Sophisticated hackers, with totally different motives, are making life difficult for their targets, writes KARLIN LILLINGTON
IT SECURITY must once have seemed so (relatively) simple, at least in terms of hacker intent: hackers primarily stole information that could prove financially lucrative or valuable for state or corporate espionage.
Then, from late last year, along came the large-scale (and loosely related) “hacktivist” groups Anonymous and LulzSec, anarchic global collectives of technically sophisticated hackers with completely different motivations: social or political ideals, anger and, to some degree, personal amusement.
Initially they acted in response to government-led internet suppression in the developing world, then in fury over perceived lack of support for WikiLeaks. In recent months, the groups have successfully hacked and attacked many high-profile sites – from Visa to eBay, Booz Allen to Sony, claiming a range of reasons.
Now, fresh targets are anyone’s guess — most recently, it was News International.
Such groups have changed the hacking game. Attacks can now be broken down into two types, says Orla Cox, Symantec Ireland’s security operations manager – hacktivist-based attacks, and more traditional attacks “for the sake of stealing information”.
Hacktivist attacks tend to be more public, and usually, at least on the surface, more embarrassing because the intent is to make them highly visible and humiliating for the target, whereas more traditional hackers aim to be surreptitious thieves.
“They don’t want to be found, and in many cases, companies don’t want to admit they’ve been hacked,” she says.
With corporate targets, hacktivist groups don’t go after the usual trove of financially lucrative data. They want access to revealing e-mails and corporate files, often to post them publicly. They want to demonstrate how poorly protected many mainstream – including security company – websites and company servers are. They want to humiliate and punish select targets of their ire and it is hard to know what they will take once into a system.
“Companies are used to having to defend their financial sites, but not that used to thinking about e-mail systems, or the data being passed around the system,” says Ernst & Young Ireland’s Hugh Callaghan, who advises the financial services industry on IT security and has a particular interest in hacking.
Callaghan describes underground hacktivist networks as “loose collectives collaborating on projects”. Members of Anonymous have in the past defended such attacks as the online equivalent of a sit-down protest. The recent hack on the Sun newspaper website, claimed by LulzSec, is a good example. Hackers probed the site for a few weeks, seeking an entry point, the Guardian reported. The group eventually got in through a little-used duplicate “mirror” site with poor security.
The website at first showed fake stories, then redirected to LulzSec’s Twitter feed; later came suggestions LulzSec had downloaded data, including sensitive emails that might prove embarrassing to News International. In short: a mix of laughs, punishment, humiliation and potential data leakage.
Attacks generally are increasing and are costly to organisations, a report this week from HP states. It notes that the organisations surveyed experienced 72 successful attacks per week, up almost 45 per cent on last year.
The median annualised cost of cybercrime to a benchmark group of organisations was $5.9 million (€4.1 million) a year. More than 90 per cent of all costs originate in techniques common to hacktivist groups, such as denial of service and web-based attacks.
Where are organisations vulnerable? Using a web browser as an entry point for attacks is an increasingly common approach, says Callaghan, mainly because it is so often a poorly controlled gateway into an organisation’s internal network.
Web developers are not generally security specialists, he says. Web applications are also often developed in-house, so there is no vendor issuing security updates; the company itself must find and fix the flaws in them.
Callaghan says hackers will often look for the less secure areas of the website, such as the marketing section. Another problem – as with the Sun site – is that “maintenance is often not done in a timely way, and old or unused parts of functionality have weaknesses”.
The requests a hacker sends while probing a website for security holes look much like those of an ordinary visitor, making the probing very difficult to spot before entry, he says.
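Probing traffic does look like ordinary browsing request by request, but it rarely does in aggregate: a real visitor fetches a page and its assets and gets 200s, while a scanner walks through paths that do not exist and collects 404s, and it is exactly the retired or duplicate deployments Callaghan mentions that it is hunting for. The following is an added example, not code from the article or from any of the firms quoted in it, showing the kind of check a web team could run over its own access logs. It assumes the Apache/nginx “combined” log format, a made-up list of legacy path prefixes (the output of an inventory of old or unused functionality), illustrative thresholds, and constructed log lines in which both clients send the same browser User-Agent.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/nginx "combined" log layout (an assumption about the log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical prefixes of retired or duplicate deployments ("mirror" sites,
# old versions, backups). A real list comes from an inventory of the estate.
LEGACY_PREFIXES = ("/mirror/", "/old/", "/backup")


@dataclass
class ClientStats:
    requests: int = 0
    errors: int = 0                      # 4xx responses
    paths: set = field(default_factory=set)
    legacy_hits: int = 0                 # requests under LEGACY_PREFIXES
    user_agents: set = field(default_factory=set)


def parse_line(line):
    """Parse one combined-format log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines):
    """Aggregate per-client statistics over an iterable of log lines."""
    stats = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.requests += 1
        s.paths.add(rec["path"])
        s.user_agents.add(rec["ua"])
        if 400 <= rec["status"] < 500:
            s.errors += 1
        if rec["path"].startswith(LEGACY_PREFIXES):
            s.legacy_hits += 1
    return stats


def flag_probes(stats, min_requests=5, error_ratio=0.5):
    """Return {ip: [reasons]} for clients whose traffic looks like reconnaissance.

    Thresholds are illustrative and must be tuned against the site's own baseline;
    a broken link farm can also produce 404s, so treat hits as leads, not verdicts."""
    flagged = {}
    for ip, s in stats.items():
        if s.requests < min_requests:
            continue
        reasons = []
        if s.errors / s.requests >= error_ratio:
            reasons.append(f"{s.errors}/{s.requests} requests returned 4xx")
        if s.legacy_hits:
            reasons.append(f"{s.legacy_hits} hits on retired paths")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log. Both clients present the same browser User-Agent, so the
# UA string alone cannot separate them; only the shape of the traffic can.
UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 Firefox/5.0"
TS = "18/Jul/2011:22:14:03 +0100"


def _line(ip, path, status, size="-"):
    return f'{ip} - - [{TS}] "GET {path} HTTP/1.1" {status} {size} "-" "{UA}"'


SAMPLE_LOG = [
    # 203.0.113.5: ordinary reader, page plus its assets, all served.
    _line("203.0.113.5", "/", 200, 8120),
    _line("203.0.113.5", "/news/phone-hacking", 200, 14902),
    _line("203.0.113.5", "/css/site.css", 200, 3310),
    _line("203.0.113.5", "/js/site.js", 200, 2205),
    _line("203.0.113.5", "/images/logo.png", 200, 1140),
    # 198.51.100.7: walks guessed admin paths, then finds the forgotten mirror.
    _line("198.51.100.7", "/admin/", 404),
    _line("198.51.100.7", "/wp-login.php", 404),
    _line("198.51.100.7", "/phpmyadmin/", 404),
    _line("198.51.100.7", "/.git/config", 404),
    _line("198.51.100.7", "/backup.zip", 404),
    _line("198.51.100.7", "/old/index.php", 404),
    _line("198.51.100.7", "/mirror/", 200, 7990),
    _line("198.51.100.7", "/mirror/admin/login.php", 200, 1602),
]

if __name__ == "__main__":
    for ip, reasons in flag_probes(summarise(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Run on the sample, the reader is left alone and 198.51.100.7 is reported for its 404 ratio and its four hits under retired prefixes. The second signal is the cheap one to act on: if a path prefix is on the legacy list at all, the right fix is to remove the deployment rather than to keep watching who finds it.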
Cox says hacktivists tend to get into networks using known vulnerabilities, and when they do not break in at all their chosen mode of attack can be difficult to protect against – a denial of service attack, for example, where a website is bombarded with so many access requests that it cannot cope and is brought down.
Experts now advise that preventing entry may be futile. “Someone with resources, motivation, and technical skill will almost always circumvent the system,” says Callaghan.
A recent Ernst & Young report argued that companies need to assume that parts of their networks may be compromised and instead focus on identifying the breach, containing it, and then recovering from the breach. “A different mindset needs to be applied, not just ‘detect and prevent’. We still have this concept of a hard shell – that either you’re inside or outside,” he says.
Organisations increasingly must think in terms of network “perimeters” and a “core”. If the perimeter is breached, the idea is that sensitive data can be locked down inside the core.
This approach is echoed in a new report entitled When Advanced Persistent Threats Go Mainstream, from the Security for Business Innovation Council, which brings together security executives from 16 multinational companies. It notes that sophisticated hacker techniques once limited to organised cybercrime groups working on behalf of nation-states – “advanced persistent threats” – have now “gone viral” and mainstream.
Such attacks typically require months of planning and often make use of “social engineering” – tricking individuals into opening e-mails or files, or plugging in USB sticks carrying malware, so that they unwittingly let the attacker in. They have not, at least yet, been used in hacktivist attacks, says Cox.
“Hacktivists are pretty much smash and grab. They act quickly, usually in response to some media story.”
Council member EMC, which owns security company RSA, says organisations need to move their security focus from “preventing infiltration to detecting attacks and mitigating damage as quickly as possible”, according to a statement from EMC Ireland.
Cox says such a “layered approach” to security is best for all types of hackers – try to prevent entry to systems, but then prioritise keeping attackers from getting data out.
For any organisation in this changing hacker landscape, security is never “done”, says Callaghan. “Security is both a process and an end result. It is not an enduring state, and needs to be maintained – and that’s where a lot of companies fall down.”