It was the best of cybercrimes; it was also the worst. The Lulz Security group (LulzSec) quickly became one of the most dramatic cyber-crime waves that we have seen to date. This small group of blackhats captured the media’s attention with their hacking rampage that lasted for nearly two months.
For now, the LulzSec group claims to be off the air. In its wake, the authorities are working diligently to track down the individuals behind the attacks on international corporations such as Sony, the U.S. government (the CIA and the Senate), and a smattering of other websites.
Let’s set aside the tempting David vs. Goliath angle of the LulzSec case. The fact is, after all the classes, training, patching, testing, perimeters and articles, these guys got in. They might not have made big money from such antics, but chances are that the next round of cyber attacks could cut much deeper.
While the LulzSec attacks were astonishingly quick and high profile, they are simply the latest in a series of grand cyber attacks. In previous months we found ourselves occupied by the RSA breach, attacks against PKI vendors, and the escapades of Julian Assange on WikiLeaks. After this string of malicious activity, people are really starting to question their confidence in security.
Could this be a healthy thing? Could we learn something from these very unfortunate events?
Responses to the LulzSec attacks have been all over the map. Some organizations are on high alert; others are mindfully watching and evaluating the threat landscape. A smaller number remains unconcerned, since they still believe the likelihood of being targeted is very low. Could they be right?
While attending a recent security conference, a panel of speakers fielded an open-ended question – “Are security professionals winning the war against cyber attacks?”
One panelist responded with a telling point: “In order to win, we need to be perfect. For a malicious party to win, he needs only to exploit one mistake.”
This truly illustrates the challenges that we security professionals face every day, night, weekend and holiday. Over-confidence and unfounded optimism could have a steep price, because the odds are stacked against us.
Dealing with Reality
Closing our eyes and telling ourselves that we’ll never be attacked simply doesn’t work as a countermeasure. To better protect ourselves from an attack, we must first accept that cyber criminals will eventually attempt to break in.
Once we have accepted that, the question becomes: Will the criminals find a vulnerability and successfully exploit it? If the answer is yes, then what data could be exposed and how could the criminals escalate the attack and gain access to other sensitive resources? That’s the beginning of a true “defense-in-depth” strategy for countering these risks.
Defense-in-depth isn’t a single action, but rather a series of technical and administrative layers designed to prevent attacks and to contain the damage should an attack occur. Defense-in-depth starts with the technical countermeasures that we all immediately think of – firewalls, intrusion prevention systems, proxy appliances, virus scanners, etc. However, it must also encompass other layers of protection such as:
- A good software patch management process
- Device configuration review
- Strong security policies
- User education
- Code review for home-grown apps
- Application security reviews
- Auditing and alerting mechanisms
By taking a multi-faceted defense-in-depth approach, we can greatly reduce the potential for compromise and continue to protect our systems and data. It’s about as close as we can get to our goal of perfection in a very imperfect and sometimes scary world.
Matt Lidestri manages Internet security and products for COCC, an IT outsourcing and support firm serving credit unions and community banks in Avon, Conn.