
F5 Hero Asset - Inside the head of a Hacker Final

Page 1: F5 Hero Asset - Inside the head of a Hacker Final

10 ways to safeguard your business from the growing threat of cyber attacks


Inside the head of a Hacker


72% of attacks target user identities and applications, not servers and networks


At a time of evolving and ever-present cyber threats, information security isn’t just an IT issue – it’s a business issue. For today’s anytime, anywhere, data-driven organisations, the most direct route to your data is through applications, often using stolen user credentials. It’s little wonder that 72% of attacks target user identities and applications, not servers and networks. Yet only 10% of IT security budgets are spent on mitigating these threats.

To safeguard your business, every one of its functions needs to understand the vulnerabilities, threats and risks facing your operations. This guide will steer you through the current security landscape, explore why, how and where your business may be vulnerable, and give you 10 practical steps you can take to help you anticipate and avert impending threats.


Profile of a Hacker

Cyber criminals: The most commonly known hacker profile, these can range from individuals to small groups to worldwide organised crime groups. Their motives are simple: make money using any means available, including fraud, identity theft, phishing and ransom attacks.

State-sponsored attackers (nation states): Engage in cyber espionage in order to steal intellectual property and government and military secrets. They are well funded, often by governments, and have the resources to hire the best talent to perpetrate sophisticated attacks, including zero-day attacks (previously unknown vulnerabilities) and advanced persistent threats (those that go undetected in a system or network for long periods of time).

Hacktivists: Politically and socially motivated attackers who often perpetrate DDoS attacks to take down websites and cause embarrassment to business and government entities. Hacktivists are often not from criminal backgrounds but can become emotionally motivated enough to engage in cybercrime in an attempt to make their voice heard. DDoS, website defacement and spam campaigns are the most common weapons of choice.

Cyber terrorists: Considered by some to be the most dangerous type of hacker, they are religiously or politically motivated. Their goal is to create fear and chaos, gain power, and disrupt infrastructure.

Attribution: Though it is often difficult to attain accurate attack attribution (discovering and assigning responsibility for an attack), there is often a perceived overlap between cyber-terrorist and state-sponsored actions. In many cases it is advised to leave the role of assigning attribution to the relevant law enforcement agency. The organisation should instead focus on understanding the information assets which may be seen as most valuable to attackers and evaluating the different methods by which they may be compromised.

The scale of the threat

The nature, type, reach, frequency and severity of cyber attacks are dramatically increasing. Nearly 1 million malware threats occur daily, and close to 40,000 websites are hacked every day. In 2015, 707 million data records were compromised, and more than 33,000 phishing sites were detected in a single week – up 35% from the previous year.

Distributed Denial of Service attacks (DDoS: an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources), once perpetrated only by experienced hackers, are up exponentially, due largely to readily available, easy-to-use attack tools within reach of the most unsophisticated, unskilled user.

Old protocols not previously exploited are under review by hacker groups, and zero-day exploits (a vulnerability in software or hardware that is being exploited but is not yet known about by the vendor or wider public) have more than doubled in the space of a year.

Hackers are also using social media to their advantage, with techniques like spear phishing (an email spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data), or injection exploits (an attack mechanism that combines malicious code into a vulnerable program with normal user input, often used to steal cookies for session hijacking) where user-generated content leaves web applications vulnerable.

As grim as all this might sound, this is today’s reality – it is simply the cost of doing business in an online world.


Demystifying the security landscape

New ways of working bring new complexity


It used to be the case that enterprise applications resided in corporate-owned data centres, accessed by users through a direct network connection. It was relatively easy to protect the network and servers, with visibility and control of both, and security was focused on fortifying the network perimeter with bigger and better firewalls designed to keep the bad guys out.

Today, our world looks vastly different. The pervasiveness of the Internet, ubiquity of mobile devices, the rise of social media, and dramatic advances in HTML5 and other web and cloud-based technology have changed everything about the way we live, work, and do business. The latest layer of complexity in this continuous evolution is the Internet of Things (IoT), where every conceivable electronic device – cars, water meters, traffic lights, toasters, airplanes, heart monitors, even clothing – is connected online.

At the centre of this shifting landscape are the applications that drive virtually everything we do, and they’re everywhere. Nearly three quarters of companies have moved a proportion of their applications to public or managed clouds, and replaced others with software-as-a-service (SaaS) applications such as Office 365, Google Apps and Salesforce.

Many legacy applications have been converted to web-based and mobile applications. Public-facing web properties, designed to be accessible by anyone, invite more people into the network rather than keep people out. As a result, there are more opportunities for cyber attack than ever before.

When, where and how we work is changing

Working practices are changing, with increasingly mobile employees doing their jobs from multiple locations, often over unsecured networks, such as public WiFi hotspots in coffee shops. Unfortunately, too many users don’t understand the risks of circumventing perimeter controls (for example by connecting via third party VPN solutions), or fully grasp the importance of adhering to security policies.

