Not long ago I was asked by a CEO of a company if they should be concerned about IP hacking. He had mentioned it to his security lead, who didn’t seem overly concerned about it, basically stating that there were bigger threats to worry about. Naturally, I asked the CEO why he was concerned about this specific topic more so than others. It boiled down to a conversation he had with a peer who mentioned in passing that it was an issue in his smaller company.
We took a little time and discussed what an IP hack is compared to other things such as malware. A very simple explanation is that malware is a broad attack, meaning its target is anyone and everyone, while IP hacking is targeted at a web server or personal computer.
His immediate comment was, “So we shouldn’t worry that much about IP hacking.” My response was merely, “Security isn’t that simple; you need to understand what risks are faced by your organization.”
As I explained further, an attacker needs to know the target IP address. Gaining access to IP addresses isn’t that hard; it’s a little harder to gain it against individuals but still not too difficult. An IP hack against a web server is done to steal data or deface a website. If it’s against an individual, it could be for a number of reasons. It can be as basic as messing with a coworker or other shenanigans; however, it could also be to steal personal information or even upload a virus. These attacks are targeted, planned, and have a purpose.
He then asked, “So should we or should we not do anything?”
At that point I realized he wasn’t concerned about how to mitigate IP hacking; his concern was whether his security team should make this a focus. Simple answer? Yes. Complicated answer? It all boils down to managing risk, prioritizing it, and the ability of his security lead to report up through the chain.
I avoided a soapbox moment with him, but what I really wanted to ask him was how much he talked with his security lead. What’s their overall plan? What’s the direction? Otherwise, security looks more like buckshot and less like it’s a managed defense.
My response? “You should sit down with your security lead and discuss with him how IP hacking was part of his overall strategy. If he doesn’t have one, work with him to develop one.”