The Evolution of Hacking and Enterprise Information Security
Or, How Anonymous has changed us
This blog is about enterprise information security. (Just check the top of the page and you’ll see it right there in the tag line.) So I don’t often discuss current events. Generally, the things that grab news headlines are old news, or fluff security with little practical impact.
But the news stories lately surrounding Wikileaks, Anonymous and The Jester (th3j35t3r) are more than pop culture intersecting security. I believe these events reflect a shift in the nature of internet hackers. This shift has a direct impact on how enterprises need to secure their data.
As the internet rose from an inter-college network into the global web, so too arrived the first generation of hackers. These folks were a relatively small and interconnected group. Their primary interest was in testing the limits of systems, getting some fame for themselves, and having fun. They would create viruses, hack into networks, and deface websites mostly to show that they could.
The second generation of hackers arrived in force a few years later. This group consists of folks who are in it for the money. Identity theft, phishing, spamming, and botnet herding are all illicit computer activities where the primary motivation is making money. Instead of looking for ways to show off their hacking skills, these folks did everything they could to keep their activities quiet and unnoticed for as long as possible.
The primary objective of hactivists is giving their targets a black eye.
And now we’re seeing another shift in the makeup of hackers. I call it generation 3. Not that our second generation has gone away, far from it. But we are now experiencing the arrival of the hacktivist movement. Their primary objective is to disrupt service for, and give a black eye to, companies or organizations with whom they disagree.
This latest breed of hackers adds a new element of challenge for enterprise security practitioners. Because denial-of-service (DOS) attacks are the primary weapon of these hackers, security teams must focus much more on the availability of our sites than we had previously. In the past, our concerns about availability were primarily around handling usage spikes and growth. But with the abundant availability of tools like LOIC, a relatively small number of malicious users can completely take down even a very large server farm.
Even though we know that DOS attacks are more prominent, we are working with the same budgets we had last year. And it’s not like any of last year’s threats have disappeared. We can’t simply cut out our firewall budget and sign up for a DOS-mitigation service. As with all other aspects of our security program, this needs to be handled by considering the probability of the threat to our organization, the damage it would cause us, and our risk tolerance.
A key component of our calculation is the idea of Target of Choice versus Target of Opportunity. The basic concept is that a Target of Choice is one whom the hackers will actively seek out and work diligently to penetrate. A Target of Opportunity is one whom the attackers will attack because it’s there and looks vulnerable. (Think of it like a burglar. If a burglar is just walking down the street looking for a house with a window left open, that house would be a Target of Opportunity. But if the criminal knows Mr. Smith down the road has a bundle of cash in the house, he will attempt to break into that house even though it looks well protected. Mr. Smith is a Target of Choice.) By knowing whether we are likely to be actively sought out as a target, we can much more accurately assign a probability to the attack.
The impact to our organization is going to be a combination of the hard and soft costs of the site going down. Hard costs include things like sales lost due to unavailability, lost employee productivity, and the cost of bringing in outside teams to assist in getting back online and researching the attack. Soft costs include effects that are difficult to measure, such as the PR hit from being seen as having an insecure network. Determining the total effect for our organization takes a strong knowledge of the business itself, not just the technologies.
Do some research on what you can do to be prepared for a DOS. Look into tools like Arbor Networks’ DDOS mitigation service. By researching these technologies ahead of time, even if you know you won’t be making the investment now, you accomplish a couple of important things. First, you have numbers to make a better decision about whether the technology makes sense for you. Does that kind of financial outlay make sense for your organization, and your risk appetite? Second, in the event that your risk equation makes a sudden dramatic change, you can have a plan in place for a quick implementation.
Your risk profile can change, sometimes very quickly. Some of the organizations that became a target of Anonymous probably would not have considered themselves a Target of Choice a year ago. But once they pulled their support of Wikileaks, they had a bull’s-eye on their backs. And when the news started coming out that Anonymous was taking out other targets associated with Wikileaks, the equation had obviously changed to the point where an attack became probable.
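As an added illustration (not part of the original post), here is a small Python model of the risk equation described above: the probability of an attack depends on whether we are a Target of Opportunity or a Target of Choice, the impact is the sum of hard and soft outage costs, and the result is weighed against our risk tolerance and the price of a DOS-mitigation service. Every figure in it is a constructed placeholder, not measured data.

```python
from dataclasses import dataclass

# Constructed annual probabilities that a DOS attack is actually launched
# against us, by target class (illustrative values, not statistics).
ATTACK_PROBABILITY = {"opportunity": 0.05, "choice": 0.60}


@dataclass
class DosImpact:
    """Cost of one successful DOS outage, split into hard and soft costs."""
    hours_down: float              # expected outage length if an attack lands
    sales_per_hour: float          # hard: revenue lost per hour offline
    productivity_per_hour: float   # hard: idle staff cost per hour offline
    response_cost: float           # hard: outside help to recover and investigate
    reputation_cost: float         # soft: estimated PR / customer-trust damage

    def hard_cost(self) -> float:
        hourly = self.sales_per_hour + self.productivity_per_hour
        return self.hours_down * hourly + self.response_cost

    def total(self) -> float:
        return self.hard_cost() + self.reputation_cost


def expected_loss(target_class: str, impact: DosImpact) -> float:
    """Annualised expected loss: probability of attack times impact."""
    return ATTACK_PROBABILITY[target_class] * impact.total()


def mitigation_decision(target_class: str, impact: DosImpact,
                        mitigation_cost: float, risk_tolerance: float) -> str:
    """'accept' if the expected loss is within our tolerance, 'buy' if it also
    exceeds the yearly price of mitigation, otherwise 'plan' (research and
    prepare now so the service can be switched on quickly if the profile shifts)."""
    loss = expected_loss(target_class, impact)
    if loss <= risk_tolerance:
        return "accept"
    return "buy" if loss > mitigation_cost else "plan"


# Constructed example organisation: same outage impact, but the decision flips
# once it moves from Target of Opportunity to Target of Choice.
EXAMPLE_IMPACT = DosImpact(hours_down=24, sales_per_hour=5000,
                           productivity_per_hour=1000,
                           response_cost=40000, reputation_cost=100000)
MITIGATION_COST = 60000   # assumed yearly price of a DDOS-mitigation service
RISK_TOLERANCE = 25000    # assumed expected loss we are willing to carry

if __name__ == "__main__":
    for cls in ("opportunity", "choice"):
        print(cls, round(expected_loss(cls, EXAMPLE_IMPACT)),
              mitigation_decision(cls, EXAMPLE_IMPACT, MITIGATION_COST, RISK_TOLERANCE))
```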
The information security world is continuously changing. Yet in many ways we’re using the same strategies, reading the same books, and implementing the same technologies we were 10 years ago. Defending our finances and data is no longer enough to keep our organization safe on the internet. We need to keep our company off of the front page. This new breed of hackers is not going away anytime soon. We need to adapt to them, as they certainly are adapting to circumvent us.