New Perils in a Connected World – by Stew Nelson
If you are the typical American corporation, I will bet you “Dollars to Donuts” that you will be hacked at some time and, worse yet, you probably won’t even know you were hacked! Further, if you do discover that you were hacked, there is a good chance that you will be reluctant to reveal details to the public for fear of subjecting yourself to fines and/or regulator scrutiny. Take the case of DuPont: last fall it was publicly revealed that the giant chemical company was a victim of a 2009 network intrusion. This information became public not through an announcement by DuPont but through a series of emails posted on the internet. How did the emails get posted on the internet, you might ask? That question is the irony of this whole story, as the attack itself was the subject of over 44,000 email conversations between DuPont, numerous other Fortune 1000 companies, and HBGary Federal, a “threat security” firm whose servers were hacked and whose leaked emails were posted on various internet sites, purportedly by “Anonymous,” an infamous international group of hackers. It seems “Anonymous” was angered by the HBGary Federal CEO’s recent public threat in the Financial Times that he would bring them down by exposing their identities.
DuPont’s network was not the only one compromised!
Google, General Electric, Walt Disney, Johnson & Johnson, Sony, Adobe, Juniper Networks, Northrop Grumman and Intel were all targets of a related series of sophisticated intrusions allegedly perpetrated by Chinese hackers to gain trade secrets from a “Who’s Who” of blue chip American companies. A subsequent investigation of the intrusion by DuPont’s internal security team revealed that several laptops were compromised while they were stored in a safe while their owners were on a business trip in China. In fact, so many companies were part of this series of intrusions thought to have originated in China that it was given a code name: “Operation Aurora”. From what I can tell, Google was one of a few brand names that admitted they were the target of a cyber assault team.
How do companies that spend millions on security still get hacked?
It is becoming clear to me that no matter how much money you spend on network security and firewalls, the hackers can still find a way through them or around them. The latest tactic seems to be targeted phishing e-mails, sent to a small number of strategic individuals, that can fool even the most savvy computer users. This new strategy is called “spear-phishing.” Late last week Google announced that they had detected clever emails sent to senior government officials to steal passwords to their Gmail accounts. If the unsuspecting recipient clicked on a link, they were redirected to a Google Logon Screen that was a near perfect replica of the actual screen. Passwords and IDs could then be revealed to the patient hackers. RSA, a network security firm owned by EMC, provides details of how determined spear-phishers made their end-around moves against RSA’s own firewall in a fascinating blog entry entitled “Anatomy of an Attack”. RSA makes network security tags that are used by hundreds of military and civilian users in many of the top defense contractors, including Lockheed Martin. It is unclear if the hackers used any stolen RSA keys to perpetrate the attack on Lockheed.
First, no matter how secure you think you are, the “perps” can still get in or around your defense perimeters. Second, your employees need to know that the bad guys are using Facebook, Twitter and other social media sites to learn more personal information about them so they can hunt them down in spear-phishing attacks. Lastly, it takes both good technology and ever vigilant employees to thwart these Advanced Persistent Threat attacks, or APTs, as they are now referred to. Promise me that one day soon you will sit down with the key players in your organization and examine what is behind your firewall that you would not want to share with the outside world, because one day you will. You better have an action plan and practice it like a fire drill, because the implications of a breach can be more devastating than a fire; at least you have insurance for a fire. Do you have insurance for a data breach? Hmmm?