sharing more information than ever – often via social media – and mixing personal and company data across multiple devices. They exchange confidential business information with co-workers and colleagues via USB sticks or unsanctioned apps like Dropbox, and use weak, old, or duplicate passwords for multiple systems, often forgetting to log out.

What’s good for the user may be bad for business

While the drive toward an all-encrypted, “SSL Everywhere” internet seeks to improve privacy for individuals – for example, by protecting mobile banking transactions – it simultaneously creates new blind spots for IT because traditional security solutions (network firewalls, intrusion detection and protection, and data loss prevention systems) aren’t able to decrypt encrypted traffic. Hackers know this, are using it to their advantage and are bypassing traditional network intelligence solutions that previously would have caught them. Even organisations with advanced security solutions capable of decrypting encrypted traffic often disable this function because of the potential performance impact.

All of this makes for a much more complex and vulnerable environment, where applications can be anywhere and data is everywhere. With assets spread far and wide, the traditional network perimeter has dissolved, and businesses are left with less visibility and control than ever before.
IT security trends: what the research tells us

The latest research from the Ponemon Institute, “Application Security in the Changing Risk Landscape (July 2016)”, reveals some worrying gaps in security provisions in a poll of IT and IT security practitioners in the US.

Attacks at the application layer are worse than at the network layer. The application layer of the Open Systems Interconnection (OSI) model accommodates the user interface and other key functions such as Application Programming Interfaces (APIs), giving hackers the widest attack surface. When exploited, the entire application can be manipulated, user data stolen, or the network shut down completely.
63% of attacks at the application layer are harder to detect than at the network layer
67% of attacks at the application layer are harder to contain than at the network layer
50% say the application layer is attacked more often than the network layer
58% of attacks on the application layer are more severe than at the network layer
18% of security spend is allocated to application security – less than half of that going on network security

1,175 is the average number of applications in an organisation
33% of apps are considered mission critical
37% of business applications are in the cloud
31% of business applications are delivered via mobile
66% of IT teams don’t have visibility of all the applications deployed in their organisation

56% believe accountability for application security is shifting from IT to the end user or application owner
21% think the CIO or CTO is accountable
20% believe no single person or department is accountable
20% think business units are accountable
19% believe application development teams are accountable
Mobile and cloud applications are proliferating. Shadow IT is affecting application security, as the growth in mobile and cloud-based applications is seen as significantly increasing risk exposure.

Accountability for application security is unclear. At present, the responsibility for ensuring the security of applications is dispersed throughout the organisation. With such fragmentation, it’s no wonder potential vulnerabilities are introduced.
The hard consequences of a reactive approach

If you don’t approach application security proactively, your organisation runs the risk of a rise in the number of security incidents, both detected and undetected. You may incur direct financial losses from a data breach, or reputational damage which may deter investors and drive customers into the arms of your competitors.

Time and effort spent investigating a security breach after the event distracts your focus from core business, and losses are often unrecoverable. And because information security is fast becoming a differentiator in today’s connected world, you may find your business falling behind rivals who can offer greater assurances in the face of privacy concerns.
90% of today’s IT security budgets are still spent on everything but protecting applications and user identities
The point of drawing attention to these risks and threats is not to induce fear among organisations, but to highlight the proliferation and impact of cyber attacks, and to equip businesses with the knowledge, through threat intelligence, to bolster their security posture. Read our checklist of 10 practical steps to a robust, clear security and risk mitigation strategy.

10 steps to strengthen your security posture
1 Budget for today’s realities

As much as 90% of today’s IT security budgets are still spent on everything but protecting applications and user identities, yet these are today’s primary targets of attack. Get board-level buy-in by briefing business leaders on the likelihood and potential impact of an attack. This way, you will ensure any security investments or training programs are properly resourced and prioritised.
2 Know the risks

F5 can help organisations gain the intelligence they need to perform a risk assessment and take action (see below), but it’s also essential to familiarise yourself with the OWASP Top 10 from the Open Web Application Security Project, a non-profit organisation focused on improving software security. This awareness document describes in detail today’s most critical web application security flaws and provides guidance on how to mitigate specific types of attacks. Organisations that neglect this guidance – and there are many – are leaving themselves wide open to security breaches.
3 Know your enemy

Understand hackers’ motivations, targets, and tactics (see Profile of a Hacker). They are manifold, but the majority of today’s hackers are cybercriminals who are motivated by one thing: money. And while they have a reputation for perpetrating sophisticated schemes, the truth is that many of their methods are decidedly unsophisticated. Ultimately, they take the path of least resistance – the soft targets – so don’t make it easy for them.
4 Educate, educate, educate

