Protect Your Organization:
Lessons Learned From Operation Aurora
In one of the largest coordinated attacks in recent history, several large companies, including Google, Adobe Systems, and Juniper Networks, were hacked recently, placing their networks and their data at risk. The hackers exploited a vulnerability in Microsoft® Internet Explorer® known as a zero-day vulnerability. Since the vulnerability was unknown to the security community at large before the attack, system patching could not prevent the hack, and the intrusion-detection systems that rely solely on matching a predetermined attack pattern (called a signature) were also largely ineffective. The attack, labeled "Operation Aurora" and believed to have originated in China, actually consisted of multiple attacks that began in December 2009 and continued into February 2010. It is believed that the main target was intellectual property, specifically companies' systems that house application code.
The Attack
Here is a summary of how the attack was conducted:
* Social engineering.
Employees of the attacked companies were manipulated through social engineering by the hackers, who, via an e-mail, directed recipients to a malicious Web site. Access was gained to the employees' computers when they visited the Web site, which contained malicious code.
* Remote connection and internal network access.
Once a user accessed the site, a remote encrypted connection was made between the employee's computer and the hackers' computers. The connection was used to download malicious software or malware onto the user's workstation. The hackers then used the compromised computer to explore the internal networks to which the computer was connected and download sensitive information, including company secrets, user names, and passwords.
* Detection and response.
Because traditional intrusion-detection systems often didn't detect the attack, many companies had to rely heavily on security logs and forensic techniques to identify systems that had been accessed during the breach. Many companies put their internal incident response processes into effect so that they could respond swiftly and effectively to the breach once it was detected.
Prevention Lessons Learned
If giant companies such as these can be broken into, can your company be at risk? All security-conscious companies should take these steps:
1. To help prevent social engineering, educate end users.
Security awareness training is the most important line of defense. In most attacks, the attacker gains initial access to the network by persuading an employee to click on a malicious link, visit a malevolent Web site, download a virus, or even insert a malicious CD that has been mailed to the employee. Training users in best security practices and common social engineering tactics can be the first step toward preventing and limiting successful attacks.
2. To prevent remote connections, put adequate outbound restrictions in place.
Proper network restrictions that prevent data transfers and remote connections to unauthorized external networks should be implemented. Often, attackers will attempt to transfer sensitive data from a company network to systems outside of the company network. Having restrictive firewall rule sets and web proxies, in addition to intrusion-detection systems, in place can identify such activity and stop it from occurring. Attackers are also becoming more sophisticated and encrypt data sent from a compromised host as secure sockets layer (SSL) network traffic. Performing SSL decryption at the perimeter of a company's network can help identify an attacker's connections as well as any sensitive information leaving the corporate network.
3. To detect attacks, configure logging and alerting appropriately.
Proper logging and real-time alerting about important events (known as security information and event management) are critical to defending a company's network. Having the ability to analyze log files can assist in determining both whether an attack is occurring and whether a breach has already occurred. Real-time alerting is also important, so that the appropriate staff learns of malicious activity as it occurs. In addition, log files can play a vital role in a data forensics review or legal action against an attacker.
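One way to put lessons 2 and 3 into practice, as an added example that is not from the article: a small Python script that applies an egress allowlist and an outbound-volume threshold to proxy log lines and raises alerts. The log lines, host names, IP address and threshold below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress log lines (not from the article):
# timestamp, source workstation, destination, port, bytes sent, bytes received.
SAMPLE_LOG = """\
2010-01-12T09:01:05 ws-1042 updates.example.com 443 1200 480000
2010-01-12T09:02:17 ws-1042 mail.example.com 443 5400 92000
2010-01-12T09:03:44 ws-1042 203.0.113.27 443 2400000 8100
2010-01-12T09:04:09 ws-1042 203.0.113.27 443 3100000 6400
2010-01-12T09:05:30 ws-2210 updates.example.com 80 900 310000
"""

# Assumed egress allowlist: destinations the proxy is permitted to reach.
ALLOWED_HOSTS = {"updates.example.com", "mail.example.com"}
# Assumed threshold of bytes sent per source/destination pair before alerting.
EXFIL_BYTES = 1_000_000

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+) (\d+)$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, out_b, in_b = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "out": int(out_b), "in": int(in_b)}


def analyze(log_text, allowed=ALLOWED_HOSTS, threshold=EXFIL_BYTES):
    """Return alerts as (kind, src, dst, detail) tuples."""
    alerts = []
    sent = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the analyzer
        if rec["dst"] not in allowed:
            # Direct-to-IP destinations are the more suspicious of the two.
            kind = "direct-to-ip" if IP_RE.match(rec["dst"]) else "unlisted-host"
            alerts.append((kind, rec["src"], rec["dst"],
                           f"port {rec['port']} at {rec['ts']}"))
        sent[(rec["src"], rec["dst"])] += rec["out"]
    # Aggregate outbound volume per pair to catch exfiltration split over sessions.
    for (src, dst), total in sent.items():
        if total >= threshold:
            alerts.append(("outbound-volume", src, dst, f"{total} bytes sent"))
    return alerts
```

The encrypted port-443 sessions from ws-1042 to the unlisted IP address are flagged twice (once per connection) and once more because their combined outbound volume exceeds the threshold.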
4. To respond swiftly and effectively, be prepared.
If a breach or other incident does occur, having a proper and practiced incident response plan (IRP), in addition to trained employees, in place can help limit the impact.
A good IRP should include:
* A procedure to triage all events to determine if they can be classified as an "incident" and to identify the severity level of the incident;
* Guidance about who should be contacted if an incident occurs (that is, who is on the incident response team);
* Investigation responsibilities and procedures, including procedures for forensics activities that preserve evidence appropriately;
* Procedures for conducting an impact analysis to determine the significance of the breach;
* Guidance for notifying the public, regulators, and public officials of a breach;
* Plans for continued monitoring to detect subsequent attacks; and
* Procedures for an incident review/debriefing and postmortem activities to correct the weaknesses that caused the breach.
As cyber attacks continue to become more sophisticated, companies can prepare for an attack by taking the actions described above. Because new vulnerabilities are discovered daily, however, security is an ongoing process. Companies should never stop either conducting security self-assessments or undergoing outsourced security assessments on a regular basis.
Contact Information
To learn more about minimizing your company's security and IT risk with effective prevention strategies, contact Raj Chaudhary or Ryan Reynolds:
* Raj Chaudhary, PE, CGEIT, 630.586.5127 or raj.chaudhary@crowehorwath.com
* Ryan Reynolds, 630.706.2059 or ryan.reynolds@crowehorwath.com