So now everyone knows that Zimbabwe currently holds the number one spot in the global ranking of countries most exposed to attack over the Internet, but what does that mean exactly? The point of this article is to explain, from a layman's perspective, what that ranking actually measures and why the report was effectively a clarion call to hackers of every level, expert and inexperienced, security researchers and script kiddies alike, that the public IP addresses of Zimbabwe are the place to test their hacking skills and tools. Hopefully, by the end of this piece the private and the public sector will realize that they need to join forces and resolve the crisis we are facing.
As a matter of fact, it is very possible for us as a nation to get out of this dire situation. Take Belgium for example: in 2016 Belgium was the number one most exposed country on the Internet, yet in the 2017 rankings it not only left the top ten but went all the way down to number 179.
To shed a little more light on the rankings and the authenticity of the source: anyone who has ever dabbled in ethical hacking or offensive security should be familiar with the Metasploit Framework, an open-source toolkit with an ever-growing arsenal of exploit and auxiliary modules used in penetration testing. The framework is maintained by Rapid7, a renowned organization in the field of cyber security. Rapid7 not only develops and manages Metasploit; it also publishes periodic reports on threats in cyberspace affecting organizations in various fields, including health and finance.
Rapid7 also goes to great lengths to produce quarterly threat reports that may be difficult for the untrained eye to interpret, and which we as cyber security trainers and practitioners try to demystify in articles like this one. Among its reports is the annual National Exposure Index (NEI) report in question.
I think it is prudent that we get one fact clear before proceeding regarding the information in the National Exposure Index report: it is based on unsecured services running on Internet-facing servers. I understand that may seem like a mouthful, so I will explain using a real-world analogy.
You see, in the typical hacking methodology, one of the most important activities an attacker performs before entering a system without permission is scanning the target. Imagine how a robber first walks past the home he wants to steal from and looks around to see which windows and doors that are normally closed are currently open. In this analogy, the world is a city and Zimbabwe is the neighborhood where most residents have no fences and tend to leave their windows and doors open.
Now imagine Rapid7 is the city police. One of its duties is to publish an annual report meant to advise residents on how best to protect their homes. The report highlights how robbers usually enter through open windows and unlocked doors and advises people not to leave themselves open to such threats. The Rapid7 police then drive around the whole city checking for "vulnerable" homes and recording the data. From that data they rank the neighborhoods by the ratio of "vulnerable" homes to the total number of homes in each neighborhood and publish the ranking in the report. The benefit of the report is that it lets the less secure neighborhoods, like Zimbabwe, know just how exposed they are, and ideally that should push Zimbabweans to improve the way they protect themselves.
However, the report has a drawback too. It unintentionally becomes a clarion call to all the thieves in the city that if they come to the Zimbabwean neighborhood, the odds of finding a home they can rob are very high. In infosec circles, homes like the ones in the Zimbabwean neighborhood are known as "low-hanging fruit". This means that people learning to be thieves, people who steal out of habit, experienced criminal syndicates and even people who merely research the habits of thieves will all head to the Zimbabwean neighborhood to try and hack, sorry, to try and compromise the security of the homes.
Coming back to the context of hacking and exposure: the Internet today is a global village, and if your server has a public IP address (like a home address that anyone can look up), it is reachable by everyone on the Internet. Each server has numbered logical endpoints known as ports, and a service (a web server, a remote-login daemon, a file-transfer server) listens on a port in order to communicate with other servers or devices. What the Rapid7 report says is that the proportion of Zimbabwe's Internet-facing public IP addresses that expose unsecured services on their well-known ports, such as Telnet (port 23) and FTP (port 21), is higher than in any other country in the world. Telnet and FTP send usernames and passwords across the network in cleartext, so the possible attacks range from passive eavesdropping on those credentials to active attacks such as brute-forcing remote login credentials.
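The ratio the report is built on, as an added worked example that is not Rapid7's code or methodology and uses no data from the report: a small Python script that takes port-scan results for a set of public addresses, flags the hosts exposing unsecured services such as Telnet and FTP, computes the share of exposed hosts per network, ranks the networks from most to least exposed, and includes a loopback check you can run against your own server. The service list is a simplified subset chosen for illustration (the NEI scans for more than this), and the scan data is constructed from reserved documentation address ranges, not real measurements.

```python
"""Added example: computing an exposure ratio like the one the article
describes from port-scan results, plus a self-check for your own host.
Not Rapid7's code; service list and scan data are constructed."""
import socket
from typing import Dict, Iterable, List, Set, Tuple

# Default TCP ports of services the article calls "unsecured": they either
# carry credentials in cleartext (FTP, Telnet, HTTP, POP3, IMAP) or are
# common brute-force targets (SMB, RDP). Assumption: a simplified subset
# of what Rapid7 scans for, not its exact list.
UNSECURED_PORTS: Dict[int, str] = {
    21: "ftp", 23: "telnet", 80: "http", 110: "pop3",
    143: "imap", 445: "smb", 3389: "rdp",
}

ScanResult = Dict[str, Set[int]]  # public address -> open TCP ports seen


def exposed_services(open_ports: Iterable[int]) -> List[str]:
    """Names of the unsecured services a host exposes, ordered by port."""
    return [UNSECURED_PORTS[p] for p in sorted(set(open_ports))
            if p in UNSECURED_PORTS]


def exposure_ratio(scan: ScanResult) -> Tuple[int, int, float]:
    """(exposed hosts, hosts scanned, share exposed) for one "neighborhood".

    A host counts as exposed if at least one unsecured service answers,
    mirroring the robber's view that any open window will do."""
    total = len(scan)
    exposed = sum(1 for ports in scan.values() if exposed_services(ports))
    return exposed, total, (exposed / total if total else 0.0)


def rank_by_exposure(scans: Dict[str, ScanResult]) -> List[Tuple[str, float]]:
    """Networks sorted from most to least exposed by share of exposed hosts."""
    ranked = [(name, exposure_ratio(scan)[2]) for name, scan in scans.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def listening_ports(host: str, ports: Iterable[int],
                    timeout: float = 0.3) -> List[int]:
    """Ports on `host` that accept a TCP connection.

    Run it against 127.0.0.1 or your own server to see which "windows"
    are open before someone else does. Only scan hosts you are
    authorised to test."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                found.append(port)
    return found


# Constructed sample scan data: two hypothetical networks using the
# RFC 5737 documentation ranges, not real addresses or measurements.
SAMPLE_SCANS: Dict[str, ScanResult] = {
    "neighborhood-A": {
        "192.0.2.10": {22, 443},      # SSH and HTTPS only: not exposed
        "192.0.2.11": {21, 22, 80},   # FTP and HTTP: exposed
        "192.0.2.12": {23},           # Telnet: exposed
        "192.0.2.13": {443},
    },
    "neighborhood-B": {
        "198.51.100.5": {22, 443},
        "198.51.100.6": {3389},       # RDP: exposed
        "198.51.100.7": {443},
        "198.51.100.8": {22},
    },
}

if __name__ == "__main__":
    for name, share in rank_by_exposure(SAMPLE_SCANS):
        exposed, total, _ = exposure_ratio(SAMPLE_SCANS[name])
        print(f"{name}: {exposed}/{total} hosts exposed ({share:.0%})")
    print("unsecured ports open on localhost:",
          listening_ports("127.0.0.1", UNSECURED_PORTS))
```

The ranking deliberately uses a share rather than a raw count: a small country with few public addresses can top the list with a modest number of exposed hosts, which is exactly the situation the article describes. Swap the sample data for the output of your own authorised scan to get the same view of your network that an attacker gets.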
In the simplest of terms, we really should close all these "windows" to avoid leaving ourselves open to threats. Closing every unnecessary port, that is, disabling the services that listen on them or blocking them with a firewall, and replacing cleartext protocols with encrypted ones (SSH in place of Telnet, SFTP or FTPS in place of FTP), is part of an activity known as server hardening. I strongly believe that, as was done in Belgium (the number one most exposed country in 2016), this hardening exercise, along with a host of other responsive cyber security activities, should become part of a national strategy. It is also imperative, as is currently the case in Belgium, that the strategy incorporates not only the public sector but equally engages the private sector and regular citizens too.
Great article!