We (Netragard) have been meaning to say Thank You to Anonymous for a long time now. With that said, Netragard does not condone the actions of Anonymous, nor the damage they have caused. What Anonymous has demonstrated, and continues to demonstrate, is just how poorly most network infrastructures are managed from a security perspective (globally, not just within the USA). People need to wake up.
If you take the time to look at most of the hacks done by Anonymous, you’ll find that their primary points of entry are really quite basic. They often involve the exploitation of simple SQL Injection vulnerabilities, poorly configured servers, or even basic Social Engineering. We’re not convinced that Anonymous is talentless; we just think that they haven’t had to use their talent because the targets are so soft.
What Anonymous has really exposed here are issues with the security industry as a whole and with the customers that are being serviced. Many of Anonymous’s victims use third party Penetration Testing vendors and nightly Vulnerability Scanning services. Many of them even use “best of breed” Intrusion Prevention Systems and “state of the art” firewalls. Despite this, Anonymous still succeeds at Penetration with relative ease, without detection and by exploiting easy to identify vulnerabilities. So the question becomes, why is Anonymous so successful?
Part of the reason is that regulatory requirements like PCI DSS 11.3 (and others) shift businesses from wanting Penetration Tests for security reasons to needing Penetration Tests in order to satisfy regulatory requirements. What is problematic is that most regulatory requirements provide no minimum quality standard for Penetration Testing. They also provide no incentive for quality testing. As a result, anyone with an automated vulnerability scanner and the ability to vet results can deliver bare minimum services and satisfy the requirement.
We’ll drive this point home with an analogy. Suppose you manufacture bulletproof vests for the military. Regulations state that each version of your vest must pass a Penetration Test before you can sell it to the military. The regulations do not define a quality standard against which the vests should be tested. Since your only goal is to satisfy regulations, you hire the lowest bidder. They perform Penetration Testing against your bulletproof vest using a squirt gun. Once testing is complete you receive a report stating that your vests passed the test. Would you want to wear that vest into battle? (Remember, Anonymous uses bullets not water).
This need to receive the so-called “Passing” Penetration Test has degraded the cumulative quality of Penetration Testing services. There are far more low-quality testing firms than there are high-quality. Adding to the issue is that the low-quality firms advertise their services using the same language, song and dance as high-quality firms. This makes it difficult for anyone interested in purchasing high-quality services to differentiate between vendors. (In fact, we’ve written a white paper about this very thing).
A possible solution to this problem would be for the various regulatory bodies to define a minimum quality standard for Penetration Testing. This standard should force Penetration Testing firms to test realistically. This means that they do not ask their customers to add their IP addresses to the whitelist for their Intrusion Prevention Systems or Web Application Firewalls. It means that they require Social Engineering (including but not limited to the use of home-grown pseudomalware), it means that they test realistically, period. If a vendor can’t test realistically then the vendor shouldn’t be in the testing business.
What this also means is that people who need Penetration Tests will no longer be able to find a low-cost, low-quality vendor to provide them with a basic check in the box. Instead, they will actually need to harden their infrastructures or they won’t be compliant.
We should mention that not all business are in the market of purchasing low quality Penetration Testing services. Some businesses seek out high-quality vendors and truly want to know where there vulnerabilities are. They not only allow but also expect their selected Penetration Testing vendor to test realistically and use the same tactics and talent as the actual threat. These types of businesses tend to be more secure than average and successfully avoid Anonymous’s victim list (at least so far). They understand that the cost of good security is equal to a fraction of the cost in damages of a single successful compromise but unfortunately not everyone understands that.
So is it really any surprise that Anonymous has had such a high degree of success? We certainly don’t think so. And again, while we don’t condone their actions, we can say thank you for proving our point.