Ondrej Krehel, CEO and Founder of LIFARS, is recognized worldwide for his expertise in digital forensics and ethical hacking. He actively participates in many high-profile engagements around the world in which his proprietary methodology is leveraged to achieve the most rapid root-cause analysis and remediation. This interview with Ondrej Krehel is the second part in a four-part series, so stay tuned for more. Part 1 is available here.
Note: Originally published in NEXTECH magazine and republished with the kind permission of Mr. Martin Drobny.
NXT: What are the most common weak points in companies' security?
Ondrej Krehel: We have come across three main groups of weak points during the uncountable cases, tests, analyses, and audits that we have been engaged in. These three groups are technical vulnerabilities of information systems, weaknesses of both employees and company leaders, and insufficiencies in processes.
It is hard to say which of these groups is the most significant one, but the statistics show that around 90% of cyber-attacks begin with a phishing attack. This attack misuses people's susceptibility to manipulative social-engineering techniques that trick them into giving away their credentials or running malicious software, which in turn gives attackers a foothold in the company's internal network, granting them the ability to covertly carry out attacks. If the company does not have a network monitoring system, these attacks can go on for several years. Throughout that time, the company loses sensitive data or even money without knowing it.
Attackers also often aim at applications or company websites that are publicly accessible. They try to find known vulnerabilities in these targets by utilizing automated tools in an attempt to take advantage of them. Many companies think that attackers have no reason to target them and therefore the chances are that they will not get hacked. However, attackers do not always target a specific company. The use of automated tools enables wide-ranging scanning of the internet, and if your company has vulnerable applications or websites that are publicly available, the attackers will automatically find them. Therefore, it is necessary to regularly scan every web application and web page for vulnerabilities and fix them immediately. The question today is not IF, but WHEN you will get hacked.
Considering insufficiencies in processes, I would like to emphasize an often-underrated topic: business continuity, disaster recovery, and incident response. At every moment of a company's lifetime, the IT staff and security employees should know what, when, and how to execute in case of an incident. They should at least know who to call and have someone who can come and solve the problem on their behalf.
NXT: What types of companies and organizations are most often targets of attacks?
Ondrej Krehel: Any type of company or organization, as well as any person, can be a target. As I mentioned earlier, the ones with many security flaws are most likely to be attacked. These automated attacks can escalate into serious incidents that will cost the company hundreds of thousands of dollars. They can even cost the company its existence if the security flaws were so serious that the incident cannot be resolved. If the company cannot restore its operation in a reasonably short amount of time, it can lose customers and its reputation. The impact can be devastating when it is combined with leaks of sensitive proprietary data, exfiltration of clients' personal data, and its publication. GDPR sanctions can climb up to 20 million euros or 4% of the company's sales.
There are also targeted attacks where the attackers aim at a certain company because they are interested in its data or want to harm the company. Examples of such attacks are data exfiltration, disabling of crucial functions, or DDoS attacks which try to make web services inaccessible. DDoS-as-a-Service attacks are considerably cheap; they can be bought for 20 USD per hour. If the target uses DDoS protection, the price can be as high as 400 USD per day. This type of attack often serves as a distraction for security staff while it attempts to cover another, more serious attack. The company may feel relieved that they handled the situation correctly. However, while they were dealing with the DDoS, the attacker might have gotten into the internal network and taken control of the domain controller.
There is a very good documentary (called Zero Days) about one of the most famous targeted attacks. It was an attack on the Iranian nuclear program, and it was most likely a joint effort of the United States and Israel during which they developed a cyber weapon: a worm called Stuxnet. It used at least four 0-day vulnerabilities, which are usually rather expensive because they are exclusive and not even the vendors of the software know about them. Therefore, we can assume that it was one of the most expensive cyber-attacks in history. Nevertheless, it fulfilled its purpose, because this worm helped physically damage uranium enrichment facilities with air-gapped networks that were strictly controlled and hermetically sealed.
Nowadays we can also encounter many incidents associated with stealing data related to coronavirus research and vaccine development. Oftentimes we see attacks against healthcare, finance, education, and public administration sectors.