Steven J. Ross, CISA, CISSP, MBCP
In my last article in this space (“The Train of Danger,” volume 5, 2011), I wrote, “Perhaps it would be more accurate to say that, as of now, only governments or organizations sponsored by governments have those skills” needed to execute cyberattacks. Within days of sending in my submission, the news of the day showed that I was, ahem, not completely accurate.
In rapid order, the media announced that:
So, enterprises other than governments have the ability to do some serious damage electronically—my turn to eat crow. At the same time, this opens up a somewhat semantic, but nonetheless important, distinction among the terms “hacking,” “cyberattack,” “hacktivism” and “cyberwar” that I would like to probe a bit.
Hacking is a threat to all companies that have a presence on the Internet, which, in effect, means all companies. The list of companies whose web sites have been defaced or whose firewalls have been penetrated is too long to include here. Not to minimize the reality of such attacks, but the fact remains that they mostly fall into the category of nuisances, not existential threats to the organizations affected. I cannot recall a news story on the order of “Company X Hacked, Goes Broke.”
Moreover, the safeguards to protect against straightforward hacking are well known. Firewalls, access controls and encryption are the leading tools in security professionals’ armories. The fact that hacks succeed anyway indicates that many organizations do not take the threat seriously enough to implement the countermeasures adequately, or that perhaps they are not willing to invest sufficient funds to deter what their managements consider to be nuisances, a cost of doing business. Another factor is that, in too many cases, the controls are used with enough exceptions that their utility is questionable. How many times each day can a firewall be lowered to permit certain activities before it is more of a phantom safeguard than a real one?
Of course, there are attacks on information systems that go beyond annoyances. There are companies that have suffered real economic harm and whose security, or lack thereof, has created lasting damage. Some have been victimized by thefts. For example, earlier this year, hackers penetrated Sony’s PlayStation Network and brought the network down for at least five days.[6] Worse, the hack exposed the credit card information of 77 million Sony customers.[7] Credit card information has significant value in underground markets, thereby spreading the damage widely beyond the initial target of a hack.
Clearly, external misuse of information systems is a problem that has plagued businesses and governments since the advent of the Internet, if not computers themselves, and sad to say, it is a problem that is unlikely ever to go away. What seems to have changed is the ingenuity of the hackers and the power of the tools they employ. Organizations are being attacked by criminals. Just because the criminals use computers and networks does not make them any different from racketeers who have been undermining the safety of business for as long as there has been business.
It would be unfair, in my opinion, to say that no one is safe. There is always risk; there will always be bad guys seeking to exploit the vulnerabilities of the good guys. As a society, we need to recalibrate what “usual and customary” controls should be to make the odds better for organizations and individuals.
Hacktivists are a threat of a different order. They are not attacking organizations’ systems for the “fun,” such as it is, that lies in simple vandalism, nor are they necessarily stealing for economic gain. They have a cause that they are trying to promote, and they strike out at businesses and government agencies that they feel are doing harm to society. While criminals can be deterred when enterprises make the cost of an attack too high to justify the potential gains, hacktivists are spurred on by a sense of justice denied that seemingly has no economic barriers. One commentator has defined the difference: “With the rise of hacktivism, now the people who break into you tell you they break into you.”[8]
Members of the Anonymous group portray themselves as hacktivists. If there is any good to be found in the response to their exploits, it may be the improvement in security at security-related organizations. For example, security companies such as RSA and ManTech International have been victimized and have promised to tighten their own security.[9]
“Hacktivism” is a relative term. Those who undermine the information systems of corrupt regimes are thought by many to be freedom fighters. As I said in my previous column, I question whether individuals, no matter how tech-savvy, can successfully take on the power of a government. Similarly, I now believe that only governments have the technology and funding to attack other governments, and recent history has shown that they are preparing to do so.
Very few—if any—businesses are prepared to prevent losses incurred in a war. That is why acts of war are usually excluded from insurance coverage. Governments owe it to their citizens to protect their businesses and government agencies from warfare. One can only hope that those governments that are considered democratic (or if not democratic, at least just) are doing as much to protect their own interests as they are to attack the systems of other countries.
Security needs to be attuned to the actual and potential threats to assets at risk. I propose that there are different threats posed by vandals, criminals, rebels and war-makers, and that the level and content of preparedness and response need to be adjusted accordingly. No organization can claim to be immune from all these categories of information system misuse, but the reality of the risk does differ from business to business. IT managers, including information security professionals, need to think beyond technology and consider such arcane areas as sociology, criminology and geopolitics if they want to prepare their organizations for all the threats that they face.
[1] Sengupta, Somini; “16 Arrested as FBI Hits the Hacking Group Anonymous,” The New York Times, 19 July 2011
[2] Zetter, Kim; “Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More,” Wired, 19 July 2011
[3] Bilton, Nick; “Lulz Security Says It Hacked News Corporation Sites,” The New York Times, Bits, 18 July 2011, http://bits.blogs.nytimes.com/2011/07/18/lulz-security-says-it-hacked-news-corporation-sites/?scp=3&sq=LulzSec&st=cse
[4] New York Times, “British Phone Hacking Scandal,” Topics, 6 September 2011, http://topics.nytimes.com
[5] Hosenball, Mark; “WikiLeaks Publishes Tens of Thousands More Cables,” Reuters.com, 25 August 2011, www.reuters.com/article/2011/08/26/us-wikileaks-idUSTRE77O7PZ20110826
[6] Bilton, Nick; “Sony PlayStation Network Still Down After Attack,” The New York Times, Bits, 25 April 2011, http://bits.blogs.nytimes.com/2011/04/25/sony-playstation-network-hacked. There is some indication that the attack may also have come from the Anonymous group or one of its members.
[7] Bilton, Nick; “How Credit Card Data Is Stolen and Sold,” The New York Times, Bits, 3 May 2011, http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold
[8] Sengupta, Somini; “Guardians of Internet Security Are Targets,” The New York Times, 4 August 2011
[9] Ibid.
Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.