By Nestor E. Arellano
In the simulated network attack used in the recently concluded SC Canada Congress security conference, organizers attributed the hypothetical theft of a fictitious company’s data to a secretive band of hackers known as LulzSec.
The simulated attack, which was the highlight of the session titled “2 ½ hours to network meltdown,” was a hilarious affair featuring a hapless operations chief of a network security team that scarcely had any idea how to handle the attack that was taking place.
But there is nothing to laugh about in the real attacks launched recently by the grey hat hacker group whose motto is, ironically, “laughing at your security since 2011”.
LulzSec’s high-profile exploits this year include the compromise of more than 1 million user accounts of Sony. LulzSec has also claimed responsibility for taking offline the very Web site of the Central Intelligence Agency and is credited with stealing 180 passwords of members of InfraGard, an affiliate of the Federal Bureau of Investigation. Just yesterday, the group is believed to have leaked 62,000 passwords and user names from an as-yet unknown Web site.
LulzSec does not appear to be making money out of these attacks and appears to carry them out simply to illustrate that it has the capability to do so.
While I don’t support the attacks, I do believe there are some good lessons to be gleaned from them.
For one thing, by breaking into these networks which conceivably should be well-protected, LulzSec is telling network security practitioners and decision makers of businesses and governments that it is high time to look at cyber security seriously.
Despite numerous instances of data breaches each year, which cost businesses millions of dollars, there remains no shortage of poorly protected networks. Keep in mind these targets are companies that we trust to do business with and that have in their databases our addresses, credit card and other financial information. These are government agencies or quasi-government agencies that could be storing in their servers private information that may include legal records, addresses and other data traceable to their owners.
Some studies estimate that the average data breach costs about $6.7 million, but this figure probably only takes into account the known breaches. What about other breaches that have not yet been discovered? How many security and privacy breaches should customers and individuals suffer until these businesses and agencies take note?
In the case of InfraGard, an information-sharing analysis community in partnership with the FBI, LulzSec revealed that the exploit was made possible because its members were extremely lax with basic security measures. LulzSec was able to lift usernames and passwords because some account holders re-used their login credentials.
Rich Baich, North Carolina-based principal of Deloitte & Touche LLP, says it is not necessary for hackers to bring down a network. “The smart attackers inject a Trojan and let it sit there undetected while it quietly siphons off data. They can turn it on and off as they please and it can go on for years,” according to Baich, who is also a former naval information warfare officer for the National Security Agency, ex-special assistant to the department director for national infrastructure protection centre of the Federal Bureau of Investigation and one-time senior director for the security software firm now known as McAfee Inc.
Many networks, according to Baich, are breached through their weakest link – employees that misplace passwords, executives who hook up to the network through unprotected devices like smartphones and iPads or clients and partners that do not have robust security systems.
If LulzSec’s actions have any saving grace, I believe it is that they shed light on the woeful state of network security of many companies and organizations that people entrust their personal and financial data to.
Perhaps it will bring public opinion to a tipping point where people will demand better security and these organizations will have no choice but to comply. Okay – maybe that scenario is too far out. But at least for those organizations that are hacked, I hope the breach brings about a genuine rethinking of security posture, policies and processes.