The Evolution of Hacking and Enterprise Information Security

The Evolution of Hacking and Enterprise Information Security

Or, How Anonymous has changed us


This blog is about enterprise information security. (Just check the top of the page and you’ll see it right there in the tag line.) So I don’t often discuss current events. Generally, the things that grab news headlines are old news, or fluff security with little practical impact.

But the news stories lately surrounding Wikileaks, Anonymous and The Jester (th3j35t3r) are more than pop culture intersecting security. I believe these events reflect a shift in the nature of internet hackers. This shift has a direct impact on how enterprises need to secure their data.

As the internet rose from an inter-college network into the global web, so too arrived the first generation of hackers. These folks were a relatively small and interconnected group. Their primary interest was in testing the limits of systems, getting some fame for themselves, and having fun. They would create viruses, hack into networks, and deface websites mostly to show that they could.

The second generation of hackers arrived in force a few years later. This group consists of a folks who are in it for the money. Identity theft, phishing, spamming, and botnet herding are all illicit computer activities where the primary motivation is making money. Instead of looking for ways to show off their hacking skills, these folks did everything they could to keep their activities quiet and unnoticed for as long as possible.

The primary objective of hactivists is giving their targets a black eye.

And now we’re seeing another shift in the makeup of hackers. I call it generation 3. Not that our second generation has gone away, far from it. But we are now experiencing the arrival of the hacktivist  movement. Their primary objective being to disrupt service for, and give a black eye to, companies or organizations with whom they disagree.

This latest breed of hackers adds a new element of challenge for enterprise security practitioners. Because denial-of-service (DOS) attacks are the primary weapon of these hackers, security teams must focus much more on the availability of our sites than we had previously. In the past, our concerns about availability were primarily around handling usage spikes and growth. But with the abundant availability of tools like LOIC, a relatively small number of malicious users can completely take down even a very large server farm.

Even though we know that DOS attacks are more prominent, we are working with the same budgets we had last year. And it’s not like any of last year’s threats have disappeared. We can’t simply cut out our firewall budget and sign up for a DOS-mitigation service. As with all other aspects of our security program, this needs to be handled by considering of the probability of the threat to our organization, the damage it would cause us, and our risk tolerance.

A key component to our calculation is the idea of Target of Choice versus Target of Opportunity. The basic concept is that a Target of Choice is one who the hackers will actively seek out and work diligently to penetrate. A Target of Opportunity is one who the attackers will attack because it’s there, and looks vulnerable. (Think of it like a burglar. If a burglar is just walking down the street looking for a house with a window left open, that house would be a Target of Opportunity. But if the criminal knows Mr. Smith down the road has a bundle of cash in the house, he will attempt to break into that house even though it looks well protected. Mr. Smith is a Target of Choice.) By knowing whether we likely to be actively sought out as a target we can much more accurately assign a probability to the attack.

The impact to our organization is going to be a combination of the hard and soft costs of the site going down. Hard costs include things like sales lost due to unavailability, lost employee productivity, costs to bring in outside teams to assist in getting back online and researching the attack. Soft costs will include difficult to measure effects, such as the PR hit from being seen as having an insecure network. Determining the total effect for our organization takes a strong knowledge of the business itself, not just the technologies.

Do some research on what you can do to be prepared for a DOS. Look into tools like Arbor Networks’ DDOS mitigation service. By researching these technologies ahead of time, even if you know you won’t be making the investment now, you accomplish a couple of important things. First, you have numbers to make a better decision about whether the technology makes sense for you. Does that kind of financial outlay make sense for your organization, and your risk appetite?  Second, in the event that your risk equation makes a sudden dramatic change, you can have a plan in place for a quick implementation.

Your risk profile can change, sometimes very quickly. Some of those organizations who became a target of Anonymous probably would not have considered themselves a Target of Choice a year ago. But once they pulled their support of Wikileaks, they had a bull’s-eye on their backs. And when the news started coming out that Anonymous was taking out other targets that were associated with Wikileaks, the equation had obviously changed to the point where an attack become probable.

The information security world is continuously changing. Yet in many ways we’re using the same strategies, reading the same books, and implementing the same technologies we were 10 years ago. Defending our finances and data are no longer enough to keep our organization safe on the internet. We need to keep our company off of the front page. This new breed of hackers is not going away anytime soon. We need to adapt to them, as they certainly are adapting to circumvent us.

Connect with

Advertisements

The Department of No

On being the “Department of No”

When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules), or a referee (looking for those who play dirty). The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”

Being known as the “Department of No” is problematic. Once a reputation is established that information security is where good ideas go to die, people will start finding ways around it. Projects will get pushed through without security being involved or without being involved early enough to make a difference. Employees will structure their projects in such a way as to narrowly avoid getting security participation. Generally, security becomes a hindrance to the company, rather than the asset it needs to be.

The metaphor that best fits what information security should be is that of a skills coach. Be it a hitting coach in baseball or an offensive line coach in football, the skills coach exists to identify areas for improvement, and come along side his charges, to build them up.

While the cop or referee is there to identify mistakes and levy a punishment for them, the coach is there to help grow the skill-sets and foster the attitudes that will result in improved performance. The skills coach works as a partner with his players and helps them grow to become better contributors to the team.

Simply put, we can best avoid the “Department of No” label by saying “Yes” more often than “No.” And we can only do that if we are actively involved in the business of our coworkers. When we get involved with their procedure-level activities we can offer practical assistance in ways to become more secure and efficient. Once we get elbow deep into the work of our coworkers, they won’t be coming to us asking if their insecure systems are okay, instead we will have already created a secure system working side by side.

We are not the head coach of our companies. That’s the job of management. But we have been brought on board to give specific advice on how to perform their jobs the right way. By involving ourselves in their work before the security questions are asked, we can spend more time teaching, and less time fixing mistakes and saying “No.”

Connect with