Topic of the week - Why me?
Why on earth would any attacker target my business? It's the usual story: "No one would be interested in my email and we don't do any on-line payment work, so why should we fix these vulnerabilities? Surely there are more valuable targets out there for attackers to chase after." We have been having this discussion quite a bit lately, so we refer to previous well-known reports like the Computer Crime Survey to illustrate a couple of key points:
- Threat and risk assessment should be more than a gut feeling; it should follow a well-understood process, such as those described in many standards.
- Threat and risk assessment should consider the value of your assets, not just from your own perspective, but from the perspective of an organised attacker.
And then, as if to back up this approach, a spam email (shown in the image on the right) popped into our spam gobbler.
In essence, the email is just another phishing email, much like plenty of others that we have seen before. What's interesting about this one is that, if you look at the source behind the link, you will see a legitimate business's URL. For the sake of the legitimate business, let's obfuscate the URL that was in the original phishing email and remove the company name, describing the URL as:
http://victimCompany.com/psjs_datalogs/index_files/login.htm
What can we see from this? Well, a couple of things:
- The victimCompany is not the ultimate target of the attacker; the real targets are the Internet-banking account holders. The victimCompany is compromised only so that malicious content hidden within its legitimate website can serve as a jump-off point for the attackers as they go after their real targets.
- The victimCompany may not have suffered any damage as a result of the initial compromise. DotSec attempted to contact the victimCompany to alert them to the compromise, but we did not hear back. However, it seems unlikely that the real company was aware of the dodgy web pages lurking within its legitimate website.
- This is another great example of the flaws in the "Why on earth would we be attacked?" approach to threat and risk assessment. The victimCompany is attacked not as a target in its own right, but so that the victimCompany's resources can be used in a subsequent attack.
At the end of the day, the issue is quite straightforward. Implement acceptable security based on an understanding of the threat and associated risks, and consider the value of your assets from an attacker's perspective as well as from your own.