At the beginning of the month, the New York Times revealed that it had been under a systematic and sophisticated attack by hackers for the past four months, and that they believed it was coming from China. Then, just a day later, the Wall Street Journal came out saying that they, too, were under constant attack by very similar hackers, again coming from China. Of course the Chinese government denied the allegations, but this is hardly the first time that U.S. corporations have suspected Chinese hackers from breaching in their systems. In 2010 Google had the first high profile attack, and more companies came out in the following years also claiming having been attacked or breached.
In this case the attack was fairly typical. After finding a hole in one of the NYT’s edge servers in mid-September, they went in and snooped around until the hackers found a domain controller. From there, they could gain access to the usernames and passwords of every employee, and they then proceeded to infiltrate the personal computers of over 50 different employees. According to their investigation, the security experts realized that the hackers were after very specific information, namely the sources used in the investigation that the Times did of Wen Jiabao, China’s prime minister, and how he managed to accumulate a large amount of money. It seems likely that the hackers were motivated by this story and wanted to get back at the Times.
Presidential executive order
This report obviously made the news worldwide, and even President Obama spoke last week of the increasing need for cybersecurity protection. In his State of the Union address, he told Congress that the time had come to pass legislation giving the government a greater capacity to secure networks and deter attacks. This is not just a symbolic statement; he was actually referring to a project that has been progressing for several months now. This new Executive Order issues a mandate to the National Institute of Standards and Technology (NIST) to create a set of standards that would guide organizations considered to be part of the country’s “critical infrastructure” to secure their networks, along with incentives for them to meet these standards.
What does this mean for you?
These voluntary standards and best practices might mean that, if a company does not meet these standards, they may find themselves barred from getting government contracts, for example. The targeted organizations include public utilities and companies in the financial and defense sectors. So what does this mean for businesses, or even for IT pros who may be looking at this? Well in the immediate future, not much. Like any legislation, this will not happen overnight. It will take months, if not years, before this new set of standards is drafted. However, once the process starts, it will likely be in your interest to keep a close eye on what gets included.
Just like standards created by the W3C for web developers, or IANA for network engineers, security professionals will likely have to start working with these upcoming NIST standards soon enough, and you can thank China for it. But with that said, security should not be something that is forced upon you. Any network that lacks basic security measures is a potential target, and these attacks prove that the risks are too high to be ignored. There are many standard practices everyone should take without having to wait on government standards.
Phishing emails remain one of the most popular way for hackers to start targeted attacks. While basic malware will look at known vulnerabilities in an unsophisticated way, someone who wants to get into your organization can go to great lengths to do it. There are countless examples of a secretary receiving a payroll document that seems to be coming from a colleague, but instead contains a specially crafted document with malware in it. Or a phone call sent to an employee claiming to be from the helpdesk and requesting the user’s password. Or simply a server getting scanned repeatedly until a hole can be found, even if you were late by just a day in applying a critical patch.
The point is that targeted attacks are very effective, and standards are not going to change that. Vigilance is needed, along with several layers of protection. This includes things like whitelisting, sandboxing, and good policies and training for your employees. These are all measures that can be employed right now without waiting for Congress, and only a lack of care or the thought that saving money now by skimping on security will somehow be more beneficial than what the cost could be in the long run when you get hacked.
Despite all the standards and security measures in the world, networks will still get hacked, so it’s important to have a good policy of what to do when this happens. In the case of the NYT, they took the necessary time and effort to find out exactly what they were dealing with. While the attacks came from US universities, by doing proper forensics they noticed patterns that were similar to previously seen attacks, with the Chinese hackers likely using the same compromised servers to launch their attacks. Shutting down your attackers too quickly could make you miss a backdoor or another entry that they have set up. And just like the NYT did, revealing that you were compromised may help raise awareness of the situation, and help others realize how large the threat is.