In my daily interaction with Government bodies, Police and other public sector authorities, we are seeing a huge rise in attacks which are state sponsored and targeted at the Critical National Infrastructure. The real fight isn’t from stopping them getting in, it’s actually about how far within your organization you can stop them reaching.
Today’s attacks are crafted on a per-user basis on a mass scale designed to regularly compromise some subset of the systems within an organization. The objective of the attacks are to gain access to the internal network with a set of valid credentials (the higher privileged the better), and then try to jump around from machine to machine gathering more and more credentials and access.
To counter these attacks some of our customers, who are under active 7/24 attack have begun to rotate all passwords every 8 to 24 hours. This has created a nasty problem for attackers: not only are they limited to only one compromised system, but even this access is terminated automatically.
It appears that the attackers have a good understanding of common weaknesses focusing on default passwords, blank passwords, common passwords, shared passwords, and the use of publicly publishing password spreadsheets on shares.
The point to be made is simple: there is little to no real security found in the commercial tools for anti-virus and anti-malware from the major software providers and the continued purchase of these products is a waste of money and time when the foe is more than a petty criminal.
The next major threat will come from a nation state taking aim at our critical national infrastructure and knocking out resources essential to life. This will be an easy target since many of the utilities have little interest or appreciation for security. Their systems have been fully characterized by hostile powers external to the United States and will eventually be turned off and/or damaged when the time is right.
The intelligence agencies have been warning Congress and the Senate about these problems as well as the utilities themselves. Unfortunately, someone, or a lot of someones, will need to be harmed to get these providers to change their ways.