They’re sharing more information than ever – often via social media – and mixing personal and company data across multiple devices. They exchange confidential business information with co-workers and colleagues via USB sticks or unsanctioned apps like Dropbox, and use weak, old, or duplicate passwords for multiple systems, often forgetting to log out.

What’s good for the user may be bad for business

While the drive toward an all-encrypted, “SSL Everywhere” internet seeks to improve privacy for individuals – for example, by protecting mobile banking transactions – it simultaneously creates new blind spots for IT because traditional security solutions (network firewalls, intrusion detection and protection, and data loss prevention systems) aren’t able to decrypt encrypted traffic. Hackers know this, are using it to their advantage and are bypassing traditional network intelligence solutions that previously would have caught them. Even organisations with advanced security solutions capable of decrypting encrypted traffic often disable this function because of the potential performance impact.

All of this makes for a much more complex and vulnerable environment, where applications can be anywhere and data is everywhere. With assets spread far and wide, the traditional network perimeter has dissolved, and businesses are left with less visibility and control than ever before.


IT security trends: what the research tells us

The latest research from the Ponemon Institute “Application Security in the Changing Risk Landscape (July 2016)” reveals some worrying gaps in security provisions in a poll of IT and IT security practitioners in the US.

Attacks at the application layer are worse than at the network layer. The application layer of the Open Systems Interconnection (OSI) model accommodates the user interface and other key functions such as Application Programming Interfaces (APIs) giving hackers the widest attack surface. When exploited, the entire application can be manipulated, user data stolen, or the network shut down completely.

63% of attacks at the application layer are harder to detect than at the network layer

67% of attacks at the application layer are harder to contain than at the network layer

50% say the application layer is attacked more often than the network layer

58% of attacks on the application layer are more severe than at the network layer

18% of security spend is allocated to application security – less than half of that going on network security

1,175 is the average number of applications in an organisation

33% of apps are considered mission critical

37% of business applications are in the cloud

31% of business applications are delivered via mobile

66% of IT teams don’t have visibility of all the applications deployed in their organisation

56% believe accountability for application security is shifting from IT to the end user or application owner

21% think the CIO or CTO is accountable

20% believe no single person or department is accountable

20% think business units are accountable

19% believe application development teams are accountable

Mobile and cloud applications are proliferating.

Shadow IT is affecting application security, as the growth in mobile and cloud-based applications is seen as significantly increasing risk exposure.

Accountability for application security is unclear.

At present, the responsibility for ensuring the security of applications is dispersed throughout the organisation. With such fragmentation, it’s no wonder potential vulnerabilities are introduced.

The hard consequences of a reactive approach

If you don’t approach application security proactively, your organisation runs the risk of a rise in the number of security incidents, both detected and undetected. You may incur direct financial losses from a data breach, or reputational damage which may deter investors and drive customers into the arms of your competitors.

Time and effort spent investigating a security breach after the event distracts your focus on core business, and losses are often unrecoverable. And because information security is fast becoming a differentiator in today’s connected world, you may find your business falling behind rivals who can offer greater assurances in the face of privacy concerns.


90% of today’s IT security budgets are still spent on everything but protecting applications and user identities


10 steps to strengthen your security posture


The point of drawing attention to these risks and threats is not to induce fear among organisations, but to highlight the proliferation and impact of cyber attacks, and to equip businesses with the knowledge, through threat intelligence, to bolster their security posture.

Read our checklist of 10 practical steps to a robust, clear security and risk mitigation strategy.

1 Budget for today’s realities

As much as 90% of today’s IT security budgets are still spent on everything but protecting applications and user identities, yet these are today’s primary targets of attack. Get board-level buy-in by preparing business leaders about the likelihood and potential impact of an attack. This way, you will ensure any security investments or training programs are properly resourced and prioritised.

2 Know the risks

F5 can help organisations gain the intelligence they need to perform a risk assessment and take action (see below), but it’s also essential to familiarise yourself with the OWASP Top 10: the Open Web Application Security Project – a non-profit organisation focused on improving software security. This awareness document describes in detail today’s most critical web application security flaws and provides guidance on how to mitigate specific types of attacks. Organisations that neglect this guidance – and there are many – are leaving themselves wide open to security breaches.

3 Know your enemy

Understand hackers’ motivations, targets, and tactics (see Profile of a Hacker). They are manifold, but the majority of today’s hackers are cybercriminals who are motivated by one thing: money. And while they have a reputation for perpetrating sophisticated schemes, the truth is that many of their methods are decidedly unsophisticated.

Ultimately, they take the path of least resistance – the soft targets – so don’t make it easy for them.

