Think like a hacker
Common defences lead to common bypasses, says SensePost.
Blindly following accepted best practices can open up opportunities for attackers to exploit well-known defences.
This sentiment was driven home by Dominic White, SensePost CTO, and Jeremy du Bruyn, SensePost senior penetration tester, at the 8th annual ITWeb Security Summit, in Sandton, yesterday.
Common defences lead to common bypasses, and common defences lose traction over time as attackers adapt, said White. "We have to understand how attackers attack and acknowledge the problem to build more innovative defences."
He compared company defences to a wall. "Attackers try to get over it. The first time they get over a wall, that high is hard, but the second time is easier, and if your wall looks like everyone's wall, it's easier to get over. Attackers get more and more advanced, and as defenders, all we do is make the wall higher, as the body of best practices gets bigger.
"If it's not untenable now, it will be later - at some point, there'll be too much best practice for you to implement," he added.
White and Du Bruyn detailed several common security best practices, explaining that "popular defence patterns lead to popular attack patterns to bypass them. Knowing these attack patterns can help you avoid them."
For example, common password-setting best practice is to enforce complexity, which merely forces employees to find coping mechanisms such as the infamous "Password1". Lockout periods after too many incorrect passwords are another best practice, continued Du Bruyn, but this is a vertical defence and does not prevent hackers from trying a horizontal attack - attempting one password across all accounts in the hope that it will work on one.
"Best practices create vulnerability, because everyone is doing the same thing, which lets attackers optimise," he explained. "The actual attacks aren't being looked for. We implement account lockout and then monitor how many get locked out. What we should be looking for is the number of failed passwords coming from a single source."
The defence solution, according to Du Bruyn, is differentiation: blacklist common passwords, monitor for horizontal attacks, use two-factor authentication, and enforce length - 15 or more characters - rather than complexity. "Attackers haven't been able to optimise for a 15-character password policy," he said.
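As an added illustration (not code from the talk or the article), the script below contrasts the per-account count that lockout monitoring reports with the per-source count Du Bruyn says defenders should watch, and applies the length-plus-blocklist policy he recommends. The log format, addresses and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log: "time source_ip account result".
# One source fails once against each of seven accounts; another source
# fails twice against a single account before succeeding.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 alice FAIL
09:00:02 10.0.0.5 bob FAIL
09:00:03 10.0.0.5 carol FAIL
09:00:04 10.0.0.5 dave FAIL
09:00:05 10.0.0.5 erin FAIL
09:00:06 10.0.0.5 frank FAIL
09:00:10 192.168.1.20 alice FAIL
09:00:11 192.168.1.20 alice FAIL
09:00:12 192.168.1.20 alice OK
09:00:20 10.0.0.5 grace FAIL
"""

def parse_log(text):
    """Yield (source, account, result) tuples from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def failures_per_account(text):
    """The vertical view that account lockout monitors: failures per account."""
    counts = defaultdict(int)
    for _src, account, result in parse_log(text):
        if result == "FAIL":
            counts[account] += 1
    return dict(counts)

def find_horizontal_attacks(text, min_accounts=5):
    """The view the speakers recommend: sources whose failures are spread
    across many distinct accounts, which a per-account lockout never trips."""
    accounts_by_source = defaultdict(set)
    for src, account, result in parse_log(text):
        if result == "FAIL":
            accounts_by_source[src].add(account)
    return {src: sorted(accts) for src, accts in accounts_by_source.items()
            if len(accts) >= min_accounts}

def password_policy_ok(password, blocklist, min_length=15):
    """Length and common-password blocklist instead of complexity rules."""
    return len(password) >= min_length and password.lower() not in blocklist
```

With a typical lockout threshold of five failures no account in the sample is locked out, yet a single source has failed against seven different accounts.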
A further problem, said White, is that many security basics are impossible to attain. It is not feasible to patch every piece of software on every machine, so prioritisation is important. "Use hacker tools to find the machines your risk- or compliance-based focus didn't care about.
"Don't just look at where you think attackers will be going - they'll be going in the other direction," he added - towards machines considered unimportant.
Creativity is paramount, noted Du Bruyn. "One thing that I want to make very abundant is that these are just sample attacks against best practices: so don't take these and implement just these, but think about the problem in the way we've shown you."