BreachExchange mailing list archives
Will Your Site be Hacked on Nov. 5?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 3 Nov 2013 23:05:02 -0700
http://www.govtech.com/data/Will-your-site-be-Hacked-on-Nov-5.html

The clocks are ticking down and the masks have been gathered for Nov. 5, a day now unavoidably associated with the hacker group Anonymous and their momentary but memorable acts of civil disobedience.

Anonymous and its members are linked to multiple attacks on that date since the international network of hackers and activists was established in the early 2000s. The group’s targets have ranged from various industries to religious denominations and government organizations. And as such, CIOs and security officers are on watch.

Jerry Irvine, CIO and IT and security expert at Prescient Solutions and a member of the National Cyber Security Task Force, has been focused on the attacks for years. He says they are part of a trend toward more sophisticated attacks.

“The distributed nature of cyberattacks today is really different than it’s been,” Irvine said. “They’re no longer being performed by individuals, or ‘script kiddies,’ but rather by organizations, city states and political groups like Anonymous.”

Just like Anonymous, Irvine is taking advantage of the day, but in an opposing direction, to call attention to a few tips that agencies can use to protect their data and digital networks.

1. NOV. 5 TRANSLATES TO A DOUBLE CHECK

For those brushing up on their cyberhistory, Nov. 5 commemorates Britain’s Gunpowder Plot of 1605, a.k.a. Guy Fawkes Day, when a band of revolutionaries nearly blew up the Houses of Parliament. Hackers now use the date as a vehicle for political mischievousness, and Irvine says this means it’s time for agencies to double check their information security measures.

Irvine recommends a review of current security measures, allocating some time to make sure the latest software updates are in place and functioning properly. But he cautions against knee-jerk reactions or hasty security add-ons.

“Cybersecurity must be baked into the platform, infrastructure and application environments at the time of concept and implemented throughout the entire development and implementation life cycle,” Irvine said.

He advises agencies to conduct detailed, periodic cybersecurity system tests throughout the year that are performed both by in-house and independent third-party specialists.

2. COLLABORATION IS KEY

Cybersecurity is a moving target. There are no one-time fixes, one-time security plans or one-time software purchases that will permanently keep data safe and IT infrastructure protected. In today’s digital world, most people understand this. What many overlook, Irvine said, is the need to invest not just in software and hardware protection but in the cybersecurity community.

“Organizations should be involved within their community and industry’s cybersecurity collaboration organizations to be kept updated on current threats,” Irvine said.

As examples, Irvine listed InfraGard, the FBI’s support organization for businesses, and the nonprofit Multi-State Information Sharing and Analysis Center, which is dedicated to government collaboration against cyber threats. He also suggested developing a familiarity with tips and tools provided on the DHS site us-cert.gov, or the United States Computer Emergency Readiness Team, and nist.gov, the National Institute of Standards and Technology, operated by the US Department of Commerce.

3. IDENTIFY AND LIMIT ACCESS

Security access isn’t just about deciding which user gets to see what, Irvine said. It’s also about how data is accessible to specific devices such as outside computers and mobile devices.

“End point devices (the electronic devices where data is finally delivered) should be limited in what they’re able to take away from sensitive data and information systems,” Irvine said.

The push to make many types of government data more accessible complicates access control, Irvine said, because it can require organizations to open their security firewalls. That can create vulnerabilities if agencies don't change their security approach.

“It’s like cutting holes in the fence,” Irvine said. “What has to happen is a completely different mindset of security, a move from perimeter-based solutions to data-centric solutions.”

Data-centric solutions focus on protecting specific data types instead of safeguarding the entry points to where data is located, he said. Examples of data-centric protection techniques include virtual data environments and representations of data information versus complete access.

4. CLASSIFY DATA

This technique is like teaching a new dog an old trick. For years, larger government entities have classified data and limited access based on need. But now Irvine says it’s smart and in some cases absolutely critical for smaller governments to begin the practice.

“To do this, smaller government entities need to classify access and degrees of sensitivity for each set of information and data,” Irvine said. “And it’s not just financial data but intellectual property too.”

Personal contact information and anything that personally identifies employees must be included in this list, he added.

5. PICK UP THE PIECES

In some cases, it may be too late to prevent an attack. If this happens, Irvine says it’s all about damage control and analysis.

If an attack is detected, IT security teams must do whatever it takes to halt the breach and attempt to do as much forensic analysis as possible. This might mean isolating a system or even a full shutdown.

“As much forensic information as possible should be retained to enable systems professionals to define the source of the breach and potential opportunities to mitigate these from happening in the future,” Irvine said.

6. CREATE A SECURITY BUDGET

As a final note, Irvine said it’s important to remember that information security rarely comes cheap. The growing need for greater security, Irvine said, requires funding as much as it does technical know-how so organizations don’t find themselves beneath the cybersecurity poverty line.

“The bottom line is it isn’t a specific industry or a specific type of organization or size of organization that is at risk,” Irvine said, “It’s everybody.”