Can your customers afford to compromise on web application security?


Some organizations may feel that security vendors and MSSPs are trying to sell them something through scaremongering. After all, the chances that their company will become the next Capital One or Equifax probably seem about as remote as the sinking of the Titanic. That’s true, but what they might not realize is that it’s not just Russian spies, cybercriminal gangs or professional hackers who pose a threat to their money. In the world of IT security, even an experimenting teenager or an opportunistic thief could cost them enough to put them out of business. It’s less likely, but it’s still possible.

Hacking is easy!

In the early days of hacking, anyone who wanted to find ways to bypass security measures was basically on their own. Hence the term hacker was originally associated with people of extraordinary ability. With the development of the internet, blockchain payments, and the dark web, “hacking” for quick cash is now a breeze. For every common vulnerability, you can easily find an exploit that’s easier to use than your web browser. Very often all you have to do is point it at the target and press a button. And there’s no problem getting unmarked cash in a white envelope — that’s what bitcoins are for.

Unfortunately, the world is full of people looking to make a quick buck, and they’re not like the professional car thieves from movies who spend hours figuring out how to bypass immobilizers. They’re like those misguided kids who walk down a street pulling on every car door handle to find one that’s unlocked and take it for a spin. And then they crash it for fun or rip out your radio. The same goes for web applications: these script kiddies, as we call them, aren’t after complex password-protected sensitive data. Instead, they’ll have fun and deface the front page, or throw in user-friendly one-button ransomware to get some bitcoins.

What will that cost?

Your client may be thinking, “I’m fine.” They let you take care of all their primary systems. These systems are scanned regularly, and you prioritize any key vulnerabilities to ensure your client doesn’t have any RCEs in primary business systems. They may also have WordPress sites built by Marketing for campaigns, but there is no sensitive data there, so they see no point in worrying about those sites and have not hired you to protect them. They don’t scan them at all. Because what’s the worst that could happen?

There is bad news.

Let’s say a script kiddie managed to hack into such a campaign page and deface the front page. What’s next?

Primary target forensics

First of all, your client needs a forensic expert to analyze the system, and they need to shut that system down immediately. The cost of taking a marketing campaign offline for a few days might not be that high, so things are looking good so far. Because they don’t employ full-time IT forensic experts, they spend some time finding a contractor, signing a contract, and getting them started – maybe it’s you, or maybe it happens with your help. And the clock is ticking.

Secondary target forensics

The forensic expert examines the defaced page and confirms that the attacker may have downloaded the entire WordPress database, including all logins and passwords used by the marketing team. One of your client’s marketing reps admits to using the same login and password for the campaign page as for the main business page, and the password is only 6 characters long, so it can be cracked in a few seconds (although it contains a number, a capital letter and a special character).
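To put a number on the 6-character password in the scenario above, here is an added illustration (not code from the original post or from Invicti) that computes the keyspace of several password policies and estimates the worst-case time to exhaust each one. The guess rate is an assumption stated in the code, chosen only to make the comparison concrete; the point it shows goes beyond the single case in the text, namely that length adds far more work for an attacker than mixing in character classes does.

```python
"""Keyspace and worst-case brute-force time for password policies.

Added example for the scenario above; not part of the original post.
"""
from dataclasses import dataclass

# Character-class sizes for printable ASCII.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33

# ASSUMPTION: guesses per second for one modern GPU against a fast, unsalted
# hash such as MD5. Real rates depend on hardware and on the hash algorithm;
# a slow, salted hash (bcrypt, Argon2) is many orders of magnitude lower.
ASSUMED_GUESSES_PER_SECOND = 50e9


@dataclass(frozen=True)
class Policy:
    """A password policy: required length and permitted character classes."""
    name: str
    length: int
    lower: bool = True
    upper: bool = False
    digits: bool = False
    special: bool = False

    def alphabet_size(self) -> int:
        # bool multiplies as 0 or 1, so only enabled classes count.
        return (LOWER * self.lower + UPPER * self.upper
                + DIGITS * self.digits + SPECIAL * self.special)

    def keyspace(self) -> int:
        # Upper bound: every position may hold any character of the alphabet.
        return self.alphabet_size() ** self.length


def seconds_to_exhaust(policy: Policy, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate in the policy's keyspace."""
    return policy.keyspace() / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# The marketing rep's password from the scenario, plus two comparison policies.
POLICIES = [
    Policy("6 chars, all four classes", 6, True, True, True, True),
    Policy("8 chars, all four classes", 8, True, True, True, True),
    Policy("12 chars, lowercase only", 12),
]


def compare(policies=POLICIES, rate: float = ASSUMED_GUESSES_PER_SECOND):
    """Return (name, keyspace, worst-case seconds) for each policy."""
    return [(p.name, p.keyspace(), seconds_to_exhaust(p, rate)) for p in policies]


if __name__ == "__main__":
    for name, space, secs in compare():
        print(f"{name:28s} keyspace={space:.2e} worst case={human_time(secs)}")
```

At the assumed rate the 6-character password in the story falls in well under a minute even when every character class is used, while a 12-character lowercase-only password takes weeks; the forensic expert's "a few seconds" is consistent with a fast, unsalted hash, which is exactly why password reuse between a throwaway campaign site and the main business site is the real problem.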

So next, the forensic expert looks at the logs of the primary corporate website. There they see access attempts from the same IP address as in the campaign page hack. They recommend that your client shut down the primary business website for a while and do a thorough analysis. Tick, tock. Tick, tock. Now your client’s primary website is down for hours or days.

Et tu, brute?

As your client loses more and more money, because it turns out more systems may be affected and need to be shut down for thorough analysis, they’re being stabbed from a different direction. Someone saw the defaced website, thought it was very funny (the attacker was creative) and posted it on all the social media platforms. A commentary video mocking their brand, complete with a catchy song, now has millions of views on TikTok.

Your customer’s support center agents are now working around the clock, fielding endless calls and messages from customers worried about their data and money. Their channel teams are sweating: partners are worried about supply chain effects. Their PR department tries to reach every news outlet and make statements that limit the business losses as much as possible. It’s not the catchy TikTok video making fun of them that’s the problem. It’s the fact that many people now know they have been hacked and are losing trust in them.

Fortunately, this Armageddon will calm down in a few days, but there will be long-term consequences. Your customer has lost a lot of business, which means they may not be able to afford some new initiatives (including hiring you to protect all of their systems), and that will cost them even more business. They may have to lay off employees, making the remaining employees unhappy and uncomfortable and more likely to leave (including those hard-to-find security experts). There’s the grim realization that it will now take their HR department months to rebuild. And last but not least – although it was their decision not to let you protect the campaign website, and the hack is absolutely not your fault, you, the MSSP, will probably end up taking the blame.


All in all, this might seem like an extreme scenario, but that’s pretty much what happens with every security breach. What costs the most is not the stolen credit card numbers but the lost business, because web applications have to be taken offline and there is very little the company can do except focus on everything related to the hack. Not to mention the long-term consequences. The savings your customers see now will very likely cost them much more later and cause irreparable harm.

Is that scaremongering? No, it has just happened way too many times. For example, SolarWinds has already spent more than $18 million to deal with the events of December 2020. For this reason, while it’s understandable that your client’s budget is limited and they need to prioritize, you should encourage them to focus their budget cuts on other things. Don’t let them simply ignore the campaign page – they don’t need to prioritize it, but they do need to make sure it isn’t completely forgotten. You should help them find every website they have (by web asset detection) and make sure each one is in the scan queue.
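The last recommendation, finding every website a client owns and checking it is in the scan queue, is an inventory reconciliation problem. The following is an added example of that step (not Invicti's or MSSP Alert's own tooling): it takes two sources a consultant typically has access to, a DNS zone export and the subject alternative names from a TLS certificate, normalizes the hostnames, and reports every web-facing host that the scanner does not yet cover. All input data is constructed, uses the reserved example.com documentation domain, and the record-type filter and wildcard handling are design choices of this example rather than anything the post describes.

```python
"""Reconcile discovered web hosts against a scanner's queue.

Added example; not part of the original post. Inputs below are constructed.
"""
import re

# Constructed sample: a few BIND-style zone lines, including a forgotten
# campaign CNAME and mixed-case records that must be normalized.
ZONE_EXPORT = """
www.example.com.          300 IN A     192.0.2.10
spring-promo.example.com. 300 IN CNAME campaign-host.example.net.
Shop.Example.com.         300 IN A     192.0.2.11
mail.example.com.         300 IN MX    10 mx1.example.com.
_acme-challenge.example.com. 300 IN TXT "token"
"""

# Constructed sample: SANs copied from the organization's TLS certificate.
CERT_SANS = ["www.example.com", "*.example.com", "legacy-landing.example.com"]

# Constructed sample: what the scanner already covers.
SCAN_QUEUE = {"www.example.com", "shop.example.com"}

# Record types that normally front an HTTP(S) service; MX and TXT do not.
WEB_RECORD_TYPES = {"A", "AAAA", "CNAME"}

ZONE_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def normalise(host: str) -> str:
    """Canonical hostname form: lowercase, no trailing dot."""
    return host.rstrip(".").lower()


def hosts_from_zone(zone_text: str) -> set[str]:
    """Web-facing names from a zone export, skipping service records like _acme-challenge."""
    found = set()
    for line in zone_text.strip().splitlines():
        m = ZONE_LINE.match(line.strip())
        if not m:
            continue
        name, rtype, _ = m.groups()
        if rtype.upper() in WEB_RECORD_TYPES and not name.startswith("_"):
            found.add(normalise(name))
    return found


def hosts_from_sans(sans) -> tuple[set[str], set[str]]:
    """Split SANs into concrete hosts and wildcard entries that need enumeration."""
    concrete, wildcards = set(), set()
    for san in sans:
        san = normalise(san)
        (wildcards if san.startswith("*.") else concrete).add(san)
    return concrete, wildcards


def untracked_assets(discovered: set[str], queue) -> list[str]:
    """Discovered hosts absent from the scan queue, sorted for reporting."""
    normalised_queue = {normalise(h) for h in queue}
    return sorted(discovered - normalised_queue)


def reconcile(zone_text=ZONE_EXPORT, sans=CERT_SANS, queue=SCAN_QUEUE) -> dict:
    """Merge both discovery sources and diff them against the scan queue."""
    concrete, wildcards = hosts_from_sans(sans)
    discovered = hosts_from_zone(zone_text) | concrete
    return {
        "untracked": untracked_assets(discovered, queue),
        "wildcards": sorted(wildcards),
    }


if __name__ == "__main__":
    result = reconcile()
    for host in result["untracked"]:
        print(f"NOT IN SCAN QUEUE: {host}")
    for wc in result["wildcards"]:
        print(f"WILDCARD CERT {wc}: enumerate subdomains before assuming coverage")
```

Run against the constructed data, the report flags the spring-promo campaign site (present in DNS, absent from the queue) and a legacy landing page that only survives as a certificate SAN. A wildcard SAN is reported separately because it proves nothing about which hostnames actually exist; it is a prompt to enumerate, not evidence of coverage.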

Guest blog courtesy of Invicti, an international web app security company headquartered in Austin, Texas. Find more Invicti guest blogs here. Regular guest blogs are part of MSSP Alert’s sponsorship program.

