Information Security Matters
Eating Crow With a Tasty Sauce

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersinc.com.

ISACA JOURNAL VOLUME 6, 2011

In my last article in this space (“The Train of Danger,” volume 5, 2011), I wrote, “Perhaps it would be more accurate to say that, as of now, only governments or organizations sponsored by governments have those skills” needed to execute cyberattacks. Within days of sending in my submission, the news of the day showed that I was, ahem, not completely accurate. In rapid order, the media announced that:

• The US Federal Bureau of Investigation arrested the members of a group called Anonymous for hacking PayPal.[1] According to Wired magazine, the same group had also attacked Visa and MasterCard.[2]
• A group in the UK calling itself LulzSec claimed responsibility for a string of attacks on web sites belonging to News Corp.[3]
• News Corp. was in the middle of a hacking controversy of its own, in which it was alleged that its newspaper News of the World had hacked numerous mobile phone accounts.[4]
• WikiLeaks released thousands of US diplomatic documents.[5]

So, enterprises other than governments have the ability to do some serious damage electronically—my turn to eat crow. At the same time, this opens up a somewhat semantic, but nonetheless important, distinction among the terms “hacking,” “cyberattack,” “hacktivism” and “cyberwar” that I would like to probe a bit.

Hacking

Hacking is a threat to all companies that have a presence on the Internet, which, in effect, means all companies.
The list of companies whose web sites have been defaced or whose firewalls have been penetrated is too long to include here. Not to minimize the reality of such attacks, but the fact remains that they mostly fall into the category of nuisances, not existential threats to the organizations affected. I cannot recall a news story on the order of “Company X Hacked, Goes Broke.”

Moreover, the safeguards to protect against straightforward hacking are well known. Firewalls, access controls and encryption are the leading tools in security professionals’ armories. The fact that hacks succeed anyway indicates that many organizations do not take the threat seriously enough to implement the countermeasures adequately, or that perhaps they are not willing to invest sufficient funds to deter what their managements consider to be nuisances, a cost of doing business. Another factor is that, in too many cases, the controls are used with enough exceptions that their utility is questionable. How many times each day can a firewall be lowered to permit certain activities before it is more of a phantom safeguard than a real one?

Cyberattacks

Of course, there are attacks on information systems that go beyond annoyances. There are companies that have suffered real economic harm and whose security, or lack thereof, has created lasting damage. Some have been victimized by thefts. For example, earlier this year, hackers penetrated Sony’s PlayStation Network and brought the network down for at least five days.[6] Worse, the hack exposed the credit card information of 77 million Sony customers.[7] Credit card information has significant value in underground markets, thereby spreading the damage widely beyond the initial target of a hack.

Clearly, external misuse of information systems is a problem that has plagued businesses and governments since the advent of the Internet, if not computers themselves, and sad to say, it is a problem that is unlikely ever to go away.
What seems to have changed is the ingenuity of the hackers and the power of the tools they employ. Organizations are being attacked by criminals. Just because the criminals use computers and networks does not make them any different from racketeers who have been undermining the safety of business for as long as there has been business. It would be unfair, in my opinion, to say that no one is safe. There is always risk; there will always be bad guys seeking to exploit the vulnerabilities of the good guys. As a society, we need to recalibrate what “usual and customary” controls should be to make the odds better for organizations and individuals.

Hacktivism

Hacktivists are a threat of a different order. They are not attacking organizations’ systems for the “fun,” such as it is, that lies in simple vandalism, nor are they necessarily stealing for economic gain. They have a cause that they are trying to promote, and they strike out at businesses and government agencies that they feel are doing harm to society. While criminals can be deterred when enterprises make the cost of an attack too high to justify the potential gains, hacktivists are spurred on by a sense of justice denied that seemingly has no economic barriers. One commentator has defined the difference: “With the rise of hacktivism, now the people who break into you tell you they break into you.”[8]

Members of the Anonymous group portray themselves as hacktivists. If there is any good to be found in the response to their exploits, it may be the improvement in security at security-related organizations. For example, security companies such as RSA and ManTech International have been victimized and have promised to tighten their own security.[9]

Cyberwar

“Hacktivism” is a relative term. Those who undermine the information systems of corrupt regimes are thought by many to be freedom fighters.
As I said in my previous column, I question whether individuals, no matter how tech-savvy, can successfully take on the power of a government. Similarly, I now believe that only governments have the technology and funding to attack other governments, and recent history has shown that they are preparing to do so.

Very few—if any—businesses are prepared to prevent losses incurred in a war. That is why acts of war are usually excluded from insurance coverage. Governments owe it to their citizens to protect their businesses and government agencies from warfare. One can only hope that those governments that are considered democratic (or if not democratic, at least just) are doing as much to protect their own interests as they are to attack the systems of other countries.

Security needs to be attuned to the actual and potential threats to assets at risk. I propose that there are different threats posed by vandals, criminals, rebels and war-makers, and that the level and content of preparedness and response need to be adjusted accordingly. No organization can claim to be immune from all these categories of information system misuse, but the reality of the risk does differ from business to business. IT managers, including information security professionals, need to think beyond technology and consider such arcane areas as sociology, criminology and geopolitics if they want to prepare their organizations for all the threats that they face.
Endnotes

1 Sengupta, Somini; “16 Arrested as FBI Hits the Hacking Group Anonymous,” The New York Times, 19 July 2011
2 Zetter, Kim; “Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More,” Wired, 19 July 2011
3 Bilton, Nick; “Lulz Security Says It Hacked News Corporation Sites,” The New York Times, Bits, 18 July 2011, http://bits.blogs.nytimes.com/2011/07/18/lulz-security-says-it-hacked-news-corporationsites/?scp=3&sq=LulzSec&st=cse
4 New York Times, “British Phone Hacking Scandal,” Topics, 6 September 2011, http://topics.nytimes.com
5 Hosenball, Mark; “WikiLeaks Publishes Tens of Thousands More Cables,” Reuters.com, 25 August 2011, www.reuters.com/article/2011/08/26/us-wikileaksidUSTRE77O7PZ20110826
6 Bilton, Nick; “Sony PlayStation Network Still Down After Attack,” The New York Times, Bits, 25 April 2011, http://bits.blogs.nytimes.com/2011/04/25/sony-playstationnetwork-hacked. There is some indication that the attack may also have come from the Anonymous group or one of its members.
7 Bilton, Nick; “How Credit Card Data Is Stolen and Sold,” The New York Times, Bits, 3 May 2011, http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold
8 Sengupta, Somini; “Guardians of Internet Security Are Targets,” The New York Times, 4 August 2011
9 Ibid.