Hacking Team and other breaches as security lessons learned

Recent aggressive hacks on companies underline the need for good risk analysis, situational awareness, and incident response. Just ask AshleyMadison, Hacking Team, and Sony Pictures.

Recent aggressive hacks on companies underline the need for good risk analysis, situational awareness, and incident response. Just ask AshleyMadison, Hacking Team, and Sony Pictures.

If you are in charge of defending IT systems you know there’s a big difference between an attacker who is trying to steal payment card data and an aggressive assault by folks who wants to expose your internal emails and trash your servers and/or reputation. In the last twelve months we’ve seen a number of high profile attacks that were not straightforward grabs for monetary instruments or intellectual property (although there were plenty of those as well). So what can we learn from these aggressive attacks, like the one on the Italian “security” company called Hacking Team, or AshleyMadison, and SonyPictures?

Recently I presented a 55 minute webinar on this topic, a recording of which you can view if you scroll down the page. The following paragraphs distil some of the observations I made.

Risk analysis

Whenever an endeavor fails or suffers a setback, for example a company’s deepest secrets are exposed on the Internet, it makes sense to ask: what went wrong? Often the answer boils down to failure to fully understand and account for the risks that the undertaking faced. For example, some of the largest fines handed down for medical record breaches were triggered by the covered entity’s failure to perform an adequate risk analysis of the systems on which the records were stored.

Of course, the need for risk analysis extends well beyond IT systems, indeed, IT risk analysis is really a subset of organizational risk analysis, itself part of risk management. The International Organization for Standardization has a bunch of standards for risk management, known as ISO 31000. Risk is defined therein as the “effect of uncertainty on objectives” where an effect can be a positive or negative deviation from what is expected. That’s right, not all risks are bad (after all, there is a risk that the Kickstarter for your biopic of a legendary musician will get funded, and your risky decision to get out of security and into movies could prove fortunate, especially if the world suddenly turns its back on cybercrime).

The Institute of Risk Management defines risk as “The combination of the probability of an event and its consequence” where “consequences can range from positive to negative.” Events with negative consequences are those that have the potential to adversely impact your organization’s objectives; and the risk of such events needs to be addressed at multiple levels: strategic, tactical and operational. Such risks need to be well-researched and accounted for in the organization’s risk management efforts. (If you are new to risk assessment and management you might want to check out my webinar on the basics as they relate to data and IT systems.)

What can we learn about IT risks from these recent “aggressive attacks” that include elements of revenge, spite, politics, intimidation, and hacktivism? The first lesson is that the risk of attacks of this nature is higher than it has ever been. This is not to say that there has been a decline in the risk level of more conventionally motivated cybercrimes (data theft/ransom, DDoS extortion, wire fraud, account credential abuse for gain, and sundry other scams). The point is, these days people who take issue with your organization have, for reasons I explain later, much greater access to hacking expertise today than ever before.

Unfortunately, too many organizations approach IT risk analysis in isolation from other aspects of the organization, often working to a checklist of the usual suspects, from malicious code infection to employee sabotage to power outage. Sure, those threats are important, and so are the controls that you put in place to mitigate them (such as antimalware, strong authentication, encryption and backup/recovery systems); however, you and your organization need to be sure you are objectively assessing the lengths to which some people will go to thwart your objectives through systems abuse.

Situational awareness

What seems to be missing in the risk analysis of some organizations, including those victims that I mentioned at the outset of this article, is situational awareness. In the context of today’s highly connected global society, situational awareness at the organizational level means knowing who doesn’t feel good about your organization. Why do you need to know this? Because people who don’t feel good about your organization may be moved to act against it. This has always been a challenge for human endeavors, from running a business to any other form of getting together to get something done, but four factors have made that challenge tougher to meet today:

  1. The population of people who can find out what you do is larger than ever.
  2. The chances of someone objecting to what you do are greater than ever.
  3. The means of taking action against you are cheaper, more numerous, and more widely available than ever.
  4. The ability of your organization to function in the world while keeping secrets from it is probably less than you’ve been thinking.

For example, let’s say you want to sell software that enables one group of people to spy on another. It is reasonable to expect that some people will object to that activity, and to your organization, if they know this is its business model. Then, if you put that business model on the global web, which is a good place to advertise some–but not all–goods and services, haven’t you just painted a target on your operations? If so, your information security strategy needs to account for that.

