Cyber Attacks: How Worried Should We Be?
Holiday Hackers Victimize White House, Pentagon, NYSE Sites
"This isn't the last cyber incident we're going to see in the near future," says Amit Yoran, the onetime director of the Department of Homeland Security's National Cybersecurity Division. "We're likely to see attacks like this, perhaps even more sophisticated ones, and the more we learn from our current process, the better we can prepare ourselves for the evolving threat that we know is going to become more efficient and more malicious over time."
Starting over the Independence Day weekend and continuing into the week, hackers targeted government and business websites in the United States and South Korea, causing varying degrees of disruption of service. Among the federal government websites reportedly assaulted: the White House; the National Security Agency; the Departments of Defense, Homeland Security, State, Transportation and Treasury; the Federal Trade Commission; and the Secret Service. Among the business sites said to have been attacked: the New York Stock Exchange, NASDAQ and The Washington Post.
Scale of the Threat
How big of a deal were these attacks? The answer, for now, is in the eye of the beholder.
Shane Sims, director of PricewaterhouseCoopers forensic services practice, barely shrugged his shoulders. "When I hear something like that, it doesn't raise real alarm bells for me," says Sims, a former FBI agent who specialized in cyber crime. "Typically, the sites these guys are compromising are not sites that contain information that's detrimental to national security."
But Tom Kellermann, who chaired the threats working group of the highly touted Commission on Cybersecurity for the 44th Presidency, sounded alarmed about the website breaches, and believes hackers can penetrate websites to gain access to databases. Unlike in years past, hackers employing an SQL injection or cross-site scripting attack can push their way through the web applications and into the databases housed on back-end servers, and then into the network layer itself, he says. "That's a fact of life now because of Web 2.0," says Kellermann, vice president of security awareness at Core Security Technologies, a provider of IT security testing software. "And that's the real worrisome phenomenon here."
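As an added illustration, not part of the original article or of any product Kellermann's company sells, the following Python snippet shows the difference he alludes to: a web application that concatenates user input into an SQL statement versus one that binds the input as a parameter. It uses Python's built-in sqlite3 module with a constructed in-memory table standing in for a back-end database; the table contents, the function names and the sample input are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a small accounts table such as a public-facing
# web form might query. Names and addresses are placeholders.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.org", "user"),
    (2, "bob", "bob@example.org", "user"),
    (3, "admin", "admin@example.org", "admin"),
]

# Constructed input that a careless query treats as SQL grammar rather than data.
INJECTED_INPUT = "' OR '1'='1"


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: whatever the user typed becomes part of the query."""
    sql = (
        "SELECT id, username, role FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameter binding: the driver passes the input as a value, so it can
    never alter the WHERE clause, however it is spelled."""
    sql = "SELECT id, username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both variants on the same input and report how many rows each leaks."""
    conn = build_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "hardened_rows": len(lookup_hardened(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup behaves identically in both variants.
    print("alice:", compare("alice"))
    # The constructed input widens the concatenated query to every row,
    # while the parameterized query simply finds no such username.
    print("injected:", compare(INJECTED_INPUT))
```

The point for defenders is that the hardened variant needs no input filtering to stay correct: the database driver keeps the query structure fixed and treats the entire string as a literal, which is why parameterized (prepared) statements, rather than escaping or blacklists, are the standard mitigation for the class of attack the article names.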
Kellermann suggests the website assaults may have served as camouflage to a more hideous attack that penetrated into the back-end server databases and networks. "Just because they burned your house down didn't mean they didn't infiltrate beforehand," he says. "The enemy could have very well infiltrated these systems beforehand, and then launched the denial of service to basically cloud it with a fog of war and cover their tracks for what had been done on front end."
Yoran, the former national cybersecurity director who heads the IT risk management firm NetWitness, agrees that it's possible to infiltrate networks and databases through a website, but contends it's much too early to come to that conclusion until experts analyze these attacks. "I'm not suggesting that is happening, but I don't think we're at the point where we can rule things out until we get all the forensic analysis done and we get enough data points, technical and otherwise, that we can start formulating conclusions," he says.
Origin of the Attacks
Reports have circulated that South Korea has accused North Korea and its backers of having instigated these attacks - finger-pointing Yoran isn't ready to accept until more evidence surfaces. "There's a natural desire to very quickly develop theories as to who might be behind these events," he says. "Having spent a decade or two in the incident-response world, one of the things we have to be disciplined about is attack attribution. Unfortunately, in cyber, it's a very complex process to be able to ascribe attribution to an event, especially if it's done in a sophisticated fashion. ... We've learned over the years to stay very disciplined in our forensic analysis to make sure the facts develop the theory, as opposed to coming up with a theory that you're predisposed to."
Still, Kellermann says the way these attacks occurred suggests an organized group of hackers could have instigated them. "What's disturbing is that many sites were hit by what seems to be like organized target attacks, not a polymorphic worm or virus, for that matter," he says. "It looks like many entities - whether they were state governments or non-state governments - were using this type of exploit to target critical infrastructures and critical government agencies. What's most problematic from my perspective is the realization that maybe there are a lot of non-state actors serving as proxy, i.e. mercenaries, for state governments to launch such attacks and how hacktivism and the mercenary hacker-for-hire phenomenon have kind of coalesced."
Regardless of who's behind these attacks, they serve as wake-up calls not only for agencies and businesses to better defend their systems, but also for the Obama administration to more aggressively safeguard federal IT and the nation's critical information infrastructure, including by naming a White House cybersecurity adviser, an appointment President Obama promised in May.
"This incident clearly shines a light on the need for senior level attention and the presence of a security coordinator in the White House to help foster that," says Dan Chenok, chairman of the Federal Information Security and Privacy Advisory Board and senior vice president at IT services provider Pragmatics.
-- With Linda McGlasson, managing editor of BankInfoSecurity.com