Friday 17 June 2011

Security Breach Epidemic: Are we becoming Complacent about Security?

At the moment hardly a day goes by without a security breach making the news; even as I write this I am hearing that the CIA website has been taken down by a ‘Distributed Denial of Service’ (DDoS) attack by LulzSec. These are unprecedented times, as we are seeing large corporations, government enforcement agencies, banks and even reputable IT security companies being successfully attacked, which goes to validate phrases I regularly use, such as ‘there is no such thing as 100% security’ and ‘nothing can ever be considered secure’. My face always creases with contempt when reading words like “this is a secure website”. So what is going on, and why are these breaches occurring now? Are these cyber attacks becoming cleverer and more sophisticated? Are such attacks going to continue? I’ll endeavour to explore and answer these questions in this post.

Cyber attacks appear to have reached an epidemic scale, why?
Firstly we must take into account the public breach disclosure laws which have been introduced in recent years stateside. The majority of US businesses now have a legal obligation to publicly announce data breaches, so we are becoming aware of more data breaches than ever. In the past many data breaches were kept secret and we, the public, simply never found out about them. This breach secrecy still exists in the UK today, where only public sector organisations have an obligation to disclose data breaches to the Information Commissioner’s Office. And so the vast majority of UK private sector data breaches are still not making it into the media headlines, which is bad, as public data breach disclosure is an important driver for wholesale information security improvement, a subject which I have already discussed in an earlier post. http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html

Secondly, some of the groups behind these attacks, like Anonymous and LulzSec, are in the business of celebrating their attacks, promoting their organisation and particularly their ideology; these two groups really do see themselves as being righteous. To be honest I can’t help but smile when I visit the LulzSec website http://lulzsecurity.com/. Groups like these are claiming responsibility, and are even telling us in advance who they are going to attack next; LulzSec even asks for suggestions on who they should attack next. So when we are told they are going to attack an organisation that they have taken exception to, and that organisation’s website goes down the next day, it really leaves the target organisation with no option but to come clean to the world, and so the incident makes the media headlines even when no data loss has occurred. Normally such an outage wouldn’t be disclosed as a breach at all; it would be put down to a technical issue.

In recent years most high-profile hacks have been for financial gain. Normally such hackers tend not to announce their accomplishments, as doing so significantly increases their chances of being caught by the authorities. These days cyber theft is dealt with pretty harshly by the law enforcement authorities; hackers that steal know this, and the last thing they tend to do is tell anyone about their crimes. In fact these types of hackers tend to really distrust each other, as they are fully aware that the US Secret Service disguise themselves as fellow hackers within the global underground communities they frequent, and so they tend not to talk about their accomplishments. If anything, the best ‘black hat’ hackers go to great lengths to cover their tracks: a notice of breach makes it harder for them to sell their informational booty and can even decrease its value on the black markets. The best outcome for them is to sell on their stolen info well before the company even becomes aware of the security breach.

Credit Card Data presents the fastest way to 'Cash Out' with a Breach

Are cyber attacks becoming more sophisticated?
This is a question being frequently asked by the media at the moment. I would have to say the current wave of cyber attacks is in general no more sophisticated than those of the past few years. By nature most of these attacks do have a certain level of sophistication to them, in that targets are being specifically selected, reconnaissance and research is being done, and some of the attacks have several stages to them, but hacking has always been this way. If you look at both the technical and human vulnerabilities these attacks are exploiting, I have to say we aren’t really seeing anything new with most of the recent breaches.

Recent Breaches:
RSA Breach – The hacker(s) targeted specific RSA staff with malware, specifically sending targeted individuals crafted emails (known as Spear Phishing) with a malware-infected attachment, namely an Excel spreadsheet which held a Flash executable, which in turn installed a piece of malware called Poison Ivy. This provided a “way in” to the RSA internal network. The attack exploited a non-public (zero-day) vulnerability, and as such was undetected by RSA’s malware prevention, but it also relied on RSA employees opening the infected file, which in turn installed the malware. The second stage of this attack, namely stealing RSA SecurID seed data, is probably a failing of not having adequate internal data protection around what is very clearly high-value information, something I’m sure has been rectified now.

Sony PSN Breach – Unpatched systems and poor system architecture led to this breach; this is really basic Security 101. Indeed many hobbyist hackers had been more than aware of Sony’s PSN weaknesses for years.

Barracuda Networks – Was the subject of a successful SQL Injection attack, which is an easy to fix web application vulnerability which has been known about for over 10 years. Considering Barracuda are in the business of providing Web Application Security solutions, this is particularly embarrassing for them. However credit where credit is due, they did a great job in publicly announcing their data breach, providing specific details of the attack. RSA and Sony should take note, as this is the right way to handle a data breach, namely being open and honest, as this increases general awareness and allows everyone to learn from the mistakes. http://www.barracudalabs.com/wordpress/index.php/2011/04/26/anatomy-of-a-sql-injection-attack/

Sony Pictures – Again, SQL Injection, an old Web Application vulnerability.

Citigroup – Customer account data theft; again this hack is said to have taken advantage of a well-known web application vulnerability.

IMF – Subject of a “Spear phishing” email attack.


Google – Account theft of high-profile users, another Spear Phishing email attack.

CodeMasters – Personal info stolen via the website, through a well-known web application vulnerability.

Lockheed Martin – Use of compromised RSA SecurID Tokens, I don’t know all the details yet, I’m guessing there was a social engineering element to it.

Visa, the Spanish Police, US Senate & CIA websites all taken down – All done by Distributed Denial of Service (DDoS) attacks. According to LulzSec, the CIA website was taken down by a “very simple DoS packet flood”, which says it all.
DDoS Overview
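A “very simple DoS packet flood” of the kind LulzSec describes is, by the same token, simple to spot from the defender’s side: one or a few sources sending packets at a rate far above anything a legitimate client would. The following is an added example, not code from the original post, that parses a handful of constructed connection records (timestamp, source, destination and TCP flag) and flags any source exceeding a packets-per-second threshold within a one-second window. The record format, the addresses (all from documentation ranges) and the threshold are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed format:
#   "<ISO timestamp> <src_ip> <dst_ip>:<port> <tcp_flag>"
# One source sends 300 SYNs in the same second; three others send one each.
def build_sample():
    base = "2011-06-15T20:01:00"
    lines = [f"{base} 203.0.113.5 198.51.100.10:80 S" for _ in range(300)]
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        lines.append(f"{base} {ip} 198.51.100.10:80 S")
    return lines


def parse(line):
    # Split one record into its four fields; timestamps are ISO 8601.
    ts, src, dst, flag = line.split()
    return datetime.fromisoformat(ts), src, dst, flag


def per_source_rates(lines, window_seconds=1):
    # Count packets per (source, time bucket); the bucket is the record's
    # epoch second divided by the window length.
    counts = defaultdict(int)
    for line in lines:
        ts, src, _, _ = parse(line)
        bucket = int(ts.timestamp()) // window_seconds
        counts[(src, bucket)] += 1
    return counts


def flood_sources(lines, window_seconds=1, threshold=100):
    # Return the sorted list of sources that exceeded `threshold` packets
    # in any single window; legitimate clients stay well below it.
    counts = per_source_rates(lines, window_seconds)
    return sorted({src for (src, _), n in counts.items() if n > threshold})


def traffic_share(lines):
    # Fraction of all records attributable to the busiest source, a second
    # signal that is useful when no single window crosses the threshold.
    totals = defaultdict(int)
    for line in lines:
        totals[parse(line)[1]] += 1
    busiest = max(totals, key=totals.get)
    return busiest, totals[busiest] / sum(totals.values())


if __name__ == "__main__":
    sample = build_sample()
    print("flagged:", flood_sources(sample))
    print("busiest source and share:", traffic_share(sample))
```

On the constructed sample the single flooding source is flagged and accounts for roughly 99% of the records. In practice the window and threshold would be tuned to the service’s normal traffic, and a distributed flood (many sources each under the threshold) is caught by the aggregate rate to the destination rather than by per-source counts; the per-source check above is the simplest case, matching the attack the post describes.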

If such organisations can be hit so hard with what most experienced security professionals would regard as fairly unsophisticated methods, it goes to highlight the fact that we all might be becoming too complacent about security. This is a particular concern considering most of these organisations are already security focused; what, then, of the less security-focused organisations?

Security Complacency: Mice that stand still, get caught!
Security has always been a game of cat and mouse, with the good guys trying to stay one step ahead, trying to outwit the bad guys who are continually seeking ways to beat the security barriers placed in their way. Maybe we have reached a stage where we are standing still again, with too much patting ourselves on the back for a job well done. Perhaps we are becoming overly arrogant, believing too much in vendors’ out-of-the-box solution promises, and relying too much on just best practices and information security standards. If we buy product X and follow what Y says, we’re secure, job done? No, this is never the case. Information security cannot be bought out of the box, nor can it be done properly by following a tick-box approach to a list of requirements. All organisations are unique, as is the information flow within them; the best-practice and vendor glove will not fit. To avoid being frostbitten by data breaches, you need to knit your own information security glove to fit the organisation and its ever-changing informational needs.

However, securing large organisations with complicated and ever-changing information flows, all occurring within a myriad of IT systems, is an extremely difficult task, and it will always be impossible to secure them completely. Replicating the hackers’ methods, specifically at the reconnaissance stage, namely trawling for the weak spots on a continuous basis, tends to be overlooked within industry best practices and regulatory requirements. Consider the highly regarded industry credit card security standard, PCI DSS, which regards quarterly network vulnerability scans and a once-a-year penetration test against key web applications as an acceptable level of security, but does not require any social engineering tests at all. Yet these practices, which are a direct replication of what the hackers do, need to be performed more frequently: IT systems rarely remain static, while new vulnerabilities come to light on a daily basis. We can take it as read that absolutely everything an organisation places on the Internet will be frequently checked for weaknesses by the bad guys, so you need to ask yourself why organisations aren’t checking for these weaknesses just as frequently, and fixing them before the bad guys get the opportunity to find and exploit them.

Becoming the Hacker is the Answer
In my view the best way to reduce the risk that external hacking presents is to not only think like a hacker, but to actually act like a hacker. Until organisations adopt this kind of mindset and approach, instead of following security standards and purchasing out-of-the-box security solutions like sheep, I think we are going to see plenty more hacking incidents and data breaches for some time to come yet.