Bypassing Security Controls: Weapons to Commit Cyber Crime

Larry Boettger / December 13, 2016

The Problem

Not too long ago, firewalls, intrusion detection/prevention systems, and anti-malware controls were the targets of cyber criminals. If they could bypass these controls, they had a higher probability of reaching your sensitive data and systems, which is the payday: this is how criminals make their money or meet their other objectives (ransomware, hacktivism, espionage, warfare, etc.). To defeat these core controls, cyber criminals worked out some universal bypass methods:

  • Fragment packets while conducting port scans, so that a stateless packet filter never sees a complete transport header to inspect

  • Alter or spoof headers so that packets appear to belong to a different protocol (tunnelling TCP or UDP traffic inside ICMP is one common example)

  • Spoof source addresses so that packets appear to originate from inside the firewall

  • Deliver malicious files (malware, rootkits, etc.) to the target systems over the spoofed protocols and addresses the firewall allows through

  • Disable anti-malware on the endpoint

  • Build malware that the anti-malware has no signature for yet (the "0-day" samples that precede a detection signature)
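As an added example (not code from the original post), here is a small Python check for the first bullet: it parses raw IPv4 headers and flags fragments shaped to get a TCP header past a stateless filter, using the two rules RFC 1858 recommends (a first fragment too short to hold the TCP ports and flags, and a fragment at offset 8 that overlaps the TCP header). The packets are constructed inline for the example; the addresses, the threshold and the function names are assumptions.

```python
"""Flag IPv4 fragments shaped to slip a TCP header past a stateless filter.

Added example; not code from the original post. The two rules are the ones
RFC 1858 recommends for fragment filtering:
  * a first fragment (offset 0) of a TCP packet carrying fewer than TMIN
    bytes of transport data cannot hold the ports and flags a filter needs;
  * a fragment at offset 8 (fragment offset field == 1) would overwrite
    bytes 8..15 of the TCP header, which is the overlap trick.
Sample packets below are constructed for this example, not captured.
"""
import struct
from typing import Optional

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options
TCP = 6
TMIN = 16  # minimum transport bytes in a first fragment (RFC 1858 suggestion)


def parse_ipv4(raw: bytes) -> dict:
    """Return the header fields the fragment checks need."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = IPV4_HDR.unpack_from(raw)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,    # fragment offset in bytes
        "payload_len": total_len - ihl,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def check_fragment(raw: bytes, tmin: int = TMIN) -> Optional[str]:
    """Return a reason if the fragment looks evasive, else None."""
    pkt = parse_ipv4(raw)
    if pkt["proto"] != TCP:
        return None
    who = f"{pkt['src']} -> {pkt['dst']} id={pkt['id']:#06x}"
    if pkt["offset"] == 0 and pkt["mf"] and pkt["payload_len"] < tmin:
        return f"tiny first fragment ({pkt['payload_len']} transport bytes) {who}"
    if pkt["offset"] == 8:
        return f"fragment at offset 8 overlaps TCP header {who}"
    return None


def build_ipv4(src: str, dst: str, ident: int, mf: bool,
               offset_bytes: int, payload: bytes, proto: int = TCP) -> bytes:
    """Assemble a minimal IPv4 packet for inspection (checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                        bytes(int(o) for o in src.split(".")),
                        bytes(int(o) for o in dst.split(".")))
    return hdr + payload


# Constructed samples: an 8-byte first fragment (ports + sequence number only),
# an overlapping second fragment, and a normally sized first fragment.
SAMPLES = {
    "tiny":    build_ipv4("203.0.113.9", "192.0.2.10", 0x1234, True, 0,
                          b"\x00\x50\x00\x16\x00\x00\x00\x01"),
    "overlap": build_ipv4("203.0.113.9", "192.0.2.10", 0x1234, False, 8, b"\x00" * 12),
    "normal":  build_ipv4("198.51.100.4", "192.0.2.10", 0x4321, True, 0, b"\x00" * 40),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to the check result (None when it passes)."""
    return {name: check_fragment(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reason in scan_samples().items():
        print(f"{name:8s} {reason or 'ok'}")
```

RFC 1858 recommends dropping both cases outright, since a normal TCP/IP stack does not produce fragments that small; in practice this logic belongs in the perimeter filter or an IDS fragment preprocessor rather than in a script.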

These bypass methods are still in use today. However, advances in technology and additional layers of defense (Data Loss Prevention (DLP), Web Application Firewalls (WAF), File Integrity Monitoring (FIM), Network Access Control (NAC), etc.) have made it harder for criminals to get past the core controls this way. Criminals have had to adapt to the added layers. Some of the ways they have succeeded in bypassing them include:

  • Social engineering attacks such as phishing, pretexting (calling the user), and physical attacks such as leaving USB drives in your parking lot or in common areas inside your organization. The intent of these attacks is to deceive the user into unintentionally installing malicious code that bypasses the security controls. Once inside the network, either remotely through backdoors created by the malware or physically on premises, the criminal works toward valuable data (Protected Health Information, Personally Identifiable Information, credit card numbers, etc.) and exfiltrates it to a location on the internet that the criminal controls.

  • NAC bypass methods, such as spoofing the MAC address of a device that is authorized on the network but cannot run a NAC agent. Another popular method is to piggy-back on an authorized system, for example by compromising a user's computer and using it to attack other computers.

  • DLP control bypasses: disabling the DLP software, encrypting the data and sending it over an allowed communication protocol so that content inspection sees only ciphertext, or creating a virtual machine on the compromised system to hide activity from host-based agents.
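The DLP bullet deserves a worked example, added here and not part of the original post. It shows both sides: a toy stream cipher standing in for whatever the attacker uses to wrap the data before upload, and the defender's fallback once content inspection can only see ciphertext, which is to score outbound upload bodies by Shannon entropy and size rather than by pattern. The log records, field names, threshold, and the patient-record text are all constructed for the example; the cipher is illustrative only and not a recommendation.

```python
"""Why encrypting before upload beats pattern-matching DLP, and what to check instead.

Added example; not code from the original post. Records, field names and the
entropy threshold are constructed assumptions, not a real product's schema.
"""
import hashlib
import math
import re
from collections import Counter

# What a pattern-based DLP rule might look for (constructed: medical record numbers).
DLP_PATTERN = re.compile(rb"\bMRN \d{5,}\b")
# Bits of entropy per byte above which a body looks compressed or encrypted.
ENTROPY_THRESHOLD = 7.5
MIN_BODY = 4096  # short bodies give unreliable entropy estimates


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic pseudorandom bytes from SHA-256 in counter mode (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Attacker side: wrap the data so content inspection sees only noise."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(record: dict) -> set:
    """Defender side: return the set of reasons this upload should be flagged."""
    body = record["body"]
    reasons = set()
    if DLP_PATTERN.search(body):
        reasons.add("pattern")            # the classic DLP hit
    if len(body) >= MIN_BODY and shannon_entropy(body) >= ENTROPY_THRESHOLD:
        reasons.add("entropy")            # large and unreadable: ciphertext or archive
    return reasons


# Constructed data: a few kilobytes of fake patient records, sent in the clear
# and then encrypted, plus an innocuous small request.
PLAINTEXT = (b"Patient: Jane Doe, DOB 1970-01-01, MRN 0012345, Dx: hypertension\n") * 100
RECORDS = [
    {"src": "10.20.30.40", "dst": "files.example.net", "method": "POST", "body": PLAINTEXT},
    {"src": "10.20.30.40", "dst": "files.example.net", "method": "POST",
     "body": xor_encrypt(b"attacker-key", PLAINTEXT)},
    {"src": "10.20.30.41", "dst": "mail.example.net", "method": "POST",
     "body": b'{"subject": "lunch?"}'},
]


def find_flagged(records=RECORDS) -> list:
    """(src, dst, sorted reasons) for every record that trips at least one check."""
    return [(r["src"], r["dst"], sorted(classify(r)))
            for r in records if classify(r)]


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['src']} -> {r['dst']}: {len(r['body'])} bytes, "
              f"entropy {shannon_entropy(r['body']):.2f}, flags {sorted(classify(r)) or '-'}")
```

The pattern rule catches the clear-text upload and misses the encrypted copy; the entropy rule does the opposite. A high-entropy score alone is not a verdict, since legitimate uploads of archives, images and already-encrypted files look the same, so pair it with destination allowlists and per-user volume baselines before acting on it.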

The Solution

Most organizations conduct risk assessments, vulnerability assessments, and/or penetration tests to identify weaknesses in policy, procedures and practices, technology configuration, and application development security. In most cases, however, these assessments do not include an in-depth analysis of whether your existing controls can be bypassed. To reduce that risk, your organization should include a regular assessment of whether your security controls can be bypassed. Heartland Business Systems calls this a Cyber Threat Assessment. Its value is that it identifies, analyzes and reports on:

  • Systems that have undetected malware on them. Given that anti-malware is in general only about 25-30% effective (an estimate; the rate varies by product and by how new the sample is), malware is present in many organizations today. Most infections happen without the user knowing; they are typically introduced by email phishing or during normal web browsing.

  • High-risk applications that could allow data exfiltration. With the prevalence of online tools such as web-based email, internet file sharing, and anonymizing services, employees can easily bypass many of your corporate controls.

  • Data leakage that is occurring now. Because of high-risk applications on the company network, as well as potential misconfigurations, sensitive or confidential company or customer information may be leaving your network unprotected.

  • Attacks that may be occurring now. Internet attacks are largely automated today; a human attacker typically engages only after a network has been compromised. Every device attached to the internet is probed each and every day.

Final Thoughts

Identifying the ways criminals are bypassing your controls is an important component of your overall cyber security program. Conduct regular assessments of how your security controls can be bypassed to mitigate data exfiltration risk. Contact HBS to discuss the details of our Cyber Threat Assessment services.

About the Author

Larry Boettger
Lead Security Consulting Engineer

Larry brings almost 20 years of technology and security experience. He has specialized in the Healthcare, Financial, and Retail (PCI) verticals; in addition, he has the breadth and depth of knowledge and experience needed to provide end-to-end Information Security and Privacy solutions to nearly any industry. Larry also brings 15+ years of experience with security, compliance, and regulatory or industry audits for HIPAA, PCI, FFIEC, GLBA, and SEC, as well as state privacy rules and regulations. He is a strong leader who has developed and managed technology and security programs for several large and complex organizations.
