Is there a relationship between the increase of breaches and hacks and the paradigm shift to outsourcing and cloud services? Logic suggests that if services are consolidated then these points of control should be more mature and better equipped to deal with issues, but is this reality or a mindset that leaves us vulnerable to simple attacks?
The connection may be very difficult to see, as the other key factor to consider is why the attacks are taking place. Let’s consider this first. My early InfoSec studies taught me to consider method, motivation and opportunity when assessing the threat and risk to a given asset. If we consider what is happening across the ‘net these days it is clear that political drivers are behind certain attacks and hacks (motivation), and both complex and simple attack vectors (method) are used to achieve the intended result. However, there are a bunch of other attacks taking place in which the motivation is questionable. For example, in the recent DNS compromise, why were UPS, The Register, National Geographic and Vodafone the targets? The only visible connection is that they use the same DNS provider, NetNames, which suggests the motivation was to disrupt the DNS services of major online brands rather than to hit the specific brands themselves. This is of course only one possible explanation, although it does seem the most likely if you look at the hacking group’s track record. However, it is difficult to say, as we tend to piece together motivation and action from a single point of reference and based on the facts known to us – much like archaeologists try to join the dots using fossils. One must also consider the nature of the attack – in this case redirecting sites results in a mildly irritating denial of service, which brings us back to questioning the motivation. Based on current knowledge it appears that the group behind this attack have some political motivation. But what is the connection between this and global western brands? I’m not sure there is one. To me it appears that some attacks are motivated, while others are merely opportunistic (completing our attack triad) and at most provide a platform to further advertise a particular group’s message. So the motivation is rather to reach a desired audience (or audience size), and not to focus on a particular target.
Once an attack vector has been discovered to be successful, the inherent nature of the Internet’s interconnectedness puts it at risk of repeated opportunistic attacks. As noted in the previous blog post there are many soft targets out there that struggle with fundamental controls, so it is only a matter of time before these targets are discovered and exposed through tried and tested successful attack vectors.
So what does this mean to the broader Internet community? Stating the obvious – you need good security in place if you have an online presence, regardless of your line of business, as some attacks frankly don’t care and are driven by the underlying infrastructure or services. Alternatively, a more lackadaisical way of looking at this is to suggest you only need to have marginally better security than your neighbour, as often the attack identifies the softest target. However, this can only ever provide a false sense of security, given that some part of your online service offering relies on other providers that may not be as secure as you hope. My fear is that all the current hype about the cloud could mean organisations choose instead to transfer (and to a point accept) the risk. This approach will not help the Internet community as a whole determine the best way forward to collaboratively protect against future attacks.