Lessons from the Google hack for Universities, part I

    More details are coming out about the Google/China hacking incident. There’s even talk of how resistance is futile.

    Dave Aitel from Immunity, who is one of the top guys out there on the offensive side, has been making this point for a while. Given a modern penetration toolkit (Canvas for the flush, Metasploit for the cheap), breaking into nearly any organisation is possible. Given more resources, pretty much anything softer than GCHQ/NSA is a target. It’s just a matter of time, effort and economics: how many person-days is it worth the attacker spending on breaking in?

    For the defender, things are muddied even further by unpatched bugs, or zero-days. How do you defend against an attack for which no patch, anti-virus signature or IPS rule exists? To quote Dave again:

    Everyone says an attack is “sophisticated” whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.

    Universities can perhaps be less worried by this than most, but not for good reasons. Attackers use their resources wisely: there’s no need to spend an expensively developed zero-day Internet Explorer exploit when there’s an unpatched copy of WordPress running on the user webserver and no DMZ.

    For most people and organisations this is somewhere between unpalatable and unacceptable. It’s saying that even if we keep all our systems patched and make sure every PHP app anywhere on the network is secure, we’ll still be 0wn3d. And the reality is that most Universities (especially the older ones) are so devolved that even getting everything patched is a Sisyphean task.

    So if a senior manager asks “What is the point of employing these InfoSec staff if we are going to be broken into anyway?” it’d be best to have a good response ready. That’s something we’ll return to in a future post (along with a post on the mechanics of how targeted attacks work).
