Ramblings following on from last Data Breach post

Is there a relationship between the increase of breaches and hacks and the paradigm shift to outsourcing and cloud services? Logic suggests that if services are consolidated then these points of control should be more mature and better equipped to deal with issues, but is this reality or a mindset that leaves us vulnerable to simple attacks?

The connection may be very difficult to see, as the other key factor to consider is why the attacks are taking place. Let’s consider this first. My early InfoSec studies taught me to consider method, motivation and opportunity when assessing the threat to, and risk of, a given asset. If we consider what is happening across the ‘net these days it is clear that political drivers are behind certain attacks and hacks (motivation), and that both complex and simple attack vectors (method) are used to achieve the intended result. However, there are a bunch of other attacks taking place in which the motivation is questionable. For example, in the recent DNS compromise, why were UPS, The Register, National Geographic and Vodafone the targets? The only visible connection is that they use the same DNS provider, NetNames, which suggests the motivation was to disrupt the DNS services of major online brands rather than to go after the specific brands themselves.

This is of course only one possible explanation, although it does seem the most likely if you look at the hacking group’s track record. It is difficult to say for certain, as we tend to piece together motivation and action from a single point of reference and from the facts known to us, much like archaeologists try to join the dots using fossils. One must also consider the nature of the attack: in this case redirecting the sites resulted in a mildly irritating denial of service, which brings us back to questioning the motivation. Based on current knowledge it appears that the group behind this attack has some political motivation. But what is the connection between that and global western brands? I’m not sure there is one. To me it appears that some attacks are motivated, while others are merely opportunistic (completing our attack triad) and at most provide a platform to further advertise a particular group’s message. So the motivation is rather to reach a desired audience (or audience size), not to hit a particular target.
Once an attack vector has been discovered to be successful, the inherent nature of the Internet’s interconnectedness puts it at risk of repeated opportunistic attacks. As noted in the previous blog post there are many soft targets out there that struggle with fundamental controls, so it is only a matter of time before these targets are discovered and exposed through tried and tested successful attack vectors.

So what does this mean to the broader Internet community? Stating the obvious: you need good security in place if you have an online presence, regardless of your line of business, as some attacks frankly don’t care who you are and are driven by the underlying infrastructure or services. Alternatively, a more lackadaisical way of looking at this is to suggest you only need marginally better security than your neighbour, as the attack often settles on the softest target. However, this can only ever provide a false sense of security, given that some part of your online service offering relies on other providers that may not be as secure as you hope. My fear is that all the current hype about the cloud could mean organisations choose to transfer (and to a point accept) the risk instead. This approach will not help the Internet community as a whole determine the best way forward to collaboratively protect against future attacks.

News and another great quote – Breached (again?!)

If I kept a running commentary of all the system, service and data breaches currently being disclosed this blog would probably look like it was scrolling in real time. Thankfully a bunch of other sites do a great job of keeping us up to date on the somewhat gloomy happenings across the Internet.

The recent DNS attacks are of particular interest, and concern. DNS is part of the fabric of the Internet, and without it many people’s (click-and-mortar) businesses and livelihoods could come to an abrupt halt. In this case it was large corporations targeted, but it is easy to see smaller home-based companies suffering collateral damage.
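As an added example (not code from the original post), the kind of baseline check a site owner could run against their own zones to notice that a delegation has been moved at the registrar or DNS provider, rather than finding out from customers; the zone names, addresses and name servers are constructed placeholders and the "live" answers are embedded rather than resolved:

```python
"""Diff live DNS answers against a verified baseline to spot hijack-style changes.
Added example, not from the original post; all names/addresses are constructed."""
# Constructed baseline: record sets an operator has verified for their own names.
BASELINE = {
    "example.com.": {
        "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
        "A": {"192.0.2.10"},
    },
    "www.example.com.": {"A": {"192.0.2.10"}},
}

# Constructed "live" answers standing in for a resolver lookup. The NS set has been
# changed at the parent (what a registrar or DNS-provider compromise looks like), so
# every A record in the zone now points somewhere else.
OBSERVED = {
    "example.com.": {
        "NS": {"ns1.attacker-controlled.example."},
        "A": {"198.51.100.77"},
    },
    "www.example.com.": {"A": {"198.51.100.77"}},
}


def diff_records(baseline, observed):
    """Return one (name, rtype, expected, actual) tuple per mismatching record set."""
    findings = []
    for name, rtypes in baseline.items():
        for rtype, expected in rtypes.items():
            # A missing answer counts as a mismatch, not as "nothing to report".
            actual = observed.get(name, {}).get(rtype, set())
            if actual != expected:
                findings.append((name, rtype, expected, actual))
    return findings


def classify(findings):
    """NS mismatches mean the delegation itself moved; A changes beneath it follow from that."""
    delegation = [f for f in findings if f[1] == "NS"]
    content = [f for f in findings if f[1] != "NS"]
    if delegation:
        return "delegation-changed", delegation
    if content:
        return "zone-content-changed", content
    return "ok", []


if __name__ == "__main__":
    verdict, details = classify(diff_records(BASELINE, OBSERVED))
    print(verdict, [(n, t, sorted(a)) for n, t, _, a in details])
```

Run on a schedule with real lookups swapped in for OBSERVED, a "delegation-changed" verdict is the signal to call the provider, since nothing inside your own zone file will fix it.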

It sometimes feels like we have built our Internet/E-commerce house on sand. What is more concerning is that the simple, well-known attacks (SQL injection in this case) are still highly effective. The DigiNotar incident audit report also puts fundamental security control failures at the root of the breach – log management, password controls, patches and network segmentation.

Why do we spend time worrying and analysing APTs and advanced cyber-crime techniques when we still can’t get the basics right?

Brian Honan summed it up well in his Editor comment on the SANS NewsBites email yesterday (Brian I hope you don’t mind me quoting you!):

“This (DNS) attack and the one on DigiNotar highlight how fragile, insecure and unsuitable the Internet is for conducting the type of transactions we are using it for. Putting security solutions as add-ons to the infrastructure is not working. We need a fundamental rebuild of the security architecture we are using and we need it now!”

http://isc.sans.edu/diary/Several+Sites+Defaced/11503

http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ (I like the irony of posting this link)

NEWS: UK ICO delivers fines for data breaches

A ‘breakthrough’ of sorts in the UK: earlier this year the Information Commissioner’s Office in the UK was granted the power to fine organisations that failed to adequately protect customer data where breaches took place. Two organisations, Hertfordshire County Council and A4e, have now been fined for breaches.
The Council was found guilty of sending sensitive information to the wrong people via fax, which is human error. I wonder how many times this happens and goes unnoticed?
A4e suffered the more common fate of losing an unencrypted laptop holding the personal information of 24,000 people, which is a failed operational control as well as human error. Why were the records on the laptop in the first place?

ComputerWeekly have a good review on the story:
http://www.computerweekly.com/blogs/the-data-trust-blog/2010/11/ico-issues-first-fines—but-h.html

The feeling is that while the fines are a good move, the amounts don’t relate to the severity of the breaches. The fines were GBP100k and GBP60k, which seem more like a slap on the wrist. For me it is a good start, although if investigations are not handled properly and companies feel they are fined unfairly, this may result in fewer companies disclosing data breach incidents.