SBA

Cyber Security Begins In The Boardroom

The festive season is behind us, and many network security professionals will be breathing a sigh of relief. The reality is that the major holidays, particularly Christmas and Easter, are prime time for hacking - who can guess whether this is because the script kiddies are out of school and have more time, or because professional hackers know that corporate IT teams will be undermanned and more relaxed, it is nevertheless a known phenomenon. As a CIO I have witnessed it myself, big serious network hacking attempts are more common at the weekend and most especially the holidays when system administrators are less likely to be working and spot unusual behaviour.

This wasn’t however the case at Sony. The massive hack which featured extensively in the news over Christmas took place well before then, seemingly in November, maybe also October, and contrary to the claims of the Sony CEO, who claimed “Nobody could have withstood a hack of this nature”, was clearly a case of the network security people having let down their guard - as is the case with most successful hacks.

How can I claim that? Simple arithmetic. Over 100 terabytes of data was stolen. If the Sony network was connected to the Internet via a one gigabit connection, and the hackers were similarly connected and had a gigabit of throughput all the way from their computers to Sony’s the minimum possible time to execute the theft would be 800,000 seconds - over 9 days if the hack was perfectly executed with no time wasted, during which Sony’s internet connections would have been pretty unusable. A gigabit connection to the Internet is rather fast, Manx Telecom will soon be launching their fastest ever broadband at less than a tenth of this speed. The probability is that the Sony hackers, calling themselves the “Guardians of Peace”, were inside the Sony network for several months surreptitiously extracting the corporation’s data. It was only at the end of the process that they revealed themselves by deleting the contents of Sony’s servers.

That’s not just my opinion, former hacker Hector Monsegur spoke with CBS News on the origins of the Sony hack, and told them:

“For something like this to happen, it had to happen over a long period of time. You cannot just exfiltrate one terabyte or 100 terabytes of data in a matter of weeks,” Monsegur said. “It’s not possible. It would have taken months, maybe even years, to exfiltrate something like 100 terabytes of data without anyone noticing.”

Sony’s hackers succeeded by being undiscovered for a prolonged period. Nobody noticed that Sony’s network was being used to export the equivalent of ten times the printed information stored in the USA’s Library of Congress - because they weren’t watching properly. If they had been watching, if they had asked themselves “why is so much data leaving our network?”, the network security administrators could have stopped this hack in the first 5 - 10 minutes.

The Sony hack reveals two of the most common flaws in network security; firstly that large amounts of data could leave the network, and secondly that nobody was looking hard enough to notice. These same flaws are repeated millions of times over in company networks all across the world, including the huge majority of company networks here in the Isle of Man.

I’m not about to give away any big trade secrets, I keep those for my paying customers, but to state the obvious most network security is designed to stop hackers and malware getting in, not to stop them getting out. It is a major flaw in the way that most IT people design network security systems and it is not difficult to overcome. Similarly most network security alert systems are called “Intrusion Detection Systems” for good reason - they detect intrusion not exfiltration. This is all a bit cart before horse, for most commercial hackers stealing information there is no point in breaking in unless you can get out with your ill-gotten gains, and if the network is set up properly it is much harder to get out than to get in. The hacker can infiltrate using many methods including social engineering, tampered devices such as USB sticks, trojan emails etc., but without an accomplice on the inside getting information out means using the network. The old-fashioned attitude that leads IT people to focus on preventing intrusion goes back 30 years to when the bigger threat was data corruption and damage to systems by viruses instead of information theft.

Recent surveys have demonstrated that the value of the information held on computers in a company is typically around half the value of the company, obviously in companies whose stock in trade is information, such as those in finance, publishing, the sciences, CSPs etc., the proportion is generally higher. The exfiltration of information from these companies can be massively damaging, so it makes sense to prevent it.

The Isle of Man, in common with other so-called tax havens, is a prime target for professional information theft. Switzerland, Jersey, Luxembourg and the BVIs are amongst those recently targeted for the theft of customer data from banks and CSPs, so imagining that it probably won’t happen here is delusional - it already has. One well known local case is that of Paddy Power whose servers in the Isle of Man were raided by hackers in 2010, but the probability is that there are other island companies who have been victims of cyber-theft, and some of them won’t know about it until the stolen data comes to light.

Like the Sony hack, most information thefts can be prevented relatively simply. Company boards need to ask three questions of themselves and their IT professionals:

• Have we done all that can reasonably be done to prevent unauthorised access to our systems?

• Have we done all that we reasonably can to prevent data being taken out of our systems?

• Are we watching all the time to see if anyone is trying to steal data from us?

If the company can answer Yes to each of these then the probability of being a victim of cyber-theft, whether by hackers or malevolent employees, is massively reduced. The reality is that most can’t, the simple burdens of day to day business as usual preclude the consideration and effort necessary to keep the cybersecurity problem under constant review. There are more sophisticated and detailed checklists, for example those proposed by the UK Cabinet Office and GCHQ, but any company board that can honestly answer yes to these three questions each quarterly board meeting will have gone a long way to ensuring that they are not the next victim.