Protecting your servers: it’s a good start…
When we talk to a potential customer, we like to get a good understanding of their current security posture and how they are prioritizing their next security projects. Several times recently, as we drilled down with the customer on their environment and priorities, they told us their plan was to first lock down and secure the servers.
Well, it makes sense, right? That’s where all the sensitive info is, so make sure you’ve got the gold safely locked in a vault. Sure, why not.
Yet, looking back at some of the biggest hacks and attacks of the last few years, very few were the result of directly hacking critical servers. Most hacks can be categorized broadly into two types (excluding insider threats and physical theft):
1) Web-based attacks, using SQL injection or cross-site scripting or other methods to siphon out information from databases, like credit card info or PII (personally identifiable information).
2) Malware-based attacks, where the initial infection vector may be a (spear-)phishing attack or some other method to get control of a target’s endpoint, including the credentials of the user of that endpoint (see our blog post on DarkComet RAT and AV evasion).
In the first instance, the hack is via the web server, rather than the server containing the underlying data. Locking down the host through whitelisting or application control, while no bad thing, would have no mitigating effect on this type of attack.
So let’s look further at the second type. To put some numbers behind that, I referred to the Verizon 2012 Data Breach Report, one of the more authoritative sources out there. By their numbers, 98% of breaches, and greater than 99% of the stolen data, are due to external hacks rather than insider threats. Verizon breaks out data breaches between small and large organizations. We believe that the information for large organizations presented in the report is representative of what our readers and customers face, not necessarily because of their size, but because our audience, regardless of size, shares the IT sophistication and other attributes of large organizations. Zeroing in on that breakdown (page 26), we find that a full 84% of data records reported stolen were stolen through use of stolen login credentials, usually obtained by some form of keylogger.
Right there Verizon states the key point for why protecting just the servers may provide a false sense of security. It’s safe to assume that for the majority of those breaches using stolen credentials, nothing triggered any alarms on the server side; after all, from that side it appeared that a legitimate user was accessing data they had full rights to access. So by all means lock down your servers. But if you’re considering doing that as a priority over securing and monitoring the users’ endpoints, we urge you to reconsider!
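To make the point concrete, here is an added illustration (not code from this post or from any product it describes) run over a constructed authentication log: a server that only checks whether the credentials were valid sees nothing wrong, while a check that keeps track of where each user normally logs in from flags the one login made with valid but stolen credentials. The log format, user names and addresses are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample of server-side authentication log lines (not real data).
# Every line is a *successful* login: the password was correct each time.
# The last line mimics stolen credentials used from an unfamiliar machine.
AUTH_LOG = """\
2012-05-01 08:02:11 LOGIN ok user=alice src=10.0.1.15 host=wks-alice
2012-05-01 08:05:40 LOGIN ok user=bob src=10.0.1.22 host=wks-bob
2012-05-02 08:01:03 LOGIN ok user=alice src=10.0.1.15 host=wks-alice
2012-05-02 08:07:19 LOGIN ok user=bob src=10.0.1.22 host=wks-bob
2012-05-03 08:00:57 LOGIN ok user=alice src=10.0.1.15 host=wks-alice
2012-05-03 23:41:12 LOGIN ok user=alice src=198.51.100.7 host=unknown
"""

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) LOGIN (?P<result>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)"
)


def parse_log(text):
    """Turn each well-formed log line into a dict; skip lines that don't match."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def credential_failures(events):
    """What a server that only validates credentials would alert on:
    nothing here, because every login used a correct password."""
    return [e for e in events if e["result"] != "ok"]


def context_anomalies(events):
    """Flag a successful login whose (src, host) pair has never been seen for
    that user. The baseline is learned in log order, so a user's first login
    is never flagged; only a later login from a new place is."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        key = (e["src"], e["host"])
        if e["result"] == "ok" and seen[e["user"]] and key not in seen[e["user"]]:
            flagged.append(e)
        seen[e["user"]].add(key)
    return flagged


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    print("credential failures:", len(credential_failures(events)))
    for e in context_anomalies(events):
        print("anomalous login:", e["user"], "from", e["src"], "at", e["time"])
```

The server-side credential check passes all six logins; only the baseline comparison singles out the 23:41 login from 198.51.100.7, which is exactly the kind of context a compromised endpoint would otherwise hide.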