Bob Eisenhardt sees the GoDaddy outage as the tip of iceberg for vulnerable networks from banks to infrastructure. His take is pessimistic. Do you disagree?
It was hard to imagine — the total collapse of the GoDaddy service for six hours on September 12, 2012 by an outside attacker (perhaps) — a single hacker associated, (perhaps) with Anonymous. The CEO of GoDaddy promptly indicated it was caused, rather, by a "series of internal network events that corrupted router data tables." The stories are bad no matter which version you pick. Accompanying this failure was the thousands of small business websites that produce genuine commerce also collapsed. (One customer was out $50,000). With those failures, an untold amount of raw data also was put, potentially, at severe risk of security theft. With theft can easily follow lawsuits and lawyers get rich.
The GoDaddy incident could be viewed as a staggering breach of web-based commerce, and Steve Wozniak has it precisely correct when the guru-savant of Apple predicted the security risks of storing data "in" the cloud. A partner of mine (a certified BCP/DR planner) feels precisely the same way about the inherent dangers of cloud-based storage. The list of consequences is actually endless if you ponder the imponderables of it all.
The precise cause of the GoDaddy attack remains vague for, obviously, the hacker (or as Cliff Stoll might say, a piece of human slime) is not going to reveal his methods or, worse, location, though doubtless the IP security trace is after his data packets. Anonymous rarely takes credit for attacks it does not commit but the stories on the GoDaddy account do not add up under verification. Thus the internal network story gains credibility or at least makes for better PR. It is far better to admit it's an internal error than an external invasion which frightens everybody away.
Big Data reports that "web-facing databases have a huge target on their backs. The easy way to secure these databases would be to take them off the web." Easy concept, but nobody buys it, at least those infused with the Religion of the Cloud. On a smaller scale, a medical office I support uses a web-based product for patient management. If the Internet goes down (something that we all know never ever happens), their business does not exist, patients do not exist, and if a medical emergency should enter the office in a rush, a potentially life-threatening situation can develop. Worst case scenario would be a lawsuit and, again, rich lawyers.
On September 18, 2012 the Bank of America website encountered periodic outages by cyber attacks launched to protest the Islamic issues boiling over in the Middle East. A message posted to Pastebin.com from "Cyber fighters of Izz ad-din Al qassam" (referencing the military wing of Hamas) said that the New York Stock exchange would suffer a similar assault. The consequences of THAT scale attack are truly frightening and it has already happened overseas.
Inside Saudi Arabia's largest oil company, over 30,000 computers were wiped clean by an Al-Qaeda attack reported as an inside job. Last month the Shamoon virus spread throughout their network, the largest corporate attack in history! Shamoon was not a high level monster, just aimed at normal business computers, and once inside, attempts to infect everything it can find, steals whatever data it can touch, and then simply wipes hard drives clean. Liam O. Murchu of Symantec said that it has been "10 years since we saw something so destructive."
In response to Shamoon, the Department of Homeland Security reported that our domestic systems have no cause for concern. We must remember that In February of 2012, their domestic website was hacked by Anonymous.
Bill Pennington, chief strategy officer at White Hat security, said that companies "have to be aware that cyber attacks are part of the landscape we live in today." I have to wonder if this is NEWS to anyone who has not lived on the Internet for any length of time? Only the perpetrators and the victims will fully comprehend what happened at Bank of America. Pennington added that businesses should expect more attacks.
Like a waterfall, the news continues to run fast and cold. Recently, computers manufactured in China shipped with malware pre-installed in an infected version of Windows. A few years ago, laptop computers that came back from China during the Olympics carried malware. A few years ago my small server was being FTP password blasted from an employee with the Beijing Railroad.
We must be blind to the obvious. The above examples, far from technical in nature, showcase SECURITY IGNORANCE 101. Forget searching for the IP addresses of Officejet printers, we are missing so many basics in security protocols, I am surprised our infrastructure is not wrecked already. Or perhaps it already is shattered only we have not discovered it yet.
In my view, rethinking our dependence on cloud storage, web based backup, and disaster recovery is essential. Only under certain limited conditions do I even consider cloud storage a viable option. For any secure data, I firmly believe that companies investing in the secure cloud environment are, in fact, buying pallet loads of snake oil from Professor Eustace McGargle (an early role of W.C. Fields). The outside world is coming in and all I read in the above tales is general astonishment mixed with the age old line, "It can't happen here." Truth be told, it already has.
Our network infrastructure is enormously vulnerable because we believe our security protocols to be satisfactory. History proves us as Americans to be enormously naïve. In December of 1941 the secure waters around Ford Island became stained with blood and oil. The title of Gordon Prange's book At Dawn We Slept is a perfectly apt title that carries into the future. I remember having that feeling of security when I was on the 101st floor of the South tower about eleven Septembers ago. At 8:46 a.m. my ignorance came to a shattering end.
Whether a physical attack or a network penetration from within or without, I feel that the future bodes ill for our secure networks.
Are you more optimistic about the security of big networks? If so, share your thoughts in the discussion.