cni and the lessons of lulzsec article 04 jul 2011

CNI and the Lessons learned from Lulzsec
By Rob Rachwald, Director of Security Strategy, and
Noa Bar Yosef, Senior Security Strategist at Imperva

Hacktivism and Its Criminal Inspiration
The recent hacking spree by Lulzsec has helped make hacktivism a household term. Although
hacktivism is nothing new, it has undergone a rapid evolution that is driven and inspired by
criminal, for-profit hacking. The Lulzsec team leveraged the methods and tools that for-profit
hackers use to steal data and sell it on the black market. During the Cold War we witnessed
how military advances drove the private sector, especially in aviation. Today's robust criminal
hacking industry has likewise helped drive hacktivism.
Understanding how Lulzsec could thrive requires understanding how criminal hacking
operates. The Digital Age has created a huge, global black market for data. Today, mature
online exchanges exist that resemble eBay in structure, only their focus is selling personal and
corporate data of all kinds. For example, credit cards are put up for sale in this hacker forum:

Just a few months ago, a hacker offered to sell full administrative rights to several government,
military and educational websites for $499. So, for the price of an iPad, you could have
purchased the ability to control a US Army web site:
Earlier this year, a hacker tried to sell access to dating site eHarmony for $2,000.
And on it goes. Cumulatively, McAfee estimates the size of this market at $1 trillion.
Of course, governments use hacking as a weapon, too. Hacking has enabled a new cold war with
data theft as its objective. For instance, North Korea, it is rumored, graduates 100 government-
certified hackers a year while China reportedly maintains six “Reconnaissance Bureaus” located
across the country that engage in cyber attacks.
How are attacks executed? They are almost entirely automated. Online collaboration has
inspired a cyber crime "industrial revolution" in which attacks are automated and massive in scale.
Research indicates that automated cyber attacks account for between 40 and 50% of internet traffic.
Below is a picture showing the output of one automated attack, producing 5,012 vulnerable
The worst news? The good guys will always be behind the curve, since hackers are, by definition,
early adopters. Hacker forums, for instance, exemplify the spirit of web-based collaboration
and education, offering a rich menu of tutorials, advice and technology designed to steal data.
Analysis of one forum, with 210,000 registered hackers, showed that approximately 25% of
discussions focused on hacking tutorials and techniques, ensuring a consistent supply of

The Lessons from Lulzsec for CNI
This episode highlights today's new reality: cyber attacks have become extraordinarily
dangerous. And it is a global issue: Germany's Der Spiegel reported recently that cyber-crime in
Germany has reached an all-time high. All around the world, governments are facing the same
challenge: building a national cyber-security strategy to protect their citizens. In the past,
hackers have gone after power grids and military systems. What can be done to prevent a cyber
1. Centralizing all Internet communications of government organizations in one pipe under a
single authority. Centralizing communications steals a page from China's Great Firewall: a
single pipe controlled by one entity. Whereas the Chinese use this control to limit legitimate
traffic, the same control can greatly help limit bad traffic. For instance, when Agency A is attacked
from address B, that information can be propagated almost instantly to all other branches. Today,
attack traffic comes from many known toxic sources; the challenge is to share this information
quickly. A single pipe is also a single point of failure and an attractive target in its own right, so
the pipe itself needs the redundancy and detection capabilities described in the points that follow.
Governments should also put in place an authority whose responsibility is two-fold: first, to
create robust monitoring and attack-detection capabilities spanning all communication layers,
and in particular the application layer; second, to set security standards that bind any
government-affiliated organization when it adds new public-facing connections.
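As an added example that is not part of the original article, the following Python script sketches the sharing mechanism described in point 1 and the automated-attack traffic described earlier: each agency extracts attacking source addresses from its own web server logs, and a central authority merges the reports into one blocklist. The log lines, agency names "A" and "B", attack signatures, one-hour expiry window and allowlist are all constructed for illustration; a real deployment would feed this from the agencies' actual logs and a maintained signature set.

```python
"""Shared attack-source blocklist built from several agencies' web logs.

Added example for illustration (not from the Imperva article). Everything
below (log lines, agency names, signatures, expiry window, allowlist) is
constructed; real deployments would feed this from the agencies' own logs.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache/nginx "combined" access-log line, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude signatures of automated probes (SQL injection, XSS, path traversal).
ATTACK_SIGS = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./\.\./"),
    re.compile(r"(?i)/etc/passwd"),
]

# Addresses that mean nothing outside the reporting agency's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return {ip, ts, path, status} for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": unquote(m.group("path")),  # decode %27, %3C ... before matching
        "status": int(m.group("status")),
    }


def is_attack(path):
    """True if the (decoded) request path matches any probe signature."""
    return any(sig.search(path) for sig in ATTACK_SIGS)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_indicators(lines):
    """One agency's view: attacking source IP -> {"last_seen", "hits"}."""
    found = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_attack(rec["path"]):
            continue
        entry = found.setdefault(rec["ip"], {"last_seen": rec["ts"], "hits": 0})
        entry["hits"] += 1
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return found


def build_shared_blocklist(reports, allowlist, now, ttl):
    """Central authority's merge of {agency: extract_indicators(...)} reports.

    Drops internal addresses (meaningless to other agencies), allowlisted
    hosts (e.g. the authority's own scanner) and sightings older than ttl,
    so a stale or purely local report never becomes a block for everyone.
    """
    merged = {}
    for agency, indicators in reports.items():
        for ip, info in indicators.items():
            if is_internal(ip) or ip in allowlist or now - info["last_seen"] > ttl:
                continue
            entry = merged.setdefault(
                ip, {"agencies": set(), "hits": 0, "last_seen": info["last_seen"]})
            entry["agencies"].add(agency)
            entry["hits"] += info["hits"]
            entry["last_seen"] = max(entry["last_seen"], info["last_seen"])
    return merged


# Constructed sample logs from two hypothetical agencies (documentation IP ranges).
AGENCY_A_LOG = [
    '203.0.113.5 - - [04/Jul/2011:10:00:01 +0000] "GET /news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Jul/2011:10:00:02 +0000] "GET /news.php?id=1%27%20or%20%271%27=%271 HTTP/1.1" 500 0',
    '198.51.100.7 - - [04/Jul/2011:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [04/Jul/2011:10:02:00 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
]
AGENCY_B_LOG = [
    '192.0.2.44 - - [04/Jul/2011:09:00:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700',
    '203.0.113.5 - - [04/Jul/2011:10:05:00 +0000] "GET /login.asp?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 300',
    '192.0.2.200 - - [04/Jul/2011:10:06:00 +0000] "GET /admin/../../../../etc/passwd HTTP/1.1" 403 0',
]
ALLOWLIST = {"192.0.2.200"}  # hypothetical: the authority's own vulnerability scanner
NOW = datetime(2011, 7, 4, 10, 10, tzinfo=timezone.utc)


def demo():
    """Merge both agencies' reports with a one-hour expiry window."""
    reports = {"A": extract_indicators(AGENCY_A_LOG),
               "B": extract_indicators(AGENCY_B_LOG)}
    return build_shared_blocklist(reports, ALLOWLIST, NOW, timedelta(hours=1))


if __name__ == "__main__":
    for ip, info in demo().items():
        print(ip, sorted(info["agencies"]), info["hits"], info["last_seen"].isoformat())
```

Run as written, only 203.0.113.5 survives the merge: it was seen by both agencies, so the shared list carries that corroboration. The private 10.0.0.9 sighting, the allowlisted scanner and the 09:00 sighting (older than the one-hour window) are filtered out, which is the point of putting a gate between "Agency A saw this" and "everyone now blocks this".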
2. Protecting national communication backbones against denial-of-service attacks. Denial of
service attacks are often the first attack of choice. Blunting them means:
    • Ensuring enough internal redundancy.
    • Maintaining enough redundancy with respect to out-of-country communication lines.
    • Timely detection of various types of attacks (including, even, the physical tampering of
        communication lines).
3. Engaging in a comprehensive and ongoing risk management process. National
infrastructure systems (e.g. traffic control, train systems and power grids) should first be
evaluated according to their potential risk. As a second step, a thorough technical evaluation of
the security posture of the systems involved should be performed. Any further investment in
protective controls should be guided by the results of the risk assessment, directing resources to
the systems that are at highest risk or have the weakest security posture.
4. Focus on the data and applications. Citizen and military data are national assets.
Governments should ensure that this data, whether account numbers, health information or other
Personally Identifiable Information (PII), is securely stored. This means defining exactly what
constitutes sensitive data and establishing requirements for the security controls that protect it.
It should also take into account Intellectual Property (IP). The perpetrators of IP theft are often
business competitors and nation-states, and since the victimized companies will require the
assistance of their country, they should in turn be obliged to adhere to compliance
One lesson from the recent, high-profile Lulzsec hacking spree was how many organizations
failed to properly secure databases and applications. Fundamentally, Lulzsec was a team of
hackers focused on breaking applications and databases; there were no virus or malware experts
among them. They stole data from the FBI, PBS and Sony, to name a few victims. This episode
should bring attention to the fact that the center of gravity has shifted from firewalls and anti-
virus to applications and databases. For security, this does not just mean "we have updated our
anti-virus and put in place a network firewall." Rather, it also means "we have identified all
sensitive data and have put in place technology with the audit and protection capabilities required
to safeguard that data."
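Added example, not from the article: the kind of application-layer weakness that lets a team with no malware expertise walk off with a database through a public web page. A news lookup builds its SQL by string concatenation, so the request parameter becomes part of the query and a UNION turns the page into a dump of the users table; the hardened version validates the input type and binds it as a parameter. The schema, rows, placeholder "hashes" and payloads are all constructed.

```python
"""Vulnerable versus hardened database lookup behind a public web page.

Added example (not from the article). Schema, rows and payloads are
constructed; the password "hashes" are placeholders, not real digests.
"""
import sqlite3


def make_db():
    """In-memory stand-in for a site's database: public news plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO news VALUES (1, 'Budget approved', 'Public notice');
        INSERT INTO news VALUES (2, 'Road closure', 'Public notice');
        INSERT INTO users VALUES (1, 'admin', 'placeholder-hash-1');
        INSERT INTO users VALUES (2, 'jdoe', 'placeholder-hash-2');
    """)
    return conn


def get_news_vulnerable(conn, news_id):
    """Builds the query by concatenation: whatever the client sends becomes SQL."""
    sql = "SELECT id, title, body FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def get_news_hardened(conn, news_id):
    """Checks the type, then binds the value; the driver never parses it as SQL."""
    try:
        ident = int(news_id)
    except (TypeError, ValueError):
        raise ValueError("news_id must be an integer")
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (ident,)).fetchall()


def hardened_rejects(conn, payload):
    """True if the hardened lookup refuses the payload instead of running it."""
    try:
        get_news_hardened(conn, payload)
    except ValueError:
        return True
    return False


# Constructed payloads of the kind an automated SQL injection tool sends
# in place of a legitimate "?id=1".
TAUTOLOGY = "1 OR 1=1"
UNION_DUMP = "0 UNION SELECT id, username, password_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("legit:      ", get_news_vulnerable(db, "1"))
    print("tautology:  ", get_news_vulnerable(db, TAUTOLOGY))
    print("union dump: ", get_news_vulnerable(db, UNION_DUMP))  # users table leaks
    print("hardened rejects dump:", hardened_rejects(db, UNION_DUMP))
```

The vulnerable lookup returns every news row for the tautology and the usernames and password hashes for the UNION payload, with no malware involved at any point; the database simply does what the application asked. Parameter binding is the fix, and the audit capability the text calls for is what would reveal a public "news" page suddenly reading from the users table.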
5. Performing hacker intelligence. Analyzing hacker activity, such as hacker tools, attack
origins and attractive targets, allows the authority to detect substantial attack campaigns against
the nation's computers in a timely manner. Based on this data, the authority can also guide the
creation of proper defense mechanisms.
But to be broadly effective, cyber "moles" will be an essential tool against hackers. Perhaps it is
time to hit the accelerator on this approach.
6. Creating processes and tools for analyzing information. Receiving data from the private
sector, and especially from network carriers, can enrich the data analyzed by the authority's hacker
intelligence function. Further collaboration can include detecting attacks that originate within the
country and rooting out the compromised machines on a regular basis.
