We (Netragard) have been meaning to say Thank You to Anonymous for a long time now. With that said, Netragard does not condone the actions of Anonymous, nor the damage they have caused. What Anonymous has demonstrated, and continues to demonstrate, is just how poorly most network infrastructures are managed from a security perspective (globally, not just within the USA). People need to wake up.
If you take the time to look at most of the hacks done by Anonymous, you’ll find that their primary points of entry are really quite basic. They often involve the exploitation of simple SQL Injection vulnerabilities, poorly configured servers, or even basic Social Engineering. We’re not convinced that Anonymous is talentless; we just think that they haven’t had to use their talent because the targets are so soft.
What Anonymous has really exposed here are issues with the security industry as a whole and with the customers that are being serviced. Many of Anonymous’s victims use third party Penetration Testing vendors and nightly Vulnerability Scanning services. Many of them even use “best of breed” Intrusion Prevention Systems and “state of the art” firewalls. Despite this, Anonymous still succeeds at Penetration with relative ease, without detection and by exploiting easy to identify vulnerabilities. So the question becomes, why is Anonymous so successful?
Part of the reason is that regulatory requirements like PCI DSS 11.3 (and others) shift businesses from wanting Penetration Tests for security reasons to needing Penetration Tests in order to satisfy regulatory requirements. What is problematic is that most regulatory requirements provide no minimum quality standard for Penetration Testing. They also provide no incentive for quality testing. As a result, anyone with an automated vulnerability scanner and the ability to […]