
Friday, January 15, 2010

2010 - The coming out of defense in depth

Hi all,

Now this is BIG news, but it has had very little coverage in the mainstream media. Google disclosed this past week that it had been successfully attacked. McAfee calls the attack "Operation Aurora" and describes it as "highly sophisticated", adding "We haven't seen encryption at this level."

So, what does this mean for enterprises without a solid defense-in-depth approach? Simply put, it means Big Trouble.

When Google AND Adobe publicly announce in the same week that they were hacked, I can only wonder how many other big multinationals were also successfully hacked. If these two high-tech companies, with highly sensitive intellectual property, can be successfully hacked, what is the average law firm to do?

The answer is : Defense-in-Depth.

Let me give you an example of the need for a solid defense-in-depth approach to today's security challenges.

A company has a website that accesses data stored on a remote SQL server. Standard stuff, right? Now suppose I told you that, from that web server, I can attack your SQL server. Once the SQL server is hacked, I can get into your domain controller. Once in your domain controller, I have everyone's account names and password hashes, which is enough to get into any server in your enterprise. Oh, and the best part is that I'm sending everything out over an encrypted channel that passes right through your firewall, because the firewall only sees permitted outbound traffic that it cannot read.

Really, executives have way too much faith in their perimeter systems, and I say "Operation Aurora" will change a lot of opinions about where security investments should be made in 2010. Obviously Google had a firewall, antivirus, IPS, SIEM, syslog, etc. So, with this in mind, did Google management put too much faith in their network defenses and pay only lip service (i.e., just install patches) to the servers and workstations within their network?

It wouldn't surprise me at all if Google I.S. staff detected the breach within minutes. But detection is only one third of the game; there is also prevention and response. Since these attacks were carried out during the Christmas and New Year's vacation period, I can only assume response times were slower than desired. As for prevention: in many cases, internal defenses such as network zoning, system accounts and internal security assessments are just not given the attention they deserve.
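The attack chain in the example above (web server to SQL server to domain controller, then out through the firewall) and the network zoning this paragraph calls for can both be made concrete with a small policy check. The Python script below is an added example written for this page; it is not code from the original post or from Google, McAfee or MIW. The tier subnets, the permitted port matrix and the flow-log records are all constructed assumptions chosen for illustration. It encodes a default-deny zoning policy and flags every connection in a sample flow log that the policy would not allow, which is exactly the set of hops the chain above depends on.

```python
"""
Added example: a default-deny network zoning policy applied to flow logs.

Every value here (subnets, ports, log records) is an assumption made for
the example, not something taken from the post or from any real network.
"""
import ipaddress

# Assumed corporate address space; anything outside it is "internet".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Assumed tier subnets, one per zone.
ZONES = {
    "dmz_web": ipaddress.ip_network("10.1.0.0/24"),
    "db": ipaddress.ip_network("10.2.0.0/24"),
    "ad": ipaddress.ip_network("10.3.0.0/24"),
    "clients": ipaddress.ip_network("10.10.0.0/16"),
}

# Default-deny policy: (source zone, destination zone) -> permitted TCP ports.
# Note what is deliberately absent: dmz_web -> ad, db -> dmz_web, and any
# server zone -> internet. Those missing entries are what break the chain
# described in the post.
POLICY = {
    ("internet", "dmz_web"): {80, 443},
    ("dmz_web", "db"): {1433},               # the web app's only business with SQL
    ("db", "ad"): {88, 389},                 # Kerberos/LDAP for the SQL service account
    ("clients", "dmz_web"): {443},
    ("clients", "ad"): {88, 389, 445, 636},
    ("clients", "internet"): {80, 443},      # normally via a proxy
}


def zone_of(addr):
    """Map an IP address to its zone name; 'unknown' for unzoned internal space."""
    ip = ipaddress.ip_address(addr)
    if ip not in INTERNAL:
        return "internet"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flow(src, dst, dport):
    """Return None if the flow is permitted by POLICY, else a short reason."""
    sz, dz = zone_of(src), zone_of(dst)
    allowed = POLICY.get((sz, dz), set())
    if dport in allowed:
        return None
    if not allowed:
        return f"no path {sz} -> {dz}"
    return f"port {dport} not permitted {sz} -> {dz} (allowed {sorted(allowed)})"


# Constructed flow-log records, "src dst dport" one per line. The order follows
# the chain in the post: an inbound web hit, the legitimate web -> SQL query,
# then the hops a zoned network should never see.
SAMPLE_LOG = """\
203.0.113.5 10.1.0.10 443
10.1.0.10 10.2.0.20 1433
10.1.0.10 10.2.0.20 3389
10.2.0.20 10.3.0.5 445
10.2.0.20 10.3.0.5 88
10.3.0.5 198.51.100.7 443
10.10.4.4 10.3.0.5 88
"""


def audit(log_text):
    """Run each record through the policy; return [(record, reason), ...] for violations."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        reason = check_flow(src, dst, int(dport))
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG):
        print(f"DENY {record}: {reason}")
```

Run as a script, it reports three denied records: the web server reaching the SQL server on RDP, the SQL server reaching the domain controller on SMB, and the domain controller opening an outbound encrypted session to the internet. The point is the shape of the POLICY table rather than the specific numbers: the hops the chain relies on are simply absent from it, so a zoned network rejects them at the internal boundary, and a SIEM fed the same flow records can alert on every one of them instead of waiting for the perimeter to notice.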

So how can a company increase its defenses against this type of attack? That is the purpose of this blog. In future Knowledge Transfer Notes, we will discuss the need for network zoning and for securing system services.

Thanks for Reading!

Graham Thompson, CISSP
http://www.miw.ca/
