Saturday, December 31, 2011

2011 - Year of the HACK and DATA Breaches

This year’s headlines have been made up of data breaches, hacks, APT attacks, and mergers and acquisitions.

Like a sleeper agent, it embeds itself in key industrial systems and waits, gathering intelligence and biding its time. It studies design documents to find weak spots for future attacks that could bring a nation to its knees.

That is how US security firm Symantec describes the newly discovered Duqu worm in its report ‘W32.Duqu: The precursor to the next Stuxnet’.

Duqu is based on the sophisticated Stuxnet worm that shut down an Iranian nuclear fuel processing plant and set back its nuclear program by years. Duqu has so far infected industrial systems in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam.

While at this point Duqu is only able to gather intelligence, Symantec judges that it is “essentially the precursor to a future Stuxnet-like attack” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.

The discovery of Duqu was a major security event in 2011; not exactly because of the effect that the worm has had, but for its potential. Duqu signals a growing trend of malware developed not to steal identities and profit financially, but to disable and destroy critical infrastructure – the life blood of modern society.

News of Duqu was followed by a report, since shown to be mistaken, of a malware attack on a US water utility network that destroyed the industrial control system of a key water pump.

Destruction of critical infrastructure has been the elephant in the room for the information security profession. Many recognize the danger, but it is seen as too esoteric and remote to worry about. It is someone else’s (i.e., the government’s) problem.

But if major critical infrastructure collapses from a cyberattack, whether your boss’s iPad makes the company’s network less secure is not going to matter all that much.

Cyber Wasteland

From the mega breach at Sony to the annoying self-righteous breaches perpetrated by Anonymous et al., 2011 was a wasteland of data loss.

In March, RSA – the company that ensures its elite customers are water-tight – sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.

In an open letter to RSA customers, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” (APT) attack had extracted valuable information related to its SecurID two-factor authentication product used by remote workers to securely access their company’s network.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello said.

Coviello, it turned out, was wrong about this assumption, as numerous SecurID token customers – including US defense giant Lockheed Martin – reported attacks resulting from the RSA breach. In an effort to limit the damage, RSA agreed to replace the tokens for its key customers.

In response to the RSA breach, APT became the new catchword for cyberattacks. “It’s not our fault our networks were breached and our data stolen, it was an APT. What could we do?”, whined many companies in the ‘year of the breach’.

April was the Cruelest Month

April was indeed a cruel month for Sony, which admitted that hackers had gained access to names, addresses, email addresses, birth dates, passwords and IDs for over 100 million PlayStation Network, Qriocity, and Online Entertainment customers.

The massive size of the breach, as well as the delay in informing customers, attracted the attention of the US Congress. A House Commerce Committee panel held a hearing on the breach, but Kazuo Hirai, chairman of Sony Computer Entertainment America, declined to appear.

Panel chairman Mary Bono Mack (R-Calif.) criticized Sony for the delay in informing its customers of the data breach and the manner of notification through its blog. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”

More Breaches!

Marketing firm Epsilon had a breach of its extensive database, which contained the names and emails of customers at such high-profile partners as BestBuy, Walgreens, Marriott, Lacoste, Marks & Spencer, JP Morgan Chase, Barclays, Citibank, US Bank, and Capital One.

While Epsilon initially downplayed the breach, its partners could not. They began issuing warnings to millions of their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses. Reuters put a $100 million price tag on the incident, which falls directly on Alliance Data Systems, Epsilon’s parent company.

And for much of 2011, Anonymous and its offspring were claiming credit for what seemed like a breach a week – in the name of improving security by showing how incredibly bad many organizations’ information security really is.

Not with a Whimper, but a Bang

In the arena of mergers and acquisitions, 2011 started off with a bang, with Dell’s acquisition of SecureWorks, an Atlanta-based security-as-a-service provider with 3,000 clients worldwide, and Verizon’s $1.4 billion purchase of Terremark, a Miami-based managed IT infrastructure and cloud service provider with advanced security offerings.

Also early in the year, Sourcefire bought Immunet, a cloud-based anti-malware startup, for $21 million, and Google agreed to acquire Zynamics, a Germany-based forensic specialist, for an undisclosed consideration.

In April, storage giant EMC acquired NetWitness, a Herndon, Va.-based network monitoring specialist, and added it to RSA. While the purchase price was not disclosed, some estimates put the price tag as high as $500 million. Too bad RSA did not have network monitoring in March!

After the April showers, there was a spurt of acquisition activity in May. In that month, Symantec acquired Clearwell Systems, a provider of e-discovery, data archiving, and data backup products, for $390 million, augmenting its information management and governance portfolio.

In addition, cloud provider VMware purchased Shavlik Technologies, a Minnesota-based patch management and cloud-security firm; Thoma Bravo bought Tripwire, a Portland, Ore.-based network security firm; and Sophos acquired Astaro, a Germany-based private network security firm.

Other noteworthy information security acquisitions in 2011 included: IBM’s purchase of Q1Labs, a Waltham, Mass.-based provider of security event and log management software; McAfee’s purchase of NitroSecurity, a Portsmouth, N.H.-based security information and event management firm; and Check Point’s acquisition of Dynasec, an Israeli-based governance, risk, and compliance firm.

“Prediction is very difficult, especially about the future.”

Despite the wisdom of those great minds, I will venture to make some predictions for 2012. First, I predict that the world will not end. If I’m wrong about that, then no need to read further.

Certainly, Stuxnet, Duqu, and their heirs will increasingly plague governments, critical infrastructure operators, and information security professionals. It’s time to take these threats as seriously as the mundane security problems of everyday life in the 21st century.

The explosion of mobile device use, particularly in the workplace, will increasingly concern information security staffs for years to come. Malicious mobile malware has become widespread, and this trend is likely to accelerate.

Enterprises will have to come to grips with social media, particularly as cybercriminals find it a fertile ground for mischief. Should employees be banned from using it at work or is it the next great efficiency tool? The answer is: Yes.

Of course, the cloud – companies will likely accelerate cloud adoption to improve the bottom line, while security professionals will struggle with the implications of giving up control over key corporate information assets.

And the boldest prediction of all: there will be more data breaches in 2012.
