Hello again! Welcome to my next installment with various slides I've stolen from my own presentations I'd deliver at conference
If you read last weeks installment on this Checkbox vs Checkbook Security you probably know by now that security is an area which is personally important to me.
With that said, let's dive a little deeper into what is often the IT Approach to security...
How many times have you heard someone say "I'm not a big enough target" heck, maybe you've even heard yourself say that.
Certainly in solidly targeted world where theater actors are striking to stop you from publishing what was otherwise a horrible movie (Sony) or you experience where credit card and customer data is to be stolen for purposes of stealing monies or other uses (JPMC/Chase) or where hundreds of millions are dollars are stolen from hundreds of banks (Too many sources to count).
Then sure, that puts you into the landscape of, "I'm not a big enough target, why would anyone bother with me!"
Let's not forget for a moment here though, that the security landscape is not hard and fast... attacking scripts and threat engines are indiscriminate in their assault at times. A perfect example is (taken from the old war-dialing days)... Just as we'd dial entire banks of phone numbers looking for modems to connect into, there are attackers who will cycle through entire IP banks while trying to exploit the latest zero day attack on the horizon. Most Wordpress sites that are hacked on a regular basis are not because they were targeted, it is because they were vulnerable.
Or if this analogy helps.. More people are likely to take something from a car with its windows open or its top down, than one which is all locked up.
What is it that makes us irrespective of size, a target?
I included this image here from my own threatmap to give you a sense of just what kinds of things can and do happen.
So the question then arises of, what exactly makes something 'targetable'
You are a target if:
- You are connected to a network
- You run a service which is accessible via a network protocol (TCP, IP, UDP, ICMP, Token-Ring...;))
- You run an application, server, service which has a vulnerability in it, whether known or unknown
- I just want to mention for a moment... Shellshock the Bash Vulnerability disclosed 24SEP2014 has been VULNERABLE since September 1989; just food for thought
So you're pretty much a target if you... Exist, Right? Wow that leaves us all warm and fuzzy I imagine...
But it doesn't have to be that way! You don't have to run in terror and shut everything down for fear of it being hacked. But in the same breath, we need not stick our head in the sand assuming that we are invincible and invulnerable because no one would ever attack us, or steal our data, or whatever other lies we tell ourselves to sleep at night.
Do you see a future with fewer Zero Day attacks or more critical ones being discovered which had existed for 25 years before being discovered (ala Shellshock) or introduced in the recent past such as Heartbleed?
You know I love your insight! So you tell me... How are you a target, or NOT a target! What other ways do you see people being a target? (I haven't even touched the mobile landscape...)
I look forward to your thoughts on this matter Thwack Community!