Hacktivism and the lessons learned from LulzSec
What can be done to prevent future cyber disasters? By Rob Rachwald, director of security strategy, and Noa Bar Yosef, senior security strategist, at Imperva
The recent hacking spree by LulzSec has helped make hacktivism a household term. Although hacktivism is nothing new, it has undergone a rapid evolution that is driven and inspired by criminal, for-profit hacking. The LulzSec team leveraged the methods and technologies used by private hackers to steal data and sell it on the black market. During the Cold War, we witnessed how military advances drove the private sector, especially in aviation. Today’s robust criminal hacking industry has likewise helped drive hacktivism.
Understanding how LulzSec could thrive requires an understanding of how criminal hacking operates. The Digital Age has created a huge, global black market for data. Today, mature online exchanges exist that resemble eBay in structure, only their focus is selling personal and corporate data of all kinds. Cumulatively, McAfee estimates this market at $1 trillion.
Of course, governments use hacking as a weapon, too. Hacking has enabled a new cold war with data theft as its objective.
How are attacks executed? They’re almost entirely automated. Online collaboration has inspired a cyber crime ‘industrial revolution’ in which attacks are automated and massive in scale. Research indicates that automated cyber attacks pollute between 40 and 50 percent of internet traffic.
The worst news? The good guys will always be behind the curve, since hackers, by definition, are early adopters. Hacker forums, for instance, exemplify the spirit of web-based collaboration and education, offering a rich menu of tutorials, advice and technology designed to steal data. Analysis of one forum, with 210,000 registered hackers, showed that approximately 25 percent of discussions were focused on hacking tutorials and techniques, ensuring a consistent supply of expertise.
The Lessons from LulzSec
This episode highlights today’s new reality: cyber attacks have become extraordinarily dangerous. And it’s a global issue. All around the world, governments are facing the same challenge – building a national cyber-security strategy to protect their citizens and businesses.
What can be done to prevent a future cyber disaster?
1. Centralizing all Internet communications of government organizations in one pipe under a single authority. Centralizing communications steals a page from China’s ‘Great Firewall’: a single pipe controlled by one entity. Whereas the Chinese use this control to limit legitimate traffic, the same control can also greatly help limit bad traffic. For instance, when Agency A is attacked from address B, this information can be propagated almost instantly to all other branches. Today, attack traffic comes from many known toxic sources; the challenge is to share this information quickly.
Also, governments should put in place an authority whose responsibility is two-fold: first, to create robust monitoring and attack detection capabilities. These capabilities should span all communication layers, and in particular the application layer. Second, the authority should set security standards that bind any government-affiliated organization when it adds new public-facing connections.
2. Protecting national communication backbones against denial-of-service attacks. Denial of service attacks are often the first attack of choice. Blunting them means:
3. Engaging in a comprehensive and ongoing risk management process. National infrastructure systems (e.g. traffic control, train systems, and power grids) should first be evaluated according to their potential risk. The second step is a thorough technical evaluation of the security posture of the systems involved. Any further investment in protective controls should be guided by the results of the risk assessment process, directing resources at the systems that are at highest risk or that have the weakest security posture.
4. Focusing on the data and applications. Citizen and military data are national assets. Governments should also ensure that this data, whether it is account numbers, health information or other Personally Identifiable Information (PII), is securely stored. This means defining exactly what constitutes sensitive data and establishing requirements for security controls. It should also take into account Intellectual Property (IP). The perpetrators of IP theft are often business competitors and nation-states, and since the victimized companies will require the assistance of their country, they should therefore be obliged to adhere to compliance standards.
One lesson from the recent LulzSec hacking spree was how many organizations failed to properly secure databases and applications. Fundamentally, LulzSec was a team of hackers focused on breaking applications and databases; there were no virus or malware experts among them. They stole data from the FBI, PBS and Sony, to name a few victims. This episode should bring attention to the fact that the center of gravity has shifted from firewalls and anti-virus to applications and databases. For security, this does not just mean “we have updated our anti-virus and put in place a network firewall.” Rather, it also means “we have identified all sensitive data and have put in place technology with the audit and protection capabilities required to safeguard that data.”
5. Performing hacker intelligence. Analyzing hacker activity, such as hacker tools, attack origins, and attractive targets, enables the authority to detect substantial attack campaigns against national computer systems in a timely manner. Based on this data, the authority can also guide the creation of proper defence mechanisms.
But to be broadly effective, cyber ‘moles’ will be an essential tool against hackers. Perhaps it’s time to hit the accelerator on this approach.
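The two mechanisms described under items 1 and 5, propagating an attacking source address from one agency to all other branches and spotting a campaign when the same source hits several branches, can be sketched as a small central-authority service. The following is an added illustrative example, not code from the article or from Imperva; the agency names, the RFC 5737 documentation addresses, the 24-hour expiry, the one-hour campaign window and the three-agency threshold are all constructed assumptions.

```python
"""Shared attack-source intelligence across government branches.

Added illustrative example, not code from the article or from Imperva.
It assumes each branch reports (timestamp, branch, source address, attack
type) tuples to a central authority; the authority propagates a blocklist
with expiry and flags a campaign when one source hits several branches
within a short window. Names, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports (RFC 5737 documentation addresses, not real attackers).
SAMPLE_REPORTS = [
    ("2011-07-13T09:00:00", "agency-a", "203.0.113.7", "sqli"),
    ("2011-07-13T09:02:00", "agency-b", "203.0.113.7", "sqli"),
    ("2011-07-13T09:05:00", "agency-c", "203.0.113.7", "sqli"),
    ("2011-07-13T09:10:00", "agency-a", "198.51.100.23", "scan"),
    ("2011-07-13T11:30:00", "agency-b", "198.51.100.23", "scan"),
    ("2011-07-13T10:00:00", "agency-d", "192.0.2.44", "bruteforce"),
]


def parse_ts(value):
    """Accept either an ISO-8601 string or a datetime."""
    return value if isinstance(value, datetime) else datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


class SharedBlocklist:
    """Central authority view: every reported source is shared with all
    branches immediately; a source seen by `campaign_threshold` distinct
    branches inside `window` is escalated to a campaign."""

    def __init__(self, ttl=timedelta(hours=24), window=timedelta(hours=1),
                 campaign_threshold=3):
        self.ttl = ttl
        self.window = window
        self.campaign_threshold = campaign_threshold
        self.expires = {}                   # source -> datetime when the block lapses
        self.sightings = defaultdict(list)  # source -> [(ts, agency, kind)]
        self.campaigns = {}                 # source -> set of agencies it hit

    def ingest(self, ts, agency, source, kind):
        ts = parse_ts(ts)
        self.sightings[source].append((ts, agency, kind))
        # Share immediately: block for `ttl` after the most recent sighting.
        current = self.expires.get(source)
        if current is None or ts + self.ttl > current:
            self.expires[source] = ts + self.ttl
        # Campaign detection: distinct agencies hit within `window` of this sighting.
        recent = {a for (t, a, _) in self.sightings[source] if abs(ts - t) <= self.window}
        if len(recent) >= self.campaign_threshold:
            self.campaigns[source] = recent | self.campaigns.get(source, set())

    def is_blocked(self, source, now):
        """What a branch asks when a connection arrives from `source`."""
        now = parse_ts(now)
        expiry = self.expires.get(source)
        if expiry is None:
            return False
        if now >= expiry:
            # Expired entry: drop it so stale sources are not blocked forever.
            del self.expires[source]
            return False
        return True

    def campaign_sources(self):
        return sorted(self.campaigns)


def build_from_reports(reports=SAMPLE_REPORTS):
    """Replay reports in time order, as the authority would receive them."""
    bl = SharedBlocklist()
    for ts, agency, source, kind in sorted(reports, key=lambda r: parse_ts(r[0])):
        bl.ingest(ts, agency, source, kind)
    return bl


if __name__ == "__main__":
    bl = build_from_reports()
    print("campaign sources:", bl.campaign_sources())
    for src in sorted(bl.expires):
        print(src, "blocked at 12:00 on 13 July:", bl.is_blocked(src, "2011-07-13T12:00:00"))
```

Replaying the constructed reports, 203.0.113.7 hits three agencies within five minutes and is escalated to a campaign, 198.51.100.23 hits two agencies more than an hour apart and stays an ordinary shared entry, and every entry lapses 24 hours after its last sighting so that a source which has moved on is not blocked indefinitely.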
6. Creating processes and tools for analyzing information. Receiving data from the private sector, and especially from network carriers, can enrich the data analyzed by the authority’s hacker intelligence. Further collaboration can include detecting attacks that originate within the country and rooting out the compromised machines on a regular basis.
Date: 13th July 2011 • Region: World • Type: Article • Topic: ISM