Information Security Matters
Eating Crow With a Tasty Sauce

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersinc.com.

ISACA JOURNAL VOLUME 6, 2011
In my last article in this space (“The Train of Danger,” volume 5, 2011), I wrote, “Perhaps it would be more accurate to say that, as of now, only governments or organizations sponsored by governments have those skills” needed to execute cyberattacks. Within days of sending in my submission, the news of the day showed that I was, ahem, not completely accurate.

In rapid order, the media announced that:
• The US Federal Bureau of Investigation arrested the members of a group called Anonymous for hacking PayPal.[1] According to Wired magazine, the same group had also attacked Visa and MasterCard.[2]
• A group in the UK calling itself LulzSec claimed responsibility for a string of attacks on web sites belonging to News Corp.[3]
• News Corp. was in the middle of a hacking controversy of its own, in which it was alleged that its newspaper News of the World had hacked numerous mobile phone accounts.[4]
• WikiLeaks released thousands of US diplomatic documents.[5]

So, enterprises other than governments have the ability to do some serious damage electronically—my turn to eat crow. At the same time, this opens up a somewhat semantic, but nonetheless important, distinction among the terms “hacking,” “cyberattack,” “hacktivism” and “cyberwar” that I would like to probe a bit.
Hacking

Hacking is a threat to all companies that have a presence on the Internet, which, in effect, means all companies. The list of companies whose web sites have been defaced or whose firewalls have been penetrated is too long to include here. Not to minimize the reality of such attacks, but the fact remains that they mostly fall into the category of nuisances, not existential threats to the organizations affected. I cannot recall a news story on the order of “Company X Hacked, Goes Broke.”

Moreover, the safeguards to protect against straightforward hacking are well known. Firewalls, access controls and encryption are the leading tools in security professionals’ armories. The fact that hacks succeed anyway indicates that many organizations do not take the threat seriously enough to implement the countermeasures adequately, or that perhaps they are not willing to invest sufficient funds to deter what their managements consider to be nuisances, a cost of doing business. Another factor is that, in too many cases, the controls are used with enough exceptions that their utility is questionable. How many times each day can a firewall be lowered to permit certain activities before it is more of a phantom safeguard than a real one?
Cyberattacks

Of course, there are attacks on information systems that go beyond annoyances. There are companies that have suffered real economic harm and whose security, or lack thereof, has created lasting damage. Some have been victimized by thefts. For example, earlier this year, hackers penetrated Sony’s PlayStation Network and brought the network down for at least five days.[6] Worse, the hack exposed the credit card information of 77 million Sony customers.[7] Credit card information has significant value in underground markets, thereby spreading the damage widely beyond the initial target of a hack.

Clearly, external misuse of information systems is a problem that has plagued businesses and governments since the advent of the Internet, if not computers themselves, and, sad to say, it is a problem that is unlikely ever to go away. What seems to have changed is the ingenuity of the hackers and the power of the tools they employ. Organizations are being attacked by criminals. Just because the criminals use computers and networks does not make them any different from racketeers who have been undermining the safety of business for as long as there has been business.

It would be unfair, in my opinion, to say that no one is safe. There is always risk; there will always be bad guys seeking to exploit the vulnerabilities of the good guys. As a society, we need to recalibrate what “usual and customary” controls should be to make the odds better for organizations and individuals.
Hacktivism

Hacktivists are a threat of a different order. They are not attacking organizations’ systems for the “fun,” such as it is, that lies in simple vandalism, nor are they necessarily stealing for economic gain. They have a cause that they are trying to promote, and they strike out at businesses and government agencies that they feel are doing harm to society. While criminals can be deterred when enterprises make the cost of an attack too high to justify the potential gains, hacktivists are spurred on by a sense of justice denied that seemingly has no economic barriers. One commentator has defined the difference: “With the rise of hacktivism, now the people who break into you tell you they break into you.”[8]

Members of the Anonymous group portray themselves as hacktivists. If there is any good to be found in the response to their exploits, it may be the improvement in security at security-related organizations. For example, security companies such as RSA and ManTech International have been victimized and have promised to tighten their own security.[9]
Cyberwar

“Hacktivism” is a relative term. Those who undermine the information systems of corrupt regimes are thought by many to be freedom fighters. As I said in my previous column, I question whether individuals, no matter how tech-savvy, can successfully take on the power of a government. Similarly, I now believe that only governments have the technology and funding to attack other governments, and recent history has shown that they are preparing to do so.

Very few—if any—businesses are prepared to prevent losses incurred in a war. That is why acts of war are usually excluded from insurance coverage. Governments owe it to their citizens to protect their businesses and government agencies from warfare. One can only hope that those governments that are considered democratic (or if not democratic, at least just) are doing as much to protect their own interests as they are to attack the systems of other countries.
Security needs to be attuned to the actual and potential threats to assets at risk. I propose that there are different threats posed by vandals, criminals, rebels and war-makers, and that the level and content of preparedness and response
need to be adjusted accordingly. No organization can claim to be immune from all these categories of information system misuse, but the reality of the risk does differ from business to business. IT managers, including information security professionals, need to think beyond technology and consider such arcane areas as sociology, criminology and geopolitics if they want to prepare their organizations for all the threats that they face.
Endnotes

1. Sengupta, Somini; “16 Arrested as FBI Hits the Hacking Group Anonymous,” The New York Times, 19 July 2011
2. Zetter, Kim; “Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More,” Wired, 19 July 2011
3. Bilton, Nick; “Lulz Security Says It Hacked News Corporation Sites,” The New York Times, Bits, 18 July 2011, http://bits.blogs.nytimes.com/2011/07/18/lulz-security-says-it-hacked-news-corporationsites/?scp=3&sq=LulzSec&st=cse
4. New York Times, “British Phone Hacking Scandal,” Topics, 6 September 2011, http://topics.nytimes.com
5. Hosenball, Mark; “WikiLeaks Publishes Tens of Thousands More Cables,” Reuters.com, 25 August 2011, www.reuters.com/article/2011/08/26/us-wikileaksidUSTRE77O7PZ20110826
6. Bilton, Nick; “Sony PlayStation Network Still Down After Attack,” The New York Times, Bits, 25 April 2011, http://bits.blogs.nytimes.com/2011/04/25/sony-playstationnetwork-hacked. There is some indication that the attack may also have come from the Anonymous group or one of its members.
7. Bilton, Nick; “How Credit Card Data Is Stolen and Sold,” The New York Times, Bits, 3 May 2011, http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold
8. Sengupta, Somini; “Guardians of Internet Security Are Targets,” The New York Times, 4 August 2011
9. Ibid.