You might think you have a good explanation for what your business does and a noble mission statement to back that up, but realistically not everyone is going to buy your spin. In other words, expect trouble. And if you have been using too much spin, that is, your actions do not align with your declared aspirations, you have a tough choice to make: fess up or deny. And before you make that choice, see #4 above. Whoever exposed Hacking Team’s internal documents gave the world proof that the company had done in private things that it denied in public.

Everyone’s a hacker baby

That’s no lie (with apologies to Hot Chocolate). This headline is true because these days anyone can go online and hire a hacker. Has your organization been telling itself not to worry about hacking attacks because your opponents are technically unsophisticated? Guess what, they just rented a hacker and pointed him in your direction (sadly, it pretty much always is a “he” that is doing this). This new reality may be unpleasant, but you ignore it at your peril. Pending a universal uptick in human adherence to high ethical standards, we have to live with the fact that going on the attack in cyberspace is an available option for any disgruntled person, company, government, or terrorist.

Suppose you are the world’s best known website in the “affair facilitation” category. Your business model is to make it very easy for people to create accounts, even fake accounts in another person’s name. At the same time you make it difficult and costly for people to quickly and completely erase their accounts. Allegedly, that was the case at AshleyMadison. People got upset about this business model and apparently one or more of them hacked the company’s databases to show how upset they were and make a point.

Of course, another and bigger point was also made by that hack, and the earlier breach at Adult Friend finder: don’t trust anyone with any details of your life, or business, that you want to keep secret, not unless you have made sure they know how to keep secrets. Despite a logo that suggests discretion, and a big incentive to provide user confidentiality, it seems AshleyMadison could not keep millions of secrets. An alternative strategy is to be open and transparent about everything you do and trust that your fellow human beings will be universally understanding. We may get there one day, but for now it pays to think twice before sharing secrets in digital form, regardless of what those secrets are, and particularly if they include deals and deeds that you’ve done but don’t want anyone to know about.

Disastrous incident response preparedness

As firms like Sony and Hacking Team have discovered, disasters do happen. Unless you live a charmed life, it is pretty much inevitable that things will, at some point, go wrong for your organization. Therefore your organization needs to: a) try to reduce the chances that things will go wrong, and b) be prepared to respond when they do. Let’s forget Internet hacks and SYN flood attacks for a moment and think about old-fashioned water-based flooding. Suppose your offices are on a high floor in a high rise building located on a hill. You might think you are immune to flooding. Then a flood takes out the local water works, cutting the supply of water to your building’s air conditioning. That’s what happened in Des Moines, Iowa, in July of 1993. And that’s why the temperature inside the offices of insurance giant Principal Financial got unbearable (remember, it was July, and although there is no legal requirement to keep employees cool at work, there is a business need to keep computers cool). The company was forced to temporarily relocate operations for several weeks (there is now a huge cistern of “backup water” in that building).

The point is that your organization needs to be able to respond effectively to adverse incidents, regardless of their origin. This is the art and science of incident response and incident management. Hopefully your organization already has an incident response plan. But does that plan document what should happen if the company is hacked and secrets are revealed? Who is allowed to talk to the media? What are they allowed to say? How will you characterize your attackers? And so on.

Incident response is difficult to get right at the best of times but you will get some slack from customers, partners, and employees, largely in proportion to the unlikeness of the disaster (for example, a meteor strike on your data center). But goodwill may drop off drastically if people feel your organization “should have seen this coming”. The more we learn about conversations that took place in the months before the Sony Picture hack, the clearer it becomes that releasing a movie which graphically depicts the assassination of a head of state, even a very nasty one, was quite likely to draw fire.

Let’s return to the watery analogies. If there is a storm coming when you’re at sea you batten down the hatches. If you’re a company whose entire output can be contained in a collection of digital files, you batten down the firewalls, and a whole lot more. You review your email folders for potentially damaging messages that could come to light if the barbarians breach the firewalls or internal security (messages which, quite frankly, should not have been sent or stored in email to begin with). In hindsight, a plan to keep secrets to a minimum to reduce the potential for damaging leaks would have been a good idea. Does your organization need one? Before you come under fire is the best time to ask that question, and to check the current state of your encryption, authentication, malware protection, and disaster recovery.

Watch the webinar

I recently discussed many of these topics in a webinar. The recorded version is below. I hope you find it useful. Feel free to leave a comment if you think I missed important stuff, or if you think I got things wrong..Note that there are many more recorded webinars on a range of security topics on the ESET Brighttalk channel.

Note: You may be asked to register to watch, but there is no charge, and you only have to register once to see a whole bunch of security webinars recorded by myself and my fellow researchers.