4 Educate, educate, educate

Cyber security isn’t IT’s responsibility – it’s everybody’s responsibility. The most sophisticated security tools can protect your business from a lot of malware and viruses, but they can’t defend you from users who fail to practise proper cyber hygiene. Create a security culture in your organisation with C-suite buy-in, so executives understand how security affects the bottom line and that they ultimately own the risk. Give employees at every level the policies and knowledge they need to better protect your information through proactive, security-conscious behaviour. Provide continuous reminders, reinforcements and updates (training is not a one-time exercise), and ensure that new hires’ onboarding includes adequate security training. Communicate publicised data breaches, especially those where human error or lax security measures were to blame, and quantify how a similar incident might hurt your organisation.

5 Secure web applications & mobile devices

Improve your ability to manage web application vulnerability by using a web application firewall (WAF). Secure coding is simply not enough to protect information assets. Vulnerabilities in development languages (for example, Python), increasingly complex methods of obfuscation and a seemingly constant stream of issues with SSL/TLS mean that applying security policies to individual application servers is either impossible or operationally very difficult. Application security requires greater visibility, achieved by understanding the context of the request, the user in question and the device they are using.

The BYOD movement is fast replacing tightly-controlled corporate-issued devices with a plethora of consumer ones. Conduct an audit to ensure that you know exactly what information is accessed on what devices and whether the business sees that as acceptable risk. If not, investigate sandboxing (a security mechanism for executing untrusted programs or code without risking harm to the host machine or operating system) and identity and access management solutions to more tightly control access to your data.


6 Secure the cloud

If you are implementing a SaaS program or hosted cloud environment, you must hold your supplier to account to at least the same standards you would apply to your own data centre, and ensure business data cannot be leaked, data privacy is maintained, and network connection points are secured. Moving to the cloud alleviates the burden of owning and managing infrastructure. Unfortunately, it does not remove the ownership of information assurance. Risks are always ultimately owned by the business, so it’s important to take ownership of security policies regardless of where the apps and data reside.

7 Bring IT out of the shadows

Demand for new applications often outstrips the capacity of IT to provide them, so if you can’t provision services at the speed your organisation demands, lines of business will circumvent IT and turn to third-party infrastructure and services. To ensure that shadow IT doesn’t unnecessarily expose your corporate or customer data to security and compliance risks, you need the tools and visibility to provision and manage your SaaS portfolio the same way you would your own data centre. Operating a brokerage model, supported by a compliance and governance framework and a list of sanctioned vendors, will help to maintain a basic level of reliability, availability and security in cloud services procured by the business.

8 Simplify and strengthen access control

Hackers are six times more successful at brute force attacks, thanks to breaches such as LinkedIn’s password dump. Get as close as you can to enabling single sign-on to reduce the number of passwords that are stored insecurely or repeated across multiple critical systems, and implement two-factor authentication for accessing your network and applications.

9 Scan, test and scan again

Vulnerabilities are never a point-in-time occurrence; you must have a continuous testing process with a full suite of tools specific to the systems and software in your environment. External and internal penetration testing of your networks, static code testing, and black-box testing of your applications are all vital. And re-test your applications every time the code changes.

10 Hire security-savvy application developers

Those who understand and apply secure application design, coding and testing practices can substantially reduce application security risks through the use of techniques such as threat modelling and architectural risk analysis. It’s especially important to front-load testing in the design and development phase, rather than at launch or post-launch, to avoid costly surprises.


Best practices for end users

Use strong, unique passwords for every account. Use a password manager to store them securely.

Never use open WiFi networks without automatically establishing a secure VPN connection.

Keep operating system software updated.

Update anti-virus, anti-malware, anti-spyware and firewall software regularly, as even these can be vectors for attacking your systems. Learn to differentiate between legitimate and fake antivirus messages.

Surf and email wisely. Never click on links or attachments from unknown or untrustworthy sources. Check out suspicious URLs before clicking on them.

Resist “conveniences” such as using Facebook credentials to sign into other websites or memorising passwords on website login pages.

Never share company information using unapproved web applications (such as Dropbox).

Understand web browser SSL/TLS certificate warnings and appreciate the risks they indicate – a certificate warning might mean your communications are being intercepted.


F5 Labs ‘Threat Intelligence’ can help

Few organisations today have the internal resources and threat intelligence to fight cyber risks single-handedly. That’s where F5 comes in. For over two decades, we’ve focused solely on application delivery and security. We understand applications and the network at the deepest levels, and our placement in the network gives us a unique vantage point into the world of IT security.

F5 Labs – our threat research and intelligence team – provides the security community with actionable threat intelligence about current and future cyber trends so you can stay at the forefront of the security game.

We combine the expertise of skilled security researchers with the breadth of threat data we collect from multiple sources, including our global client base. We look at everything from threat actors, to the nature and source of attacks, to evolving techniques, tools and tactics, and provide post-attack analysis of significant incidents.

Our goal is to create a comprehensive, 360-degree view of the threat landscape – the same way our customers experience it. From the newest malware variants to zero-day exploits and attack trends, our upcoming series of ‘Threat Intelligence’ reports will cover the latest insights from F5's threat research and intelligence team.


©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.

f5.com/labs