Cyber security isn’t IT’s responsibility – it’s everybody’s responsibility. The most sophisticated security tools can protect your business from a lot of malware and viruses, but they can’t defend you from users who fail to practice proper cyber hygiene. Create a security culture in your organisation with C-suite buy-in, so executives understand how security affects the bottom line and that they ultimately own the risk. Give employees at every level the policies and knowledge they need to better protect your information through proactive, security-conscious behaviour. Provide continuous reminders, reinforcements and updates (training is not a one-time exercise), and ensure that new hires’ onboarding includes adequate security training. Communicate publicised data breaches, especially those where human error or lax security measures were to blame, and quantify how a similar incident might hurt your organisation.
5 Secure web applications and mobile devices

Improve your ability to manage web application vulnerability by using a web application firewall (WAF). Secure coding is simply not enough to protect information assets. Vulnerabilities in development languages (for example, Python), increasingly complex methods of obfuscation and a seemingly constant stream of issues with SSL/TLS mean that applying security policies to individual application servers is either impossible or operationally very difficult. Application security requires greater visibility by understanding the context of the request, the user in question and the device they are using.

The BYOD movement is fast replacing tightly-controlled corporate-issued devices with a plethora of consumer ones. Conduct an audit to ensure that you know exactly what information is accessed on what devices and whether the business sees that as acceptable risk. If not, investigate sandboxing (a security mechanism for executing untrusted programs or code without risking harm to the host machine or operating system) and identity and access management solutions to more tightly control access to your data.
6 Secure the cloud

If you are implementing a SaaS program or hosted cloud environment, you must hold your supplier to account to at least the same standards you would apply to your own data centre, and ensure business data cannot be leaked, data privacy is maintained, and network connection points are secured. Moving to the cloud alleviates the burden of owning and managing infrastructure. Unfortunately it does not remove the ownership of information assurance. Risks are always ultimately owned by the business, so it’s important to take ownership of security policies regardless of where the apps and data reside.
7 Bring IT out of the shadows

Demand for new applications often outstrips the capacity of IT to provide them, so if you can’t provision services at the speed your organisation demands, lines of business will circumvent IT and turn to third-party infrastructure and services. To ensure that Shadow IT doesn’t unnecessarily expose your corporate or customer data to security and compliance risks, you need the tools and visibility to provision and manage your SaaS portfolio the same way you would your own data centre. Operating a brokerage model, supported by a compliance and governance framework and a list of sanctioned vendors, will help to maintain a basic level of reliability, availability and security in cloud services procured by the business.
8 Simplify and strengthen access control

Hackers are six times more successful at brute force attacks, thanks to breaches such as LinkedIn’s password dump. Get as close as you can to enabling single sign-on to reduce the number of passwords that are stored insecurely or repeated across multiple critical systems, and implement two-factor authentication for accessing your network and applications.
9 Scan, test and scan again

Vulnerabilities are never a point-in-time occurrence; you must have a continuous testing process with a full suite of tools specific to the systems and software in your environment. External and internal penetration testing of your networks, static code testing, and black-box testing of your applications are all vital. And re-test your applications every time the code changes.
10 Hire security-savvy application developers

Those who understand and apply secure application design, coding and testing practices can substantially reduce application security risks through the use of techniques such as threat modelling and architectural risk analysis. It’s especially important to front-load testing in the design and development phase, rather than at launch or post-launch, to avoid costly surprises.
Best practices for end users

Use strong, unique passwords for every account. Use a password manager to store them securely.

Never use open WiFi networks without automatically establishing a secure VPN connection.

Keep operating system software updated.

Update anti-virus, anti-malware, anti-spyware and firewall software regularly, as even these can be vectors for attacking your systems. Learn to differentiate between legitimate and fake antivirus messages.

Surf and email wisely. Never click on links or attachments from unknown or untrustworthy sources. Check out suspicious URLs before clicking on them.

Resist “conveniences” such as using Facebook credentials to sign into other websites or memorising passwords on website login pages.

Never share company information using unapproved web applications (such as Dropbox).

Understand web browser SSL/TLS certificate warnings and appreciate the risks they imply – a certificate warning might mean your communications are being intercepted.
F5 Labs ‘Threat Intelligence’ can help

Few organisations today have the internal resources and threat intelligence to fight cyber risks single-handedly. That’s where F5 comes in. For over two decades, we’ve focused solely on application delivery and security. We understand applications and the network at the deepest levels, and our placement in the network gives us a unique vantage point into the world of IT security.

F5 Labs – our threat research and intelligence team – provides the security community with actionable threat intelligence about current and future cyber trends so you can stay at the forefront of the security game. We combine the expertise of skilled security researchers with the breadth of threat data we collect from multiple sources, including our global client base. We look at everything from threat actors, to the nature and source of attacks, to evolving techniques, tools and tactics, and provide post-attack analysis of significant incidents.

Our goal is to create a comprehensive, 360 degree view of the threat landscape – the same way our customers experience it. From the newest malware variants to zero-day exploits and attack trends, our upcoming series of ‘Threat Intelligence’ reports will cover the latest insights from F5’s threat research and intelligence team.