The state of the country’s cybersecurity is in peril. The very thought of the extent of the latest reports in this “Cyber Rat” case should make us all cringe. It just screams pathetic. Gone are the days of fun and Lulz. The tsk tsk of Sony’s problems executing even the most basic of security. While those things were distracting the public, calls to attention were left unheeded for quite some time now from throughout the community.
Since early in the year, I have been standing on my soap box and writing about the importance of security, and cases like the Lush credit hack, the forecast of the looming security crisis, and the CSIS CyberSecurity report were all examples of harbingers of the increased security situations just in this very year. As the season of insecurity dawned upon us earlier this year, it became clear that these days were upon us. In the wake of Stuxnet, Sony, Citibank, and other security stories of the recent past, it is absolutely deplorable that our nation’s infrastructure remains in this state of crisis.
A Reuters story on the “Cyber Rat” attack echoed the sentiments in the CSIS security readiness both two and a half years ago and then again six months ago and further the lack of any substantive actions in light of the current climate.
The federal contractor hacks that started to be reported in late spring were certainly serious and disconcerting in that they clearly indicated a pattern of sophisticated, coordinated attacks that started with the RSA hack, which later led to a recall.
Back to Cyber Rat, it is reported that these attacks were discovered by McAfee, not the feds themselves – adding further insult to the injuries. And they went on for years. It seems as though there is at minimum, disarray amongst the entities placed in charge of protecting the national security infrastructure. The U.S. Computer Emergency Readiness Team, also known as US-CERT saw its director Randy Vickers, quit two short weeks ago, adding to the departure of Rod Beckstrom back in 2009, and adding to the list of significant resignations from throughout various agencies such as Department of Homeland Security (DHS) , and White House positions in the security space within the last two years. It has been surmised that this attack may be the work of China.
“McAfee said it believed there was one “state actor” behind the attacks but declined to name it, though one security expert who has been briefed on the hacking said the evidence points to China. There was no comment from China on the report.”
Well, duh. We got hacked, let’s ask China if it was them! Brilliant..
There are also elements in the reports that suggest the series of attacks appear to have launched by the vector of “spear-phishing”. Phishing attacks were also the reported vector in the initial RSA compromise earlier this year. Ah the human element. Back to a theme visited in report after report that despite whatever technical means in place, people are the biggest weakness in the security chain. Constant education on security, practices, and technology behavior should be required and practiced in every organization, especially in the government.
Now the NCCIC (National Cybersecurity and Communications Integration Center) is warning that LulzSec and Anonymous could “up their game” in light of arrests and further investigations. Sounding awfully familiar to analysis posted here last week, it seems like maybe they are starting to get the message. Maybe the latest on Cyber Rat means that it all ends here. Maybe.
Stepping down from my soap box, for a moment, let me say at least we have a chance to fix this now. Technology has the ability to deliver a number of leading solutions that lead to a more whole security posture. With technologies like Intrusion Detection Systems (IDS), PKI, Encryption, multi-factor authentication, SIEM, amongst many, many others, an organization can build the toolset required to build a better infrastructure. With the right policies and procedures in place, an organization has the capacity, practice, and verification that the technology and security procedures are valid and extended to their full effect. Services and operations like regular penetration testing, baseline assessments, and auditing also serve as tools serving towards useful constructs such as gap identification and validation. With the right training, communications, and strategies the weakness of human failings can be minimized. These are parts of the secret formula to a better security posture for an organization, regardless of the size.