Ignore The Man Behind The Curtain…
While your eyes are on the data-centre, you could be losing the data from the desktops. IT security specialist Jay Abbott explains why “Threat Detection” isn’t just for the big boys
Once upon a time, defending your business from a hacker or cyber-attack was quite easy. Everything was internal and you had a firewall between you and the scary internet. This approach meant you could focus all your security efforts in one place, essentially between your data-centre (where all the data lives on the servers) and the internet (the single point of likely entry for bad guys wanting to steal your data).
Unfortunately, that isn’t how it works any more – and, in fact, it hasn’t for quite some time.
For many years now the IT and security industries have been throwing around the term “eroding boundaries”, which, in short, describes the effect that consumerisation and the explosion of the internet over the last decade have had on traditional IT. Essentially, business now relies on the free flow of data between organisations and individuals through the internet, and the internet has become part of our individual lives in both a social and a business context. This erosion of the demarcation between internal and external data is where the game has changed. The actual barrier between your business data and the attackers on the internet is now the desktop, laptop or mobile device.
This marked change in the technology landscape has led to a marked change in the way cyber-attacks are perpetrated. Now, there is little point going after the data-centre, as over the years IT have become wise to that and have focussed on ensuring that area is safe. However, with the exception of anti-virus, some content filtering and perhaps the odd personal firewall, desktops are still largely unprotected and unmonitored. What compounds this problem is that business users can and do use the internet to perform their daily jobs, whether it be checking a travel plan, booking a trip, purchasing a resource or consulting a data-source.
This is where the problem arises. “Client-side attacks” focus on the client side of the server/client relationship and take advantage of a few basic truths:
1. When a user goes to a website and gets content, that site serves up whatever is in its cache to that user;
2. The user makes an OUTBOUND request to that site to SOLICIT the data;
3. Most organisations allow HTTP/HTTPS (Web Traffic) to flow freely OUT of the business and come back IN freely as long as it was asked for as per points 1&2;
4. Client-side software such as Java, Shockwave, Acrobat, Office, Internet Explorer etc. is unpatched and excluded from core patching programmes;
5. Users are not as security savvy as we would like and even if they are vigilant, around 30% of them can/will be tricked into clicking on something they shouldn’t if it’s compelling to do so.
Those five points pretty much guarantee success for an attacker. Let me show you how:
EXAMPLE 1:
An attacker manages to hack into and breach the security of a low-level website that holds financial information about the credit rating of businesses. Rather than deface the site or bring it down, they add some JavaScript to the header of the page that is invisible to anyone reading the page. The JavaScript runs a known, unpatched exploit within Internet Explorer that allows the attacker to install software silently onto the victim’s computer. The attacker makes use of this to deploy a small Trojan horse program he wrote that is not detected by any anti-virus programs. This small Trojan horse program first establishes a connection back to a server on the internet over HTTPS, so to the network and all security devices it looks like the user is just accessing a normal secure website. The attacker then uses this connected session to remotely control the user’s desktop as if they were sat at the desk, and from there they are able to scan the internal network for further areas of attack and access any data the user could access.
EXAMPLE 2:
An attacker creates a well-crafted email to a victim organisation through the use of intelligence gathered from LinkedIn and Facebook. The attacker explains in the email that the users have been selected, as “model employees trusted for their value and opinion”, to have a sneak preview of some new corporate branding options. Attached to the email is a PowerPoint file with some new colour schemes, logos etc. for the users to peruse. Once the users open the PowerPoint, in the background, making use of normal Office functionality, PowerPoint executes a program that installs the small custom Trojan horse program onto the user’s desktop. The rest of this example is just like the first example.
Already I can hear the cries from the IT experts about “deep packet inspection”, “stateful firewalls” and “content-filtering”, but the reality of this attack is that it looks just like normal user traffic as far as any of those devices are concerned. As for anti-virus solutions, all an AV program can really do is check what is running against a list of malicious programs it has (definitions) and see if it matches. More advanced solutions can also look for similar programs and block certain types of activity, but it’s a 99.99% likelihood that something new won’t get detected until it’s discovered, sent to the “labs” and evaluated manually by a technician. AV is useful, don’t get me wrong – but it’s not reliable as a single point of control.
So what is the answer?
Well, there is no one simple solution that prevents this, but what you can do to detect and stop breaches is have “Threat Detection”. Essentially, this is like putting a guard dog on the network. If someone comes snooping the dog barks, and if they keep on snooping, it bites – in the form of security analysts defending your business against the attack in progress.
At that point, even though the client side has been compromised in an attack, you can respond immediately by closing the connections on the firewall, temporarily suspending that user’s access and disconnecting the desktop from the network. Alternatively, you could just sit back, rely on all that money you spent protecting your data centre, and wait to read about your data breach in tomorrow’s papers. It’s your call.
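One way to put that “guard dog” on the network for the HTTPS phone-home in Example 1, as an added example that is not from the article or from JustASC: it reads constructed web-proxy log lines in a hypothetical format (epoch timestamp, source IP, destination host, method, bytes) and flags any destination a desktop contacts on a near-fixed timer, which is what a remotely controlled Trojan’s keep-alive looks like even though every individual request passes the firewall as an ordinary outbound HTTPS session.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (hypothetical format, not real traffic):
# epoch_seconds  source_ip  destination_host  method  bytes
PROXY_LOG = """\
1700000000 10.0.0.15 intranet.example.local CONNECT 5120
1700000003 10.0.0.15 updates.example.com CONNECT 88000
1700000060 10.0.0.15 cdn-files.example.net CONNECT 512
1700000120 10.0.0.15 cdn-files.example.net CONNECT 498
1700000130 10.0.0.15 news.example.org CONNECT 45000
1700000180 10.0.0.15 cdn-files.example.net CONNECT 503
1700000240 10.0.0.15 cdn-files.example.net CONNECT 511
1700000300 10.0.0.15 cdn-files.example.net CONNECT 507
1700000360 10.0.0.15 cdn-files.example.net CONNECT 500
1700000900 10.0.0.15 news.example.org CONNECT 61000
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(log):
    """Group request timestamps by (source_ip, destination_host)."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than crash the analyser
        ts, src, host, _method, _size = m.groups()
        sessions[(src, host)].append(int(ts))
    return sessions


def find_beacons(log, min_hits=5, max_jitter=0.2):
    """Return (src, host, avg_gap_seconds) for pairs whose inter-request gaps
    are nearly constant. A Trojan polling its controller fires on a timer;
    a person reading web pages does not. max_jitter is the allowed ratio of
    gap standard deviation to mean gap."""
    findings = []
    for (src, host), times in parse(log).items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = float(mean(gaps))
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, host, round(avg, 1)))
    return findings
```

Feed the flagged host and source into the response steps above (firewall block, user suspension, desktop isolation); legitimate software updaters also poll on timers, so an allow-list of known update hosts belongs in front of this check.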
Jay Abbott is the Founder and Director of Advanced Security Consulting Limited (JustASC), a specialist business offering consulting and managed services, focused on improving the SME and mid-tier sectors’ ability to understand, and ultimately withstand, inevitable cyber-attack – Contact: 08456 437 406