Cyber attacks appear to have reached an epidemical scale, why?
Firstly we must take into account the public breach disclosure laws, which have been introduced in recent years stateside. The majority of US businesses now have a legal obligation to publicly announce data breaches, so we are becoming more aware of more data breaches than ever. In the past many data breaches were kept secret and we, the public, just never found out about them. This breach secrecy still exists in the UK today, where only public sector organisations have an obligation to disclosure data breaches to the Information Commissioners Office. And so the vast majority of UK private sector data breaches are still not making it into the media headlines, which is bad, as public data breach disclosure is an important driver for wholesale information security improvement, a subject which I have already discussed in an earlier post. http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html
Secondly some of the Groups behind these attacks, like Anonymous and LulzSec, are in the business of celebrating their attacks, promoting their organisation and particularly their ideology; these two groups really do see themselves as being righteous. To be honest I can’t help but smile when I visit the LulzSec website http://lulzsecurity.com/. Groups like these are claiming responsibility, and are even telling us in advance who they are going to attack next, LulzSec even asks for suggestions on who they should attack next. So when we are told they are going to attack a organisation that they have taken exception to, and that organisation’s website goes down the next day, it really leaves the target organisation with no option but to come clean to the world. So making the media headlines, even when no data loss has occurred, normally such breaches wouldn’t be disclosed and be put down to a technical issue.
Are cyber attacks becoming more sophisticated?
This is a question being frequently asked by the media at the moment, I would have to say the current wave of cyber attacks are in general not any more sophisticated of those of the past few years. By nature most of these attacks do have a certain level of sophistication to them, in that targets are being specifically selected, reconnaissance and research is being done, and some of the attacks have several stages to them, but hacking has always been this way. If you look at both the technical and human vulnerabilities these attacks are exploiting, I have to say we aren’t really seeing anything new with most of the recent breaches.
RSA Breach – The hacker(s) targeted specific RSA staff with malware. Specifically sending targeted individuals crafted Emails (known as Spear Phishing) with a malware infected attachment, namely an Excel Spreadsheet which held a Flash executable, which in turn installed a piece of malware called Poison Ivy. This provided a “way in” to the RSA internal network, and exploited a non-public (zero day) vulnerability, and as such was undetected by RSA’s malware prevention, but this attack also relied on the RSA employees opening the infected file, which in turn installed the malware. The second stage of this attack, namely stealing RSA SecurID seed data, is probably a failing of not having adequate internal data protection, protecting what is very clearly high valued information, something I’m sure that has been rectified now.
Sony PSN Breach – Unpatched systems and poor system architecture led to this breach; this is really basic Security 101. Indeed many hobbyist hackers had been more than aware of Sony’s PSN weaknesses for years.
Barracuda Networks – Was the subject of a successful SQL Injection attack, which is an easy to fix web application vulnerability which has been known about for over 10 years. Considering Barracuda are in the business of providing Web Application Security solutions, this is particularly embarrassing for them. However credit where credit is due, they did a great job in publicly announcing their data breach, providing specific details of the attack. RSA and Sony should take note, as this is the right way to handle a data breach, namely being open and honest, as this increases general awareness and allows everyone to learn from the mistakes. http://www.barracudalabs.com/wordpress/index.php/2011/04/26/anatomy-of-a-sql-injection-attack/
Sony Pictures – Again, SQL Injection, an old Web Application vulnerability.
Citigroup – Customer account data theft, again this hack is said to have taken advantage of well known web application vulnerability.
IMF – Subject of a “Spear phishing” email attack.
Google – Account theft of high profile users, another Spear Phishing email attack
CodeMasters - Personal info stolen via website, against well known web application vulnerability
Lockheed Martin – Use of compromised RSA SecurID Tokens, I don’t know all the details yet, I’m guessing there was a social engineering element to it.
Visa, the Spanish Police, US Senate & CIA websites all taken down - All done with by Distributed Denial of Service (DDoS) attacks. According to LulzSec, the CIA website was taken down by a “very simple DoS packet flood”, which says it all.
Security Complacency: Mice that stand still, get caught!
Security has always been a game of cat and mouse, with the good guys trying to stay one step ahead, trying to outwit the bad guys who are continuingly seeking ways to beat the security barriers placed in their way. Maybe we have reached a stage where we are standing still again, with too much patting ourselves on the back for a job well done. Perhaps we are becoming over arrogant and believing too much in vendor out of box solution promises, and relying too much on just best practices and information security standards. If we buy product x and follow what y says, we’re secure, job done? No, this is never the case. Information Security cannot be bought out of the box, nor can it be done properly by following a tick box approach to a list of requirements. All organisations are unique, as is the information flow within them, the best practice and vendor glove will not fit, to avoid being frost bitten by data breaches, you need to nit your own information security glove to fit correctly to the organisation, and it’s ever changing informational needs.
However securing large organisations with complicated and ever changing information flows, all occurring within a myriad of IT systems, is an extremely difficult task, and will always be impossible to completely secure. Replicating the hackers methods, specifically at the reconnaissance stage, which is namely trawling for the weak spots on a continuous basis, tends to be overlooked within industry best practices and regulatory requirements. Consider the highly regarded industry credit card security standard, PCI DSS, which sees as an acceptable level of security; network vulnerability scans on a quarterly basis and once a year penetration tests against key web applications, but does not require any social engineering tests at all. Yet these practices, which are a direct replication of what the hackers do, needs to be performed more frequently. IT systems rarely remain static while new vulnerabilities come to light on a daily basis. We can take it as red that absolutely everything an organisation places on the Internet, will be frequently checked for weaknesses by the bad guys, so you need to ask yourself why organisations aren't checking for these weaknesses just as frequently, and fixing them before the bad guys get opportunity to find and to exploit them.
Becoming the Hacker is the Answer
In my view the best way to reduce the risk that external hacking presents, is to not only think like a hacker, but to actually act like a hacker. Until organisations adopt this kind of mindset and approach, instead of following security standards and purchasing out-of-the box security solutions like sheep, I think we are going to see plenty more hacking incidents and data breaches for some time to come yet.