Can Companies Defend Against Targeted Attacks? (Part 1)

The story with all the interesting details about how security company HBGary was hacked earlier this month, published by Ars Technica last week, has made quite some noise with people concerned about IT security. It is a perfect – by the book – example of how to find and use weaknesses in a security system to bypass it.

In short, what happened is the following: the CEO of HBGary Federal wanted to increase publicity around his company by exposing the real identities of the leaders of a well known group of hackers called Anonymous. For this he infiltrated into their IRC chat rooms and researched profiles from social networks like Facebook, LinkedIn or Twitter. When he thought that he found what he was looking for, he started to make noise about his achievement by publishing articles on newspapers, setting meetings with FBI and revealing his true identity to the Anonymous. This made the group of hackers very angry and their response was devastating for HBGary, which had its servers broken, email messages published on the Internet and websites hacked. Additionally, the results of the research that generated all this trouble were revealed as not reliable.

The next, equally bad or even more disastrous, hit for HBGary were the details from the story presented by Ars Technica. Anonymous revealed how they managed to bypass their security. And what is shocking is how easy it seems to be to penetrate the security of the company that is, after all, an expert in security.

The story raises a lot of questions:

Why was their security so weak? Aren’t security companies supposed to know how to defend against these types of attacks?
Would have better security really saved them? Or would the attackers have adapted and used more ingenious ways to get in?
How likely is this to happen to a small or medium-sized company? While you can imagine it happening to big players like Microsoft or Google, can it happen to small companies that did not upset the “wrong guys”?
How prepared are companies for targeted attacks? How many of them would remain standing after such an assault?

An important thing to mention is that the standard suite of security software (firewall, antivirus, antispyware, anti-spam, anti-phishing, patch management, etc.) does a decent job to stop 99% of the attacks: non targeted ones – the pieces of malware that are randomly scanning the Internet for vulnerable machines and infecting them, the emails with malicious attachments or those pointing to dangerous sites, the sites that simulate well known services to trick you and get your passwords, etc. They are indispensable for targeted attacks too, but here things are much more complex and they are far from being enough.

What can be done to ensure well enough security? (Well enough is the maximum you can get, there is no such thing as a perfect security system.)

It is extremely important to keep the security system defenses aligned with the potential damages that a security breach will cause.

For a small startup that is still in its early stages with just a few computers it usually makes no sense to invest massively in security. This is not only because the costs will kill the business faster than any hacker, but also because the company simply doesn’t have enough valuable assets to make the effort worthwhile. However as the company starts to have a history, they also start to have more and more sensitive data: financial data, customers’ and partners’ data, development strategies, etc. Now it becomes more dangerous to lose data or to have confidential data stolen.

The key is to keep the balance between security enforcement and the risks that usually increase over time, and this is the point where a lot of companies fail. Some common reasons for this are:

The company is not aware of the risks simply because they don’t have the necessary expertise to evaluate them.

The risks are underestimated. In this case the security enforcement is seen as an unnecessary cost.

The company is aware of the risks and their efforts in the area give them a false sense of security, while they actually have a problem in applying policies.

Usually a security incident is what makes these companies realize where they really stand.

In the second part of this series I’ll talk about what happened to HBGary and what we should learn from it.

Chris O'Brien February 24, 2011 at 10:14 pm
I think it’s funny how it seems the safest thing to do with your documents these days is to have physical copies only of any memos or communications. At least getting at those would take a physical break-in, accidental internal leak, or a subpoena.
The efforts of HBGary and other security firms against groups like anonymous always remind me of those Spy Vs. Spy cartoons from MAD Magazine. When two groups dabbling in security and secrets butt heads, it always ends with somebody holding the bomb when it goes off.
Bruce Roberts February 25, 2011 at 9:13 pm
These guys got a real-life test of their security. You can never be sure that your network and system is hacker-proof but such attacks prove how vulnerable the system of a SECURITY company is. A targeted attack done by pros leaves a company no chance to defend itself. What the company can do is minimize the damage – that’s all!
George Wilsons February 27, 2011 at 12:38 pm
Companies should not only defend itself against external attacks. They should also protect their resources from within.
Remember when the ESPN website was hacked in 2009? The hack was not dangerous in any way. The website’s design was replaced by rainbows and a unicorn.
Most security experts and bloggers(and people from within) believed said that the hacker(s) might be an employee of ESPN. It’s an inside job.
This situation should be focused both by the HR and IT departments of any company.
1. Chevy Z. March 10, 2011 at 3:34 am
  I agree with you George.
  Internal targeted attacks toward businesses should be the main priority of companies.
  First, an inside job attack can do more damage. Information and all sorts of data can be stolen and sold to competing ventures or a third party vendor.
  Second, an internal attack could lead to industry instability. The targeted company will shut down its operations, employees will lose their jobs, people will be in great debt, and so on and so forth.

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.

Can Companies Defend Against Targeted Attacks? (Part 1)

About the Author: Cristian Florian

4 Comments

Can Companies Defend Against Targeted Attacks? (Part 1)

Get your free 30-day trial

Get your free 30-day trial

About the Author: Cristian Florian

4 Comments