by Geoff Webb, director of Product Marketing at Credant Technologies
Hacktivism is hardly a novel concept but there continues to be a vocal debate over what hackers are after and why they pursue specific targets. Should organizations worry in an enterprise-wide holistic sense about how to counter hacktivism or instead focus on a single set of threats to keep their IT systems and information safe?
The first question you have to know the answer too is what fuels the motivations of the hactivist community and has them stealing data in the first place? How you answer this question is vital if you want to protect your company from becoming a headline.
I saw this recent interview with security pundit Ira Winkler, which raises some interesting points with respect to whether organizations should be concerned with hacktivism and take steps to reduce the risk of being a target. I don’t necessarily agree with Mr. Winkler’s assertion that the majority of what we think of as hacktivism is simply vandalism with a new flag.
I suspect that there is a somewhat more complex dynamic at play here. He certainly makes a good point that the folks who perpetrate such attacks would probably be out hacking anyway. That’s reasonable, but I also think that the target of these attacks, and the level of effort they put in to those attacks is directed by the same sort of activist impulse that makes people stand outside in the rain with signs or throw eggs.
On the other hand, he’s completely correct that organizations shouldn’t be worrying specifically about how to counter hacktivism per se because focusing on a single set of threats is entirely the wrong approach to keeping your systems and information safe.
If you think about the reasons hackers are likely to attack your organization, they really aren’t terribly complex. They are either there because they want to steal from you, they want to damage your operations, or they want to embarrass you in some way. Of course, studies show that a good proportion of attacks are in some way opportunistic. In other words, you may be under attack simply because the hacker stumbled on to your site and found a vulnerability that they could exploit. Indeed, unless you are a government agency with classified data being targeted by a foreign country, chances are that’s exactly why you’re being attacked.
For example, a hacker might look for a Web-facing application built on tools he knows have a vulnerability that is often left unpatched. The hacker keeps probing organization after organization until he finds one that has this app and is open to attack. It's then he -- or she -- begins to worm his way in.
They may not, at the time, know what data you have worth stealing, nor where it is. Rather, the attacker could simply be cruising your network looking for anything from CAD files (often the source of saleable IP) to credit card numbers to customer records. Anything, in fact, that could be sold to a third party.
And here’s the point: Although the attacker may not know what you have worth stealing -- you do. You probably already know what information is valuable, what information is potentially caustic and could be damaging if breached. You probably know where it is (in bulk at least), how to get access to it, who has access, and what measures are in place to control access to it. In fact, at a minimum you should already:
1. Understand where you hold and process sensitive information;
2. Ensure that security best practices are applied to those processes;
3. Train employees to handle sensitive information correctly, and to understand the value of the information they are dealing with;
4. Audit the processes and controls to make sure they stay operationally secure; and
5. Update the above as business processes change.
If, in fact, you don’t know all the above, then at least take solace in this thought: If the headlines are anything to go by, you are certainly not alone. And, second, maybe there’s still time to close the window of risk before an attacker comes calling. But, like everything else on your high-priority To Do, list yesterday was the day to start looking because tomorrow may be too late.
Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.