The security landscape changed in 2011 as large companies and governments were taught serious lessons about vulnerability but action has been slow in coming, says Eric doyle
The past year got off to a late start for some Apple fans. The wake-up alarm they set on their shiny new iPhones failed to go off. And this was just the start of an eventful year.
Different kinds of alarm bells were already ringing across the South Mediterranean coast as the rich and powerful in Tunisia, Egypt and Libya started to fall during the “Arab Spring” uprisings. For the first time, the organisational potential of the Internet, social networking and the global adoption of mobile phones all played a part in co-ordinating the protests and paramilitary offensives.
Revolution and looting
Once again, the encrypted communications of RIM’s BlackBerry played a part. Encryption is a power for good and evil in the digital age. In 2010, various governments pressurised RIM to allow access to its servers’ secret source of information following earlier terrorist action in India. When public disobedience reared its head, the African Arab states chose a more direct path of action by trying to sever Internet links and telecoms networks.
The governments’ actions were widely condemned by other nations. The UK complained bitterly about these infringements on human rights but when trouble struck at home and looting and destruction hit many of its cities, the British government was quick to blame social networks and to lay plans for disrupting communications if similar altercations occured in the future.
Governments also hit the news as international espionage hit the Internet and national projects to protect businesses, governments and the planned smart grids began to receive serious attention and funding. The energy grids are a particular source of concern because supervisory control and data acquisition (SCADA) attacks continued throughout the year with Stuxnet and its derivatives, like Duqu,
It goes without saying that a successful attack on a grid would severely compromise a country and one thing that became clear was that no system is safe. Even the “airgap” systems, those that are not attached to the Internet, can be jumped if USB storage is used without due precautions.
The proof of the vulnerability of systems was proved primarily by the continued success of the Anonymous hackers. 2011 saw many facets of vulnerability from the theft of Secure Sockets Layer (SSL) certificates, through Sony’s public debagging, to the hacking of military and policing authorities.
It is true that numerous arrests were made in the wake of these exploits but that is akin to blocking two or three holes in a colander – and even those blockages will only last until new recruits are found. According to reports, the majority of Anonymous’ successes stem from poor security practices. Members of the group don’t have to be anything more than “script kiddie” level hackers to penetrate weak password protection or to mount a SQL injection attack.
Rather than trying to herd cats, which is the authorities’ apparent offensive, it would be far better to have better education. EMC’s security subsidiary RSA, in the aftermath of its embarrassing announcement last March, made some moves towards establishing a useful forum for debating the state of security by holding meetings behind closed doors where companies could bare their souls without fear of adverse publicity.
Action is what is needed but major attacks have been with us for over two years and little actually appears to have been done. As Daniel Cuthbert, assessment manager at SensePost, pointed out at a SecureData conference last November, $500,000 (£325,000) would buy a team that could hack their way into 90 percent of the world’s IT networks.
Because of this slow reaction, 2012 is set to be more of the same. Exploits are becoming more sophisticated to penetrate the top 10 percent of “secure” organisations and the rest will suffer from overlooked loopholes. Overall, it appears that Anonymous will flourish and the exploits keep coming. Organisations have to accept that an Internet presence means that they are potential targets and that a second level of protection is needed because the top level is no guarantee of safety.
Unencrypted data is the most vulnerable but organisations seem to be reluctant to spend the money required to offer this added degree of security. It all reminds me of the old days when nobody would buy backup systems to protect their data from disk crashes and worse disasters. Eventually, they caved in when they grasped the enormity of the situation. How long before management and IT departments once again realise what the consequences of inaction means to them?