During the past few years, there has been an increasing number of companies targeted by malicious entities around the world seeking to obtain their data. That in itself is no surprise, given that nearly all companies have valuable data from which someone else could profit, plus the sheer volume of methods available to today’s attackers-for-hire.
However, there are some attackers driven by factors other than money, be it social causes, patriotism or even anarchism. These digital hacktivists can be more dangerous than attackers seeking profit, as they may have no objective other than to contribute to the downfall of your organization, if they believe it conflicts with their agendas.
In this tip, we’ll discuss how hactivists may play a role in certain high-profile attacks, how security teams can begin to assess whether an organization may be a likely hacktivist target and precautions to take to avoid catching the eye of these highly motivated digital miscreants.
For example, some of the Night Dragon (.pdf) discussions from McAfee Inc. and the specter of advanced persistent threats (APT) initially raised by the Christian Science Monitor in 2008 suggest attackers are targeting oil and gas companies with the intent of stealing intellectual property, including oil-field exploration data, processing secrets, etc. While it may seem obvious that the attackers were seeking sensitive data from which they could turn a profit, some might speculate the more aggressive environmentalists would be enticed to perpetrate such an attack to advance their own agenda and harm the oil and gas companies or their stakeholders.
In another example, Google Inc. and other large companies were attacked under the guise of Operation Aurora. The primary motivation of this attack seemed to be financial given the number of companies involved. However, according to a New York Times report based on data revealed by Wikileaks, the attacks were directed by the Chinese government not to steal Google's data, but to obtain access to email accounts belonging to advocates for human rights in China.
The point is, any enterprise could be subject to an attack that results in data theft or exposure. The motives may be clear-cut in some cases, but in others they may not be clear for some time, if ever. Still, since hacktivism is a growing concern, enterprises should seek to reduce the likelihood of a hacktivist-driven attack.
Inside the mind of a hacktivist: Corporate profiling
So, what does an organization need to consider when determining if it’s a high-value target for hacktivists? Really, this comes down to whether the organization handles, possesses, manages, stores or otherwise has information that could be of interest to another government, competitor, entity, hacker, insider, etc. If, as discussed above, the company's data could be of interest to someone, then it is a possible target.
A simple, single metric to help enterprises figure out the value of data risk is the Ponemon Institute annual data cost figure. For 2011, Ponemon announced the cost per compromised record was $214, with an average of $7.2 million per data breach event. So, a simple way to calculate risk would be to determine the number of records in the company's possession that, if breached, lost or exposed, would require customer notification, and multiply that number by the $214. Odds are, these numbers will add up fast.
However, even if the company perceives with the value of specific data as negligible, a high-profile company should be vigilant against the hactivists' intentions to cause harm and disruption. If you look at some companies, such as HBGary Federal, which decided they would fight back against the Anonymous hacker gang, the end result was a fairly aggressive push by Anonymous that resulted in some challenging times for the company in question. Hence, a lesson learned is to not position a company in an overtly hostile stance against less-than-friendly cyberplayers.
Thwarting hacktivists: Ensuring basic data protection
If you have ascertained your organization is a high-value target, then it's important to raise the focus of your information security risk profile and take actions to protect the data. Besides the usual infosec protection schemes -- such as employee awareness and encryption of data in transit and at rest -- consider how your data is handled at the end of life.
Here are some instances for your consideration:
- Are your paper records shredded using a confetti shredder, and is the destruction witnessed by trusted staff?
- What happens to old hard drives from computers and copier/printers? They could contain data you would not want to have released to the public.
- How is the office trash handled? Is it handled by a trusted service with background checks, or a casual vendor?
- Are laptops encrypted? What about a policy for use and handling of USB drives and portable media? Don’t forget the Stuxnet worm was launched by some sort of USB drop.
- How are you protecting your key executives and their staff assistants from spear phishing attacks? Are you raising awareness about the hazards of social networks, where a casual presence can be used by an attacker to his or her advantage?
Thwarting hactivists: Media monitoring and management
The tone your company sets in the media -- including any information posted on social networks -- can certainly raise the interest of hactivists. For instance, quotes and news articles should be examined to ascertain how inflammatory they could be to hactivist groups. Similarly, consider the tone of postings on social media sites such as Twitter, LinkedIn or Facebook. Particularly, as the comments in those outlets tend to be less sophisticated and less well vetted than those to standard media outlets.
Therefore, here are some points of consideration for your company’s profile in the media:
- Closely monitor the social networks for themes and hostile comments about your company. Look for trends around particular work locations or events local to your corporate locations. If a certain business activity or topic of conversation about the company draws a high volume of responses, that may be worth flagging and studying more closely.
- Avoid hostile responses in the media, especially after a cyberevent (such as a breach) at one of your corporate locations or at a competitor's.
- Remember, your media presence can reveal your vulnerabilities. For instance, even want ads for IT personnel can reveal too much about your corporate computer presence, thus giving attackers an idea of where to attack and what vulnerabilities they can potentially take advantage of.
The point to be made is that any organization can be the target of an attack -– by a government, angry employee or hacktivist. The reasons for the attacks may not always be known, but, whatever they are, your job is to protect the data.
About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is the founder and owner of 443 Consulting, LLC, an enterprise focused on providing quality thought leadership in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, and research. Most recently, Ernie was Information Security Strategic Advisor in the Compliance Office at Seattle City Light. In this role he was the primary leader of utility-wide efforts focused on complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.