It’s every chief technology officer’s worst nightmare. When Bruce Tonkin, CTO of the world’s sixth largest domain registrar, Melbourne IT, woke in Melbourne on Wednesday, August 28, to learn that some of his biggest clients, including the New York Times and Twitter, had been hacked, it was not a good start to the day. And a US-based reseller was responsible.
Staff of the unnamed reseller “unwittingly” responded to a spear phishing email, handing the attackers sensitive information, including usernames and passwords. Those credentials were then used to log in to the reseller’s account on Melbourne IT’s systems.
As a result, the global media were banging down Melbourne IT's door. “It’s the worst nightmare when I hear that there has been a security breach, but it’s an even bigger nightmare for the CIO of the company that has been breached,” Tonkin said. “I feel for the customers more than anything else. The CIO would have been frantic. They were probably looking for someone who had accessed their website.”
The New York Times and Twitter were the ultimate victims of an elaborate spear phishing attack by pro-Assad “hacktivists”, the Syrian Electronic Army.
Spear phishing is a targeted form of phishing in which the attackers zero in on individuals they have identified as having access to the systems they want to infiltrate.
In this case, they spoofed the email address of somebody familiar to the reseller’s staff and sent an email containing a link to what looked like a news story.
Staff who followed the link then “unwittingly” entered their login details.
Tonkin said he was made aware of the breach through a US reseller partner. “The reseller said a change had been made to the DNS record and that they were having trouble changing it back,” Tonkin said. “It was flip-flopping. We saw it was modified and moved it into a registry lock. It took an hour or two to analyse what was happening and we identified a spear phishing email.
“We are now going to make a couple of changes on the security side, but the big thing is educating our staff to be very aware of spear phishing types of emails.”
Tonkin said commonly targeted websites, such as those of big IT companies, banks and governments, were already on permanent registry lock. This effectively puts the domain in manual mode: automated changes submitted through the registrar are refused at the registry, and staff must verify and apply any change by hand. It also costs more.
“The issue is if names were on registry lock the changes would not have been made,” he said. “Unfortunately, it’s often when people are attacked that they take up higher security.”
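The registry lock Tonkin describes is a registry-level state, visible in a domain’s RDAP or whois status as the EPP codes serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited, as distinct from the registrar-level client*Prohibited flags that a compromised registrar or reseller account can clear by itself. The following is an added example, not code from the article or from Melbourne IT, that reads an RDAP document, reports whether the registry-level lock is in place, and flags delegation drift against a nameserver baseline the operator maintains. The RDAP documents, domain names and baseline in it are constructed sample data, and the rdap.org redirector URL in the fetch helper is an assumption for live use.

```python
"""Check a domain's lock level and nameserver delegation from an RDAP document.

Added example, not from the article. RDAP "status" values are the RFC 8056
spellings of EPP status codes (EPP serverUpdateProhibited -> "server update
prohibited"). Sample documents below are constructed, not real registry data.
"""
import json
import urllib.request

# A registry lock shows up as all three server-side prohibitions. The client-
# side flags are set and cleared by the registrar, so a stolen registrar or
# reseller credential is enough to remove them before changing the domain.
REGISTRY_LOCK = {
    "server update prohibited",
    "server delete prohibited",
    "server transfer prohibited",
}
REGISTRAR_FLAGS = {
    "client update prohibited",
    "client delete prohibited",
    "client transfer prohibited",
}


def lock_level(status_values):
    """Return 'registry', 'registrar' (any client flag) or 'none'."""
    present = {s.strip().lower() for s in status_values}
    if REGISTRY_LOCK <= present:
        return "registry"
    if REGISTRAR_FLAGS & present:
        return "registrar"
    return "none"


def normalise(name):
    """Lower-case a hostname and strip the trailing dot for comparison."""
    return name.strip().lower().rstrip(".")


def nameserver_drift(rdap_doc, expected_ns):
    """Return (unexpected, missing) nameservers relative to the baseline."""
    observed = {normalise(ns["ldhName"]) for ns in rdap_doc.get("nameservers", [])}
    expected = {normalise(n) for n in expected_ns}
    return sorted(observed - expected), sorted(expected - observed)


def assess(rdap_doc, expected_ns):
    """Combine the lock check and the delegation check into one report."""
    level = lock_level(rdap_doc.get("status", []))
    unexpected, missing = nameserver_drift(rdap_doc, expected_ns)
    findings = []
    if level != "registry":
        findings.append(
            f"no registry lock (lock level: {level}); a compromised "
            "registrar or reseller account can change the delegation"
        )
    if unexpected or missing:
        findings.append(f"delegation drift: unexpected={unexpected} missing={missing}")
    return {
        "domain": normalise(rdap_doc.get("ldhName", "?")),
        "lock": level,
        "unexpected_ns": unexpected,
        "missing_ns": missing,
        "findings": findings,
    }


def fetch_rdap(domain, timeout=10):
    """Fetch a live RDAP document (network); assumes the rdap.org redirector."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: fully locked domain whose delegation matches the baseline.
LOCKED_DOC = json.loads("""{
 "ldhName": "example.com",
 "status": ["client transfer prohibited", "server delete prohibited",
            "server transfer prohibited", "server update prohibited"],
 "nameservers": [{"ldhName": "NS1.EXAMPLE.NET."}, {"ldhName": "ns2.example.net"}]
}""")

# Constructed sample: registrar-level flag only, and one nameserver redirected.
HIJACKED_DOC = json.loads("""{
 "ldhName": "example.org",
 "status": ["client transfer prohibited"],
 "nameservers": [{"ldhName": "ns1.attacker-controlled.example"},
                 {"ldhName": "ns2.example.net"}]
}""")

BASELINE = ["ns1.example.net", "ns2.example.net"]

if __name__ == "__main__":
    for doc in (LOCKED_DOC, HIJACKED_DOC):
        print(json.dumps(assess(doc, BASELINE), indent=1))
```

Run periodically against a live document from `fetch_rdap`, the second finding is the “flip-flopping” Tonkin describes, caught on the first poll after the change rather than when customers notice; the first finding is the gap he points to, a domain with no registry lock at all.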
For the Australian ICT channel the message is stark: it could happen to you, and to your customers, big or small.
The Ponemon Institute’s 2013 report showed that, on average, Australian and US companies suffered the data breaches with the greatest number of compromised records (34,249 and 28,765 records respectively).
Kiandra IT security specialist Daniel Weis said it was a “wake up” call for the industry.
“This incident has reinforced that integrators can no longer maintain the ‘It won’t happen to us, why would we be a target?’ mentality,” he said. “Every company, not just resellers, should be concerned about this. Resellers in particular have to take an extremely proactive approach, because we are a prime target.”
Threat on the rise
Weis said the threat was “definitely” on the rise. But despite that, most organisations have a major lack of awareness training, monitoring and protection mechanisms, he said.
“No one wants to do business with a company that has been hacked. Sometimes a breach is all it takes to completely destroy a company’s reputation.
“The scary reality is you can’t stop a hacker, but you can make it as difficult as possible for them to compromise your organisation with a multi-layered approach to mitigate security breaches, including intrusion prevention systems and security assessments in addition to the more traditional anti-malware and filtering solutions. Incident response and containment should also form a major part of IT security policies.”
IDC analyst Vern Hue said that, while there was bound to be “finger-pointing”, now was the time for the industry to examine its security posture and make sure the relationship between vendors and resellers remained stable and co-operative.
“Needless to say, Melbourne IT has a lot to answer for and it will need to re-examine a lot of its policies,” he said. “However, there is a lot of reputation at stake here and attacks like these are not unique to Melbourne IT and it won't be long before there is a similar case so we really need to be vigilant here. Remember, your IT security is as strong as your weakest link.”
In the information security domain, vendor and partner security has always been a weak point in overall security, according to Southern Cross Computer Systems consulting services general manager Ashutosh Kapse.
“The partner is a ‘trusted’ entity by the target organisation and sometimes can work as an 'easy' point of entry,” he said. “This incident has resulted in highlighting the issue and giving it prominence. Resellers generally hold at least some critical customer data on their networks – this could range from customer network details, IP addresses, configuration details, architectural diagrams and so on. All of these could be used by hackers to perpetrate further attacks.
“The solution providers should also welcome independent audits of their security by the client.”
Whitegold managing director Dominic Whitehand said the most prevalent threat was spear phishing, but that the most feared was the advanced persistent threat (APT). He also likened hackers to drug cheats, alluding to the premise that they would always be one step ahead.
“Organisations are facing APTs, which are a whole new level of attack,” he said.
“With APTs, the hackers are usually large, organised groups that have the wherewithal to use a wide variety of intelligence-gathering techniques to access sensitive information. The use of APTs is often referred to as ‘hacktivism’.”
He said APTs were a “massive, growing problem” and that recent cases had involved small businesses, including dentists and legal practices, being held to ransom with stolen patient or client information.
Websense managing director A/NZ, Gerry Tucker, said many companies had previously looked at security as just another compliance measure to tick off at minimum cost.
“We are now seeing organisations looking at security in a very different way,” he said. “Modern companies today are those that are saying security is driving a competitive advantage.”
Top 5 security practices
1. Awareness training is key. Ensuring that your staff have the right knowledge to protect themselves both at work and at home goes a long way to mitigating these attacks. - Kiandra IT’s Daniel Weis
2. Speak to distributors who are knowledgeable in IT security issues and who hold a good range of security technologies. Companies should also consider having some of their IT engineers/consultants (if they have any) trained to industry standards such as Certified Information Systems Security Professional (CISSP) and others. - Whitegold’s Dominic Whitehand
3. Have a holistic approach to information security which includes the three dimensions: people, process and technology. A solutions provider could best achieve this by complying with a standard such as ISO 27001. - Southern Cross Computer Systems’ Ashutosh Kapse
4. The key is to ensure that a breach in one system will not be able to bring an organisation down on its knees as there will be other layers of protection. - IDC’s Vern Hue
5. One of the major hurdles to IT security has always been funding. If companies start to plan and allocate budget for testing, and combine this with consistent review and improvements on the IT security side of the network, it will reduce risk and greatly improve their security stance. - Kiandra IT’s Daniel Weis