"Anti-Virus, Firewalls, and IDS Are no Longer Enough" Warns Security Expert

95 Percent of Persistent Attacks Only Spotted by Accident Even Though Evidence Was Within Logs for Weeks and in Some Cases Months
"We go in, look at the logs and can quickly see clear evidence of the problem, but there has either been a failure to spot it or not enough resource assigned to look for the evidence." Of the last 20 incidents that Armstrong and his team have been called in to investigate, he estimates 95 percent of them had clear evidence that had gone unnoticed. "In many cases, it is often an admin who has a 'gut feeling' that calls us in, but when we start digging, the full extent of the breach is normally far worse than initially suspected."

Armstrong, who has been within the security sector for over 17 years, believes that the issue is down to sophistication on the part of the hacker and an over-reliance on tools. "The IT vendors keep on telling us how great the tools to spot problems are, but they are certainly not foolproof. They can also be circumvented by criminals who know what they are doing." For example, as one of the elements of the upcoming Security 464 Hacker Detection for Systems Administrators with Continuing Education Program course, Armstrong shows how a simple modification of a known malware package can defeat up-to-date anti-virus software. "The days when a hacker would wander blindly around systems are gone," he explains. "Now, the goal is to get in and stay in, undetected, for as long as possible. This is the issue that is causing the most problems but getting the least headlines."

Armstrong agrees that there has been a surge in demand for IT security tools, penetration testing and training as a response to attacks by organisations such as LulzSec and Anonymous. However, in some cases he equates these antics to graffiti on a wall: "...it might be newsworthy, but some would argue that it distracts attention away from more insidious and organised hacks against US defence contractors and security tools suppliers like RSA," he notes. "A hacktivist hitting your site with a denial of service attack may well just be a distraction to get something more dangerous onto a critical server somewhere else."

The new 464 course will début in

Initially running over 2 days with quarterly briefings to follow, SANS Security 464 Hacker Detection for Systems Administrators with Continuing Education Program provides the tools and techniques to bridge the gap and help systems administrator teams meet the needs of security and audit teams while still doing their day jobs. Topics covered include common mis-configurations and mistakes that lead to a system being compromised, as well as security methodology and thought processes in daily systems administration activities. The course also covers a sysadmin's view of what matters in systems architectures, security monitoring and understanding of network traffic for systems administrators.

(SANS: ra)
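The article's central point is that the evidence sat in the logs for weeks and nobody was assigned to read them. As an added example (not from the article, Armstrong or SANS), the following Python log review looks for exactly that long-dwell pattern in a constructed sshd-style auth log: a source address that failed repeatedly before its first accepted login and then kept logging in over at least two weeks. The log format, addresses and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log excerpt (not real data): 203.0.113.7 guesses
# passwords, gets in as "backup" and keeps returning; 198.51.100.5 is a normal admin.
SAMPLE_LOG = [
    "2011-07-01T02:13:44 sshd[812]: Failed password for root from 203.0.113.7 port 4110 ssh2",
    "2011-07-01T02:13:51 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4111 ssh2",
    "2011-07-01T02:14:02 sshd[812]: Failed password for backup from 203.0.113.7 port 4112 ssh2",
    "2011-07-01T02:14:09 sshd[812]: Failed password for backup from 203.0.113.7 port 4113 ssh2",
    "2011-07-01T02:14:30 sshd[812]: Accepted password for backup from 203.0.113.7 port 4114 ssh2",
    "2011-07-02T09:01:00 sshd[903]: Accepted password for alice from 198.51.100.5 port 5020 ssh2",
    "2011-07-10T03:02:11 sshd[1201]: Accepted password for backup from 203.0.113.7 port 4300 ssh2",
    "2011-07-20T09:05:00 sshd[1500]: Accepted password for alice from 198.51.100.5 port 5100 ssh2",
    "2011-07-25T02:58:40 sshd[1777]: Accepted password for backup from 203.0.113.7 port 4410 ssh2",
]

# Assumed line layout: ISO timestamp, sshd tag, then the standard Accepted/Failed message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(lines):
    """(timestamp, result, user, ip) for every matching auth line, oldest first."""
    matches = (LINE_RE.match(line) for line in lines)
    return sorted((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])
                  for m in matches if m)

def find_persistent_sources(lines, min_failures=3, min_days=14):
    """Flag source IPs whose first accepted login followed a run of failures and
    whose accepted logins then span at least min_days: the long-dwell pattern."""
    per_ip = defaultdict(lambda: {"fails": 0, "accepted": [], "users": set()})
    for ts, result, user, ip in parse(lines):
        rec = per_ip[ip]
        if result == "Failed" and not rec["accepted"]:   # failures before any success
            rec["fails"] += 1
        elif result == "Accepted":
            rec["accepted"].append(ts)
            rec["users"].add(user)
    findings = {}
    for ip, rec in per_ip.items():
        if not rec["accepted"]:
            continue                                     # never got in: noise, not dwell
        dwell = (rec["accepted"][-1] - rec["accepted"][0]).days
        if rec["fails"] >= min_failures and dwell >= min_days:
            findings[ip] = {"failed_before_success": rec["fails"], "dwell_days": dwell,
                            "users": sorted(rec["users"])}
    return findings
```

On the constructed sample only 203.0.113.7 is reported (4 failures, then 24 days of accepted logins as "backup"); the admin's address has no failure run and is ignored.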