Critical National Infrastructure (CNI) and the lessons learned from Lulzsec.
The recent hacking spree by Lulzsec has helped make hacktivism a household term. Although hacktivism is nothing new, it has undergone a rapid evolution that is driven and inspired by criminal, for-profit hacking. The Lulzsec team leveraged the methods and technologies used by private hackers to steal data and sell it on the black market. During the Cold War, we witnessed how military advances drove private sector--especially in aviation.
Today's robust criminal hacking industry has helped driving hacktivism.
To understand how Lulzsec could thrive requires an understanding of how criminal hacking operates. The Digital Age has created a huge, global black market for data. Today, mature online exchanges exist that resemble eBay in structure, only their focus is selling personal and corporate data of all kinds. For example, credit cards are put up for sale in a hacker forum.
Just a few months ago, a hacker offered to sell full administrative rights to several government, military and educational websites for $499. So, for the price of an iPad, you could have purchased the ability to control a US Army web site.
Earlier this year, a hacker tried to sell access to dating site eHarmony for $2,000.
And on it goes. Cumulatively, McAfee estimate sizes this market at $ I Trillion.
Of course, governments use hacking as a weapon, too. Hacking has enabled a new cold war with data theft as its objective. For instance, North Korea, it is rumored, graduates 100 government-certified hackers a year while China reportedly maintains six "Reconnaissance Bureaus" located across the country that engage in cyber attacks.
How are attacks executed? They're almost entirely automated. The online collaboration has inspired a cyber crime "industrial revolution" where attacks are automated and massive in scale. Research indicates that automated cyber attacks pollute between 40 and 50% of internet traffic.
The worst news? The good guys will always be behind the curve since hackers, by definition, are early adopters. Hacker forums, for instance, exemplify the spirit of web-based collaboration and education, offering a rich menu of tutorials, advice and technology designed to steal data.
Analysis of one forum, with 210,000 registered hackers, showed that approximately 25% of discussions were focused on hacking tutorials and techniques--ensuring a consistent supply of expertise.
The Lessons from Lulzsec for CNI
This episode highlights today's new reality: cyber attacks have become as extraordinarily dangerous. And it's a global issue: Germany's Der Spiegel reported recently that cyber-crime in Germany has reached an all-time high. All around the world, governments are facing the same challenge - building a national cyber-security strategy to protect their citizens. In the past, hackers have gone after power grids and military systems. What can be done to prevent a cyber disaster?
1. Centralizing all Internet communications of government organizations in one pipe under a single authority. Centralizing communications steals a page from China's Great Firewall--a single pipe controlled by one entity. Whereas the Chinese use this control to limit legitimate traffic, it can also greatly help limit bad traffic. For instance, when Agency A gets attacked from address B, this information can be proliferated almost instantly all other branches. Today, attack traffic comes from many known toxic sources, the challenge is to share this information quickly.
Also, governments should put in place an authority whose responsibility should be two-fold: one, to create robust monitoring and attack detection capabilities. The capabilities should span all communication layers, and in particular, the application layer. Second, the authority should set security standards which bind any government-affiliated organizations when adding new public-facing connections.
2. Protecting national communication backbones against denial-of-service attacks. Denial of service attacks are often the first attack of choice. Blunting them means:
* Ensuring enough internal redundancy.
* Maintaining enough redundancy with respect to out-of-country communication lines.
Timely detection of various types of attacks (including, even, the physical tampering of communication lines).
3. Engaging in a comprehensive and ongoing risk management process. National infrastructure systems (e.g. traffic control, train systems, and power grids) should first be evaluated according to their potential risk. As a second step, a thorough technical evaluation of the security posture of involved systems. Any further investment in protective controls should be guided by the results of the risk assessment process, directing resources at those places that are at highest risk or at a risk or at a worse security posture.
4. Focus on the data and applications. Citizen and military data are national assets. Governments should also ensure that this data -whether it is account numbers, health information or other Personal Identifying Information (PII) -is securely stored. This means defining exactly what constitutes sensitive information data and establishing requirements for security controls. It should also take into account Intellectual Property (IP). The perpetrators of IPtheft are often business competitors and nation-states, and since the victimized companies will require the assistance of their country, they therefore should be obliged to adhere to compliance standards.
One lesson from the recent, high profile, Lulzsec hacking spree was how many organizations failed to properly secure databases and applications. Fundamentally, Lulzsec was a team of hackers focused on breaking applications and databases, there were no virus or malware experts among them. They stole data from the FBI, PBS and Sony to name a few victims. This episode should bring attention to the fact that the center of gravity has shifted from firewalls and anti-virus to applications and databases. For security, this does not just mean "we have updated our anti-virus and put in place a network firewall." Rather, it also means "we have identified all sensitive data and have put in place technology with the audit and protection capabilities required to safeguard that data."
5. Performing hacker intelligence. Analyzing hacker activity- such as hacker tools, attack origins, and attractive targets- provides the authority to detect in a timely manner substantial attack campaigns against nation-based computers. Based on the data, the authority can also guide on the creation of proper defense mechanisms.
But to be broadly effective, cyber 'moles' will be an essential tool against hackers. Perhaps it's time to hit the accelerator on this approach.
6. Creating processes and tools for analyzing information. Receiving data from the private sector, and especially network carriers, can enhance the data analyzed by the authority's hacker intelligence. Further collaboration can include the detection of attacks that stem from the country and rooting out these machines on a regular basis.
Rob Rachwald, Director of Security Strategy and Noa Bar Yosef Senior Security Strategist at Imperva
|Printer friendly Cite/link Email Feedback|
|Author:||Rachwaid, Rob; Yosef, Noa Bar|
|Publication:||Database and Network Journal|
|Date:||Aug 1, 2011|
|Previous Article:||Dataguise teams with NetApp.|
|Next Article:||GFI Software reports continued malware infections.|