It was not the first, and it will not be the last, such an attack. However, certain details have worried cybersecurity experts: First, the hackers used a zero-day exploit, that is, an as yet unknown flaw in the code, to execute their attack. Second, they targeted a company that is not as valuable a target as a bank, for example, but that is strategically important because of its connection to the companies it serves.
According to experts, independent hackers are improving their game, using advanced tools and strategies and operating like elite government-backed hackers rather than mere criminals.
While I don’t necessarily disagree with this assessment, I can’t help but wonder whether these experts have underestimated the global hacker community. Moreover, it is as if they are unaware of the current state and rapid growth of the global data infrastructure.
Globalization and unification
We live in a time when digital globalization and unification have reached the highest levels in history. Along with its benefits, this has brought multiple risks.
One is centralization. Instead of having a decentralized structure fragmented across multiple nodes, data is often stored in a unified system, meaning there is a single point of failure. When this system is eventually hacked, the attacker gains access to far more information and power than he would have had by compromising an isolated segment of the same system.
This is especially the case with cloud-based services. The growing monopoly power of tech giants and service providers in the developed world is another issue: a handful of companies now provide services to the vast majority of businesses, which therefore share one unified infrastructure and software backbone.
While it may not be obvious to the less tech-savvy, it is quite easy, even for a novice hacker, to discern which operating system (OS), content management system (CMS), marketing technology (martech) or other entry point their victims use, and what type of vulnerabilities (if any) exist for the version the victim is currently running.
It remains only to execute the attack and to cover the tracks.
Finally, the power of social engineering should never be underestimated; this approach is superior to any other because it yields access to valuable information regardless of the technical security in place. Indeed, experience has taught us that no system is immune to hacking.
It also means that the end goal shouldn’t be to make a system “impossible to hack”. Rather, the objective should be to limit and mitigate the damage that could result from a possible breach.
Deploying countermeasures that make hacking harder than it’s worth is a better tactic than luring in hackers with huge vaults of digital treasure. Instead of relying on “good old Windows” or WordPress, you have to use lesser-known, even custom, operating systems and software whose exploits are not publicly available.
But these investments require additional knowledge and funds, and companies are either reluctant, unskilled, or unable to do what is necessary.
However, businesses can do more to protect their data and their network.
Earlier in the article, I mentioned the significant benefits of decentralizing and fragmenting IT infrastructure as the best way to mitigate malicious attacks. These two characteristics are the defining characteristics of the zero trust principle.
The main concept behind zero trust is that devices do not need to be trusted by default, even if they are connected to a managed corporate network such as the corporate local area network (LAN) and have been previously verified. Each device on the network should only have access to the necessary software and infrastructure – for example, only an accountant’s computer should have access to the accounting software.
In this way, a hacker must overcome many obstacles, authenticate himself multiple times, and bypass many security procedures to accomplish his task – and even then, the data to which he has access is limited to what the hacked entity itself could reach.
The beauty of this approach was best demonstrated when hackers gained access to the Verkada cameras used in Cloudflare’s offices. As the company’s CTO said on the company’s blog:
“To be clear: this hack affected the cameras and nothing else. No customer data was consulted, no production system, no database, no encryption key, nothing. Some press reports indicate that we are using a facial recognition feature available in Verkada. This is not true. We don’t.
“Our internal systems follow the same zero trust model that we provide to our customers, and as such, our corporate office networks are not implicitly trusted by our other sites or data centers. From a security perspective, signing in from one of our corporate sites is no different than signing in from a non-Cloudflare site.”
A chain is only as strong as its weakest link. By applying the principles of zero trust, the network architect assumes that every link is the weakest one. In this case, it was the Verkada cameras.
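The access rule the article describes (per-request verification, least privilege per role, and no implicit trust for the corporate LAN) as an added Python illustration; this is not Cloudflare’s code, and the policy table, role names and device ids are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed sample policy: role -> resources that role may reach.
# Mirrors the article's rule that only the accountant's machine reaches
# the accounting software; a camera reaches only its own video service.
POLICY = {
    "accountant": frozenset({"accounting-app"}),
    "engineer": frozenset({"source-repo", "ci"}),
    "camera": frozenset({"video-storage"}),
}

# Constructed set of devices whose access has been pulled, e.g. after a
# vendor compromise like the camera incident described above.
REVOKED_DEVICES = frozenset({"cam-07"})


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_id: str
    device_attested: bool   # posture check (managed, patched) passed for this request
    mfa_passed: bool        # authentication is repeated per request, never cached
    source_network: str     # recorded for logging only; never a policy input
    resource: str


def decide(req: Request, revoked=REVOKED_DEVICES) -> tuple[bool, str]:
    """Evaluate one access request. Returns (allowed, reason)."""
    if req.device_id in revoked:
        return False, "device revoked"
    if not req.device_attested:
        return False, "device posture not verified"
    if not req.mfa_passed:
        return False, "authentication failed"
    if req.resource not in POLICY.get(req.role, frozenset()):
        return False, f"role {req.role!r} not authorised for {req.resource!r}"
    return True, "allowed"


def location_independent(req: Request) -> bool:
    """True when the decision is identical from the corporate LAN and the
    public internet, i.e. the LAN confers no implicit trust."""
    from_lan = decide(replace(req, source_network="corporate-lan"))
    from_web = decide(replace(req, source_network="internet"))
    return from_lan == from_web
```

A compromised camera asking for anything outside its own service is refused on role alone, and revoking its device id cuts it off even from that service.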
However, even with a zero trust model in place, a hacker could still get hold of valuable information, such as customer data.
Big data companies like to use (and abuse) data provided to them by their customers and users, and rarely implement adequate measures to protect it. Hackers are very aware of this neglect and are very happy to make use of stored credentials, which are of enormous value not only in the black market, but also for subsequent phishing and social engineering attacks.
So let’s add one more item to the list: businesses should ensure that consumer data is encrypted and, in the spirit of zero trust principles, used and accessed only as needed and in an encrypted state wherever possible.
However, the story of hacking does not end there. By now we have learned that hacking is bad. But are there any scenarios where hacking could be a good thing? Plus, do we really need non-hackable systems these days?
In an increasingly authoritarian world, it would be ill advised to strive for an infrastructure that is impervious to scrutiny and whistleblowers. Although businesses and government organizations do not like to remain vulnerable, it is imperative that unauthorized access to critical information remains possible in the event that these organizations exceed their limits, which has happened repeatedly over the course of history.
Edward Snowden’s act of social engineering has lifted the veil and exposed the damage the National Security Agency (NSA) has done to Americans’ personal freedoms. WikiLeaks and others have given the public the necessary insight into the work and actions of elected officials and organizations. Media organizations have done the same over the years, exposing corruption.
This type of unauthorized access allows for bottom-up control and should always be a welcome sight for truth-seekers and individuals who refuse to blindly trust anything governments and corporations do or say in their efforts to govern and not serve the citizens. Having this kind of built-in security is the protection of last resort against tyranny and, as such, should be a desirable weakness in the eyes of the average person.
Now, perhaps, more than ever.
What’s your take on recent hacks? Does your company or the company you work for employ any of the countermeasures mentioned in this article? Let me know in the comment section below.