Stonesoft: IT security practices need rethinking
June 2011 by Stonesoft
The network security company Stonesoft encourages organizations to re-evaluate their existing risk management and security architecture. Recent phenomena such as WikiLeaks, Stuxnet, Advanced Evasion Techniques and the RSA security breach have changed the security landscape permanently and have served as wake-up calls at the strategic level as well. Organizations should re-evaluate their risk management and security architecture, with ultimate responsibility resting with top management and the board of directors.
The year 2010 and the beginning of 2011 have changed the security landscape permanently. Four phenomena, WikiLeaks, Stuxnet, Advanced Evasion Techniques and the RSA breach that exposed SecurID-related information, have shifted the axioms of security thinking and served as wake-up calls at the strategic level as well. The recent series of severe cyberattacks further emphasizes the need to act. It also appears that the more valuable the information an organization holds, the more likely it is to be targeted. Organizations should re-evaluate their risk management and security architecture, up to and including the board level.
WikiLeaks has been criticized for exposing classified information, harming national security, compromising international diplomacy and lacking editorial discretion. This has led organizations to consider whether they can still afford business information and practices which, if disclosed to the public, would harm or in the worst case destroy their business. If an organization’s core information cannot be revealed to the public, it must be protected accordingly.
Stuxnet has shown that there are organizations and individuals with the resources and competence to mount very advanced, targeted attacks. The claim that attacking a given network is too difficult or too resource-intensive is therefore no longer valid when the rewards on offer to criminals and other attackers are high.
Advanced Evasion Techniques (AETs) are a new species of evasion technique: evasions that can be altered and combined in any order so that a security device does not recognize the traffic it inspects, even though the target host reconstructs and processes it as intended. A set of AETs works like a master key to highly protected places: using them, any malicious payload, new or old, can be delivered to a target. AETs put the functionality of organizations’ data capital and systems at risk, and their existence indicates that the security field has focused too much on the speed and marketability of products at the expense of what matters most, real security. With the discovery of AETs, organizations have a responsibility to re-evaluate their security architecture and make sure their critical data and systems are protected.
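The following is an added illustration, not code from Stonesoft or from the original article, of why combined evasions are more dangerous than the sum of their parts. It models two well-known evasions, percent-encoding bytes of an HTTP URL and splitting the request across TCP segments that arrive out of order, against four constructed detectors: one that inspects each packet as it arrives, one that handles only the encoding, one that handles only the segmentation, and one that reassembles the stream and decodes it before matching, i.e. sees what the target host sees. The request, the signature and the segment size are all constructed for the demonstration; real evasions span many more protocol layers than these two.

```python
"""Added example: stacking evasions defeats single-layer inspection.

Constructed scenario (not Stonesoft code). A detector searches HTTP
traffic for one signature. Two evasions are modelled: percent-encoding
of URL bytes and out-of-order TCP segmentation. A detector that
normalizes only one layer is beaten by the other; only normalizing both
layers before matching survives the combination.
"""
from urllib.parse import unquote_to_bytes

SIGNATURE = b"/etc/passwd"  # the pattern the inspection device looks for

# Constructed requests: the same request, once plain, once with two URL
# bytes percent-encoded ('a' -> %61, 'd' -> %64). The web server decodes
# both to the identical path.
PLAIN = b"GET /etc/passwd HTTP/1.0\r\nHost: target.example\r\n\r\n"
ENCODED = b"GET /etc/p%61ssw%64 HTTP/1.0\r\nHost: target.example\r\n\r\n"


def segment(payload: bytes, size: int = 4):
    """Model TCP segmentation as (sequence offset, data) pairs delivered out of order."""
    segs = [(off, payload[off:off + size]) for off in range(0, len(payload), size)]
    return segs[::-1]  # last segment arrives first; any permutation would do


def reassemble(segments):
    """Rebuild the byte stream the target host will see, ordered by sequence offset."""
    return b"".join(data for _, data in sorted(segments))


def detect_per_packet(segments):
    """Stateless and fast: match each segment as it arrives."""
    return any(SIGNATURE in data for _, data in segments)


def detect_decode_only(segments):
    """Undoes URL encoding but still inspects segments one at a time."""
    return any(SIGNATURE in unquote_to_bytes(data) for _, data in segments)


def detect_reassemble_only(segments):
    """Reassembles the stream but matches the raw, still-encoded bytes."""
    return SIGNATURE in reassemble(segments)


def detect_normalized(segments):
    """Reassemble, then decode, then match: inspects what the host will process."""
    return SIGNATURE in unquote_to_bytes(reassemble(segments))


DETECTORS = {
    "per_packet": detect_per_packet,
    "decode_only": detect_decode_only,
    "reassemble_only": detect_reassemble_only,
    "normalized": detect_normalized,
}

SCENARIOS = {
    "no_evasion": [(0, PLAIN)],
    "encoding": [(0, ENCODED)],
    "segmentation": segment(PLAIN),
    "encoding+segmentation": segment(ENCODED),
}


def run_scenarios():
    """Return {scenario: {detector_name: caught}} for every combination."""
    return {name: {d: fn(segs) for d, fn in DETECTORS.items()}
            for name, segs in SCENARIOS.items()}


if __name__ == "__main__":
    for scenario, results in run_scenarios().items():
        caught = [d for d, hit in results.items() if hit]
        print(f"{scenario:22s} caught by: {', '.join(caught) or 'nobody'}")
```

Each single-layer detector catches the evasion it was built for and misses the other; the combination of the two is caught only by the detector that normalizes the whole stream before matching. That is the practical meaning of "combined in any order": a device has to reconstruct every layer the way the endpoint does, not just the layers its signatures were tuned against.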
The RSA security breach could allow attackers to enter protected systems by creating duplicates of "SecurID" electronic keys from EMC Corp’s RSA security division. SecurIDs are widely used tokens designed to thwart attackers who capture passwords with key-logging malware: the token generates a new one-time code at short, fixed intervals, so a captured code becomes useless almost immediately. In March 2011, EMC disclosed that hackers had broken into its network and stolen SecurID-related information that could be used to reduce the effectiveness of those devices in securing customer networks. A token whose codes can be reproduced from stolen information offers little more protection than a static password.
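As an added illustration (not from the original article) of why the stolen token material matters, the block below implements a standard time-based one-time-password token (TOTP, RFC 6238 with HMAC-SHA1) together with a minimal verifier. SecurID’s own algorithm is proprietary and is not TOTP, so this is a stand-in that shows the principle rather than RSA’s implementation: a one-time code is a deterministic function of a secret seed and the clock, so a replayed code is refused, but anyone holding a copy of the seed produces exactly the same codes as the genuine token until the token is re-seeded. The user name, seeds and timestamp are constructed for the demonstration.

```python
"""Added example (not from the article): token codes are only as secret as the seed.

Standard TOTP (RFC 6238, HMAC-SHA1) is used because it is public and
reproducible; SecurID's real algorithm is different and proprietary.
The consequence shown here is the same for any seed-based token.
"""
import hashlib
import hmac
import struct

STEP = 60    # seconds per code; constructed choice for the demo (RFC 6238 default is 30)
DIGITS = 6


def totp(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter, dynamically truncated."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Server side. It must hold a copy of every issued seed: that copy is
    exactly the kind of material whose theft undermines the whole scheme."""

    def __init__(self):
        self.seeds = {}
        self.accepted = set()  # (user, counter) pairs already used: blocks replay

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def check(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = now // STEP  # real verifiers also tolerate +/-1 step of clock drift
        if (user, counter) in self.accepted:
            return False       # one code, one login
        if not hmac.compare_digest(totp(seed, now), code):
            return False
        self.accepted.add((user, counter))
        return True


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through genuine login, replay, a cloned token, and re-seeding.

    `now` is a constructed fixed timestamp so the run is reproducible."""
    server = Verifier()
    issued_seed = b"12345678901234567890"  # constructed; the RFC 6238 test seed
    server.enroll("alice", issued_seed)
    stolen_seed = issued_seed              # what an attacker with the seed records holds

    results = {}
    # 1. The genuine token logs in.
    results["genuine"] = server.check("alice", totp(issued_seed, now), now)
    # 2. Replaying the captured code in the same time step fails: this is the
    #    property that defeats a key-logger.
    results["replay"] = server.check("alice", totp(issued_seed, now), now)
    # 3. In the next step, a clone built from the stolen seed is indistinguishable
    #    from the real token.
    t1 = now + STEP
    results["clone"] = server.check("alice", totp(stolen_seed, t1), t1)
    # 4. Re-issuing the user a token with a fresh seed makes the stolen seed worthless.
    server.enroll("alice", bytes.fromhex("00112233445566778899aabbccddeeff"))  # constructed new seed
    t2 = t1 + STEP
    results["clone_after_reseed"] = server.check("alice", totp(stolen_seed, t2), t2)
    return results


if __name__ == "__main__":
    for event, ok in demo().items():
        print(f"{event:20s} accepted={ok}")
```

The replay is refused and the clone is accepted, which is the whole story of a seed compromise: the token's rotating codes protect against a stolen code, not against a stolen seed. The only remediation for the latter is to replace the seeds, which is why a breach of the issuer's seed records is far more serious than any number of individual code captures.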
Overview of recent security breaches
During 2010 and 2011 we have witnessed several severe security breaches:
• Nasdaq, 2010
o Hackers repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during 2010. The case poses two concerns for authorities: preserving the stability and reliability of computerized trading, and ensuring that investors retain full faith in that system. Stock exchanges know they are frequent targets for hackers.
• RSA breach, March 2011
o Hackers infiltrated security firm RSA and stole information related to its two-factor authentication products.
• SONY hacked several times in 2011
o The incident is the latest in a week-long string of hacks and breaches. The problems began on April 19, when the company started an investigation that ultimately uncovered a massive breach of its PlayStation Network, a cyber scandal that compromised the personal information of more than 100 million users.
• Comodo breach, March 2011
o US digital certificate authority Comodo admitted that two more of its Registration Authorities (RAs) had been compromised. The incidents appear to be separate from the so-called Iranian lone hacker incident earlier in the month, in which at least five accounts were compromised.
• Barracuda, April 2011
o After several hours of automated probing, attackers found and exploited an SQL injection vulnerability in the Barracuda website, raided several databases and took the names and contact information of partners, customers and Barracuda employees.
• Lockheed Martin Corp, May 2011
o Unknown hackers broke into the networks of Lockheed Martin Corp, the world’s biggest defence contractor.
• L-3 Communications, hacking attempt in 2011
o Defence contractor L-3 Communications was targeted with penetration attacks aimed at acquiring confidential information. L-3 did not disclose whether the attacks succeeded.
• Citibank, hacked in May 2011
o The personal and account information of some 200,000 Citibank card holders in North America was exposed, including contact details such as names and email addresses.
• IMF hacked in June 2011
o The International Monetary Fund, the intergovernmental group that oversees the global financial system and brings together 187 member nations, has become the latest known target of a significant cyber attack.
The common denominator of almost all the organizations listed is that their network security operates at the highest levels of security and integrity: they have dedicated security teams with command and control centres managing and protecting their networks against multiple incident scenarios. Nevertheless, they have been hacked. It is likely that there will be more such events, and that breaches will spread to less well protected organizations as hacking tools continue to evolve and become more widely available.
“The threat landscape has changed permanently, and the design principles which have been used to protect organizations’ digital assets need to be re-evaluated. IT security strategy is becoming an increasingly important area of risk management. Top management needs to have it on its agenda. Ignoring security and leaving the responsibility only on IT management’s shoulders is a clear sign of poor governance,” said Ilkka Hiidenheimo, CEO of Stonesoft Corporation. “Even corporate boards should participate to exercise oversight of management’s responsibilities and review the risk profile of the organization.”