by Peter Dietrich
3:00 min read
Human security risks happen because people are trusting, not because they are fools. Phishing (email) and SMiShing (SMS/mobile) attacks abuse that trust, and employees need to be careful with every message they get. But what happens when a site they have every reason to trust is itself subverted? That is what a waterholing attack does.
The term "waterholing" (also "watering hole attack") comes from the image of predators lurking near a waterhole that their prey must eventually visit. Businesses with serious data protection requirements put a lot of effort into protecting their own websites, but their people routinely visit websites that are far less careful. Local stores, restaurants, and entertainment sites are often small operations that use weak administrative passwords and don't patch their software regularly.
An attacker will find many of these sites easy to break into, and once inside can inject malicious code into their pages, typically a script tag or hidden iframe that loads an exploit from a server the attacker controls. The aim is to take advantage of browser bugs and get a foothold on the visitor's computer. From there the attacker can move into the business network and steal data, or run ransomware and destroy files.
The attack is usually a targeted one. The attacker picks the business to go after and looks for sites that its people are likely to visit. Probing enough of those sites has a fair chance of turning up one that's vulnerable.
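The injection described above usually leaves a visible trace in the page itself: a script source the site never used before, or a new inline script. The following is an added example, not code from the original article or from Anchor Technologies, showing how to diff the scripts a page loads against a baseline captured when the site was known to be clean. The HTML, the site host name "pizza.example" and the loader domain "cdn-static-update.example" are constructed for the example.

```python
"""
Added example: detect injected scripts on a third-party site by comparing
the page's external script sources and inline-script hashes against a
recorded baseline. All HTML and host names below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the page as captured on a known-clean day.
BASELINE_HTML = """
<html><head>
<script src="/js/menu.js"></script>
<script>var cart = [];</script>
</head><body>Welcome</body></html>
"""

# Constructed capture from today: the attacker has appended a loader from a
# hypothetical domain the site never used, plus an inline iframe dropper.
CURRENT_HTML = """
<html><head>
<script src="/js/menu.js"></script>
<script>var cart = [];</script>
<script src="https://cdn-static-update.example/loader.js"></script>
<script>var f=document.createElement('iframe');f.style.display='none';document.body.appendChild(f);</script>
</head><body>Welcome</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data, so this sees the code.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_inline = False


def collect_scripts(html):
    p = ScriptCollector()
    p.feed(html)
    return p.external, p.inline


def find_injected(baseline_html, current_html, site_host):
    """Return scripts present now but absent from the baseline.

    New external sources whose host differs from the site's own host are
    labelled 'third-party'; that is the usual shape of a waterhole loader.
    Returns a list of (type, kind, value) tuples, externals first.
    """
    base_ext, base_inline = collect_scripts(baseline_html)
    cur_ext, cur_inline = collect_scripts(current_html)
    findings = []
    for src in sorted(cur_ext - base_ext):
        host = urlparse(src).netloc
        kind = "third-party" if host and host != site_host else "same-origin"
        findings.append(("external", kind, src))
    for digest in sorted(cur_inline - base_inline):
        findings.append(("inline", "new", digest[:16]))
    return findings


if __name__ == "__main__":
    for finding in find_injected(BASELINE_HTML, CURRENT_HTML, "pizza.example"):
        print(finding)
```

Run periodically against the handful of local sites your staff actually visit, this turns "the pizza shop got hacked" into an alert you can act on; the third-party domain it flags is also what you feed into the proxy block list.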
Protection against waterholing
The insidious part of waterholing is that the victim doesn't have to make any mistakes. Just visiting a familiar website is enough. Some waterholing sites require the user to accept a download, but many do their dirty work without any user interaction. Still, there are several practices that will reduce the risk.
Keeping browsers up to date will foil a lot of attacks. Waterholing exploits often rely on browser bugs that have already been fixed in the latest version, counting on visitors who have yet to patch. However, attackers sometimes use zero-day exploits for which no patch yet exists, so even a fully updated browser can be vulnerable.
Keeping plug-ins up to date is equally important. Adobe Flash is the number one target, and old versions of it are extremely vulnerable. Businesses should either make sure it's kept strictly up to date or else prohibit it completely. Adobe is phasing it out (it has announced the end of support for the end of 2020), since modern browsers have better ways of performing its functions. Limiting Flash to a set of whitelisted sites, or requiring a click before it runs, can strike a reasonable balance if banning it isn't acceptable.
Users should pay attention to browser warnings. The leading browsers check visited sites against a constantly updated list of known rogue or compromised sites. Security training needs to stress that ignoring the warnings is a bad idea, since people are very inclined to trust familiar pages.
Employees should be trained to ignore unexpected download requests. If the corner pizza shop asks you to download software, that’s a reason for suspicion.
Network security measures
Attacks that use trusted sites are insidious and have a high chance of getting past people's defenses. Strong network protection is necessary in order to limit their damage. Endpoint protection software such as SentinelOne, deployed on every machine on the network, uses continually updated threat intelligence and behavioral detection to spot breaches and contain them quickly.
Unusual network traffic may be the first clue that a breach has happened: a workstation reaching out to a domain it has never contacted before, or checking in with an outside host on a fixed schedule. Ongoing network monitoring will spot such events. The first thing to do when one is detected is to quarantine the affected machine from the network. This preserves evidence and buys time to analyze the problem and remove the malware.
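The two signals above (a visit to the suspected site followed by contact with a never-seen host, and regular check-ins to one outside host) can be pulled straight out of web proxy logs. The following is an added example, not code from the original article or from any product it names; the log lines, IP addresses, host names and the 30-day "known hosts" baseline are all constructed.

```python
"""
Added example: correlate constructed web proxy logs to find clients that
visited a suspected waterhole and then contacted a host never seen before,
and to find hosts contacted at a steady beacon interval.
Log format (constructed): "timestamp client-ip host status bytes".
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2018-05-14T09:00:01 10.0.0.21 www.corner-pizza.example 200 14233
2018-05-14T09:00:02 10.0.0.21 cdn-static-update.example 200 5120
2018-05-14T09:00:10 10.0.0.21 upd-telemetry.example 200 312
2018-05-14T09:01:10 10.0.0.21 upd-telemetry.example 200 312
2018-05-14T09:02:10 10.0.0.21 upd-telemetry.example 200 312
2018-05-14T09:05:00 10.0.0.22 www.corner-pizza.example 200 14233
2018-05-14T09:06:00 10.0.0.22 mail.example 200 9000
2018-05-14T09:30:00 10.0.0.23 www.corner-pizza.example 200 14233
2018-05-14T09:30:01 10.0.0.23 cdn-static-update.example 200 5120
"""

# Hosts seen in the last 30 days of normal traffic (constructed baseline).
KNOWN_HOSTS = {"www.corner-pizza.example", "mail.example", "intranet.example"}


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, host, status, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, status, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), ip, host, int(status), int(nbytes)))
    return events


def find_suspects(events, waterhole, known_hosts, window=timedelta(minutes=10)):
    """Map client IP -> new hosts it contacted within `window` after visiting `waterhole`.

    A client that hits the suspected site and then talks to a host absent from
    the baseline is the first machine to pull off the network for analysis.
    """
    events = sorted(events)
    visits = defaultdict(list)  # ip -> times it loaded the waterhole
    for ts, ip, host, _, _ in events:
        if host == waterhole:
            visits[ip].append(ts)
    suspects = defaultdict(list)
    for ts, ip, host, _, _ in events:
        if host in known_hosts or host == waterhole:
            continue
        if any(timedelta(0) <= (ts - v) <= window for v in visits.get(ip, [])):
            if host not in suspects[ip]:
                suspects[ip].append(host)
    return dict(suspects)


def beacon_hosts(events, min_hits=3, tolerance=timedelta(seconds=5)):
    """Return (ip, host, interval) for hosts a client contacts at a near-constant interval.

    Steady check-ins are the fingerprint of malware polling its command server.
    """
    by_pair = defaultdict(list)
    for ts, ip, host, _, _ in sorted(events):
        by_pair[(ip, host)].append(ts)
    beacons = []
    for (ip, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            beacons.append((ip, host, gaps[0]))
    return beacons


if __name__ == "__main__":
    ev = parse_log(LOG)
    print(find_suspects(ev, "www.corner-pizza.example", KNOWN_HOSTS))
    print(beacon_hosts(ev))
```

In this constructed data the client 10.0.0.22 also visited the pizza site but only went on to a known host, so it is not flagged; 10.0.0.21 and 10.0.0.23 both fetched the loader domain, and 10.0.0.21 then started beaconing every 60 seconds, which is the machine to quarantine first.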
The more quickly a waterhole is identified, the sooner access to it can be blocked at the proxy or firewall. The site owner should be notified, and access shouldn't be restored until the problem is truly fixed. If the owner removes the malware without closing the underlying vulnerability, it may come back five minutes later.
Attempts to break into computer networks are a constant fact of life, and there's no absolute safety short of unplugging completely from the Internet. A strong multilayered defense will stop most attacks, though. It needs to include training, system maintenance, and software protection.
Anchor Technologies, Inc.
© COPYRIGHT 2018. ALL RIGHTS RESERVED.