A virtual game of cat and mouse

Nothing in the cyber-security sector ever comes as a surprise: hackers make merry, companies cry poor and the infosec arms race continues unabated.

Nothing in the cyber-security sector ever comes as a surprise. Hackers make merry, companies cry poor and the cyber cat-and-mouse game continues unabated.

Media organisations under siege and Google’s Android platform a magnet for malware: these are, simply put, the latest manifestations of what happens behind the scenes daily.

The Syrian Electronic Army is the latest actor to take centre stage with its brazen attack on the New York Times, Twitter and Huffington Post. With Melbourne IT implicated as the weak link in the security perimeter, the cyber-security merry-go-round will spin around for a few days. Whether the attention, which will inevitably wane, actually prompts better security practices within organisations is debatable.

The SEA’s motivations may be abstract but it has at least highlighted the significant deficiencies still present, which frankly make the job of hackers much easier than it needs to be.

When a simple “spear phishing” attack is enough to crack open the registries of such vaunted internet properties as the New York Times and Twitter, then there is a problem somewhere.

Securing the architecture

Securing the architecture of the internet is a complex proposition, and with multiple actors and myriad motivations in play, the threat landscape remains as obscure as ever.

The one constant, however, is the appetite for financial gain, which still motivates hackers to seek out the low-hanging fruit strewn across the internet. But media organisations are increasingly becoming a bigger target. The Financial Times, Associated Press and the New York Times (twice) have all been hit this year. The hacktivism trend, galvanised by Wikileaks and Anonymous in the last couple of years, puts motivation in a new perspective.

Hacking as a tool to foment dissent, or drive a political agenda is now just as lucrative as stealing customer passwords or pilfering trade secrets. It adds an intriguing dimension to the tug of war between hackers, organisations and security vendors.

McAfee’s CTO Asia Pacific, Mike Sentonas, says that most attack campaigns are naturally clandestine but hackers are quick to exploit new opportunities to make easy money and follow the trail of any trend that gets the internet excited.

Bitcoin bullseye  

The recent interest in Bitcoin is a good case in point. McAfee’s second quarter threat report highlights this trend with a significant spike in Distributed Denial of Service (DDoS) attacks on Bitcoin exchanges following the sudden activity in the cyber-currency industry as the value hit record highs.

The recent legitimacy accorded to Bitcoin has made it an attractive target and in a way propels it away from the anonymity and the mystique that virtual currencies like Bitcoin revel in.

Sentonas says the biggest concern is the number of apps, such as the Bitcoin wallet services, that are potentially vulnerable when it comes to security.

“These apps provide great functionality and are a great feature but they often have weak security and with insecure private keys managing these wallets, that’s an amazing motivation for cyber criminals,” Sentonas says.

Securing the weakest link

Whether it’s Bitcoins or spear phishing, when outfits like the SEA make a splash they highlight the porosity of the current security strategies in place within organisations.

This isn’t just about services procurement and network visibility. It’s about building a robust security culture within an organisation that mitigates the weakest link – human error. The biggest challenge today isn’t the technology, it’s education, and we are making it just too easy for the hackers. Poorly configured firewalls and the use of single-factor authentication are just some of the simple mistakes that leave the door open for attackers.

Sentonas is a big fan of the directives provided by the Australian Signals Directorate (ASD). The four steps provided by ASD are application whitelisting, patching applications and operating systems and using the latest versions, and minimising administrative privileges.

This practical primer is absolutely essential reading and is the platform on which any education strategy should be based.

Organisations need to appreciate that every bit of data is valuable. They need to know where the data is kept, how it’s kept and how secure the security architecture is. Now this may not be the most emotive of messages to spread across the workplace but developing a security culture will require a way to distil the information in a simple, more practical manner.

“Everybody has valuable information and organisations need to understand what would motivate an attacker to target their network and how easy it would be for them to break in,” Sentonas says.

“If you haven’t role played then I can guarantee you someone else has.”