BreachExchange mailing list archives

Will Your Site be Hacked on Nov. 5?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 3 Nov 2013 23:05:02 -0700

http://www.govtech.com/data/Will-your-site-be-Hacked-on-Nov-5.html

The clocks are ticking down and the masks have been gathered for Nov. 5, a
day now unavoidably associated with the hacker group Anonymous and their
momentary but memorable acts of civil disobedience.

Anonymous and its members have been linked to multiple attacks on that date
since the international network of hackers and activists was established in
the early 2000s. The group’s targets have ranged from various industries to
religious denominations and government organizations. And as such, CIOs and
security officers are on watch.

Jerry Irvine, CIO and IT and security expert at Prescient Solutions and a
member of the National Cyber Security Task Force, has been focused on the
attacks for years. He says they are part of a trend toward more
sophisticated attacks.

“The distributed nature of cyberattacks today is really different than it’s
been,” Irvine said. “They’re no longer being performed by individuals, or
‘script kiddies,’ but rather by organizations, city states and political
groups like Anonymous.”

Just like Anonymous, Irvine is taking advantage of the day, but in the
opposite direction: to call attention to a few tips that agencies can use to
protect their data and digital networks.

1. NOV. 5 TRANSLATES TO A DOUBLE CHECK

For those brushing up on their cyberhistory, Nov. 5 commemorates Britain’s
Gunpowder Plot of 1605, a.k.a. Guy Fawkes Day, when a band of
revolutionaries nearly blew up the Houses of Parliament. Hackers now use
the date as a vehicle for political mischievousness, and Irvine says this
means it’s time for agencies to double check their information security
measures.

Irvine recommends a review of current security measures, allocating some
time to make sure the latest software updates are in place and functioning
properly. But he cautions against knee-jerk reactions or hasty security
add-ons.

“Cybersecurity must be baked into the platform, infrastructure and
application environments at the time of concept and implemented throughout
the entire development and implementation life cycle,” Irvine said.

He advises agencies to conduct detailed, periodic cybersecurity system
tests throughout the year that are performed both by in-house and
independent third-party specialists.


2. COLLABORATION IS KEY

Cybersecurity is a moving target. There are no one-time fixes, one-time
security plans or one-time software purchases that will permanently keep
data safe and IT infrastructure protected. In today’s digital world, most
people understand this. What many overlook, Irvine said, is the need to
invest not just in software and hardware protection but in the
cybersecurity community.

“Organizations should be involved within their community and industry’s
cybersecurity collaboration organizations to be kept updated on current
threats,” Irvine said.

As examples, Irvine listed InfraGard, the FBI’s support organization for
businesses, and the nonprofit Multi-State Information Sharing and Analysis
Center, which is dedicated to government collaboration against cyber
threats.

He also suggested developing a familiarity with tips and tools provided on
the DHS site us-cert.gov, or the United States Computer Emergency Readiness
Team, and nist.gov, the National Institute of Standards and Technology,
operated by the US Department of Commerce.


3. IDENTIFY AND LIMIT ACCESS

Security access isn’t just about deciding which user gets to see what,
Irvine said. It’s also about how data is accessible to specific devices
such as outside computers and mobile devices.

“End point devices (the electronic devices where data is finally delivered)
should be limited in what they’re able to take away from sensitive data and
information systems,” Irvine said.

The push to make many types of government data more accessible complicates
access control, Irvine said, because it can require organizations to open
their security firewalls. That can create vulnerabilities if agencies don't
change their security approach.

“It’s like cutting holes in the fence,” Irvine said. “What has to happen is
a completely different mindset of security, a move from perimeter-based
solutions to data-centric solutions.”

Data-centric solutions focus on protecting specific data types instead of
safeguarding the entry points to where data is located, he said. Examples
of data-centric protection techniques include virtual data environments and
representations of data information versus complete access.


4. CLASSIFY DATA

This technique is like teaching a new dog an old trick. For years, larger
government entities have classified data and limited access based on need.
But now Irvine says it’s smart and in some cases absolutely critical for
smaller governments to begin the practice.

“To do this, smaller government entities need to classify access and
degrees of sensitivity for each set of information and data,” Irvine said.
“And it’s not just financial data but intellectual property too.”

Personal contact information and anything that personally identifies
employees must be included in this list, he added.


5. PICK UP THE PIECES

In some cases, it may be too late to prevent an attack. If this happens,
Irvine says it’s all about damage control and analysis. If an attack is
detected, IT security teams must do whatever it takes to halt the breach
and attempt to do as much forensic analysis as possible. This might mean
isolating a system or even a full shutdown.

“As much forensic information as possible should be retained to enable
systems professionals to define the source of the breach and potential
opportunities to mitigate these from happening in the future,” Irvine said.


6. CREATE A SECURITY BUDGET

As a final note, Irvine said it’s important to remember that information
security rarely comes cheap. The growing need for greater security, Irvine
said, requires funding as much as it does technical know-how so
organizations don’t find themselves beneath the cybersecurity poverty line.

“The bottom line is it isn’t a specific industry or a specific type of
organization or size of organization that is at risk,” Irvine said, “It’s
everybody.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
