
Why can’t you detect breaches?

Recent reports of the Hilton Hotel Group’s Point of Sale (POS) systems being breached so that attackers could harvest credit card data were the latest in a series of attacks directed at the hospitality sector. They show that today’s advanced, targeted attacks can bypass standard security defences and remain undetected for long periods while exfiltrating valuable information.

According to John Mc Loughlin, MD of J2 Software, organisations whose security strategies focus on products and tools such as access control and identity management will struggle, because today’s advanced threats cannot be prevented with yesterday’s controls, or without an understanding of the threats themselves.

“POS systems in hospitality and retail usually run on Windows operating systems, as do ATMs – the same operating system that most PCs and laptops run on. That makes it much easier for cyber criminals to gain entry into these machines than organisations realise. Companies need to actually know what is going on at the endpoints in order to mitigate attacks,” he says.

“Today’s attacks are stealthy, sophisticated and highly targeted. Targeted attacks need a targeted defence. An effective security strategy is not about preventative tools. It requires a far greater focus on understanding the threats that organisations are facing, and following that, on detection of, and response to, such threats. Traditional security products’ signature-based, mud-against-the-wall approach cannot cope with highly customised targeted attacks and the threat actors behind them, who are after specific information. These cyber criminal groups employ malware, social engineering and other techniques that have been specifically designed to slip through the defence nets provided by standard security tools,” Mc Loughlin explains.

Because threat actors usually follow similar patterns, there are several ways businesses can root them out before they wreak too much havoc. Mc Loughlin says that attacks arrive via several vectors. First among them is spear phishing, where a threat actor targets a particular group of individuals, be it employees of a specific organisation or members of a particular association, and sends them an email purporting to come from a legitimate source. The email asks the recipient to take an action, and will either include malicious links to Web sites controlled by the criminals or a malicious attachment that infects the target’s machine. Another is a zero-day exploit: code that exploits a vulnerability the vendor has not yet disclosed or patched, and which can be used to compromise an application, PC or network.

Once they have successfully spear-phished an individual and breached the network, or obtained entry via a zero-day exploit or network vulnerability, cyber criminals carry out a series of activities to entrench themselves and compromise the organisation’s systems. “They can end up lurking around a network undetected for months, fortifying their position, exfiltrating or modifying data, as was the case in some of the hotel breaches.”

He says that this is why it is vital that companies have ongoing and automated end-user visibility to pick up changes in behaviour. “Using a tool like SystemSkan’s behavioural monitoring, the company can be alerted to changes in human or machine behaviour immediately. We have the ability to tell those responsible for security that the malware has been added, what files have moved, and they can then immediately remediate the risk. As you can see from these and other breaches – these attacks happen over extended periods of time. I feel it is more important to stop them now than to try and hunt them down long after the fact,” Mc Loughlin concludes.
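The kind of endpoint change the article says monitoring should surface (malware dropped on a POS terminal, a data file moved to a staging location, a configuration file altered) can be illustrated with a baseline-diff check. The block below is an added example written for this page; it is not SystemSkan’s code or J2 Software’s method. The file snapshots, paths and contents are constructed sample data, and the staging directories and executable extensions used for prioritisation are assumptions chosen for illustration.

```python
"""Added example: baseline-diff detection of added, moved, modified and
removed files on an endpoint. Not SystemSkan's code; all data is constructed."""
import hashlib

# Assumed for illustration: locations where a dropped or staged file is suspicious.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")

# Constructed sample data: a clean baseline of a Windows POS terminal.
BASELINE = {
    r"C:\POS\pos.exe": b"pos-application-v1",
    r"C:\POS\config.ini": b"server=10.0.0.5",
    r"C:\POS\logs\track2.dat": b"card-data-buffer",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost",
}

# Constructed sample data: the same terminal after a hypothetical intrusion.
CURRENT = {
    r"C:\POS\pos.exe": b"pos-application-v1",
    r"C:\POS\config.ini": b"server=203.0.113.9",               # modified
    r"C:\Users\Public\track2.dat": b"card-data-buffer",         # moved for exfil
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost",
    r"C:\Users\pos\AppData\Local\Temp\svchost.exe": b"fake-svchost",  # dropped
}


def snapshot(files):
    """Build a baseline: path -> sha256 of the file content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_snapshots(baseline, current):
    """Compare two snapshots. A vanished path whose content reappears under a new
    path is reported as a move, not as a remove plus an add."""
    findings = {"added": [], "moved": [], "modified": [], "removed": []}
    for path in sorted(set(baseline) & set(current)):
        if baseline[path] != current[path]:
            findings["modified"].append(path)
    gone = {p: h for p, h in baseline.items() if p not in current}
    new = {p: h for p, h in current.items() if p not in baseline}
    gone_by_hash = {}
    for path, digest in gone.items():
        gone_by_hash.setdefault(digest, []).append(path)
    for new_path in sorted(new):
        candidates = gone_by_hash.get(new[new_path])
        if candidates:
            findings["moved"].append((candidates.pop(0), new_path))
        else:
            findings["added"].append(new_path)
    for paths in gone_by_hash.values():
        findings["removed"].extend(paths)
    findings["removed"].sort()
    return findings


def alerts(findings):
    """Rank findings: executables landing in staging directories and data files
    moved into them are HIGH; config changes MEDIUM; everything else INFO."""
    out = []
    for path in findings["added"]:
        low = path.lower()
        if low.endswith(EXEC_EXT) and any(d in low for d in SUSPICIOUS_DIRS):
            out.append(f"HIGH added executable in staging dir: {path}")
        else:
            out.append(f"INFO added: {path}")
    for old, new in findings["moved"]:
        sev = "HIGH" if any(d in new.lower() for d in SUSPICIOUS_DIRS) else "INFO"
        out.append(f"{sev} moved: {old} -> {new}")
    for path in findings["modified"]:
        out.append(f"MEDIUM modified: {path}")
    for path in findings["removed"]:
        out.append(f"INFO removed: {path}")
    return out


def example_findings():
    """Run the diff over the constructed baseline and current snapshots."""
    return diff_snapshots(snapshot(BASELINE), snapshot(CURRENT))


if __name__ == "__main__":
    for line in alerts(example_findings()):
        print(line)
```

In practice the baseline would be captured from a known-good image and the current snapshot collected on a schedule or on file-system events; the point of the move detection is that a card-data file copied to a public directory keeps its hash, so a plain "new file" check that ignores content would miss the staging step.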