All of the news on SC at the moment seems to revolve around the Google cyber attack last week.
Although that is what it is being called, it is not really justified to label it as just an attack on Google as it has now been revealed that Juniper was also affected. So while we seek out a general term (McAfee has labelled it Operation Aurora), I caught up with senior vice president of marketing at ArcSight, Reed Henry.
I asked him what was being targeted in this instance. Henry said that in China there are at least 250 known hacking groups, according to a US Congressional Report, and these groups go for valuable assets.
Henry said: “In the case of this cyber attack, they also had a political purpose in gaining access to the Gmail accounts of Chinese dissidents. The same skills and technologies are deployed by cyber criminals to perpetrate all these crimes, which in turn make these groups valuable weapons to be harnessed by nation-states.
“The cyber criminals have evolved their skills and sophistication to such an extent that they can breach the four walls of any company they target. So rather than just focus on keeping them out with defences they will breach, the focus needs to be on detecting and responding to an attack quickly before damage is done.”
As we have found with Juniper, and I am sure we will see with other companies who will reveal in time that they have been hit, this is more than problematic. I asked Reed, could this affect second and third level partners?
He said: “If this is truly a case of intellectual property theft, then all partners party to a portion of that intellectual property could be targeted as well via the same phishing technique or another tailored exploit, assuming the attackers knew who the third parties are.
“These targets would include both outsourced and collaboration partners who design, build, and manufacture portions of the products involved. It is also feasible that once malware gets inside a business, it propagates across the internal network and reaches a partner network and systems via a VPN or shared IT infrastructure.”
Further, could this lead to more hacking attempts? He said: “This attack is not unusual and similar attacks happen every day against a targeted company. This attack showed off the sophistication of the attacker as a zero-day exploit was built against an undisclosed vulnerability. With cyber attacks it is just a matter of time before a company is attacked and breached, so what is important is that the breach is detected early and responded to rapidly.”
Should companies be prepared to secure themselves against vulnerabilities, both known and unknown?
“Businesses are in a precariously risky situation these days. Cyber criminals have evolved their skills and techniques to such an extent that they can breach the four walls of any company at will. Today's cyber attacks are well organised, sophisticated, and targeted, not random, aimed at specific businesses or organisations seeking to steal valuable information for resale or fraudulent use,” said Henry.
This story has now been around for almost a week, and it shows little sign of going away. I asked Reed how long he feels this will go on for. He said: “Companies will be vulnerable to this particular exploit until they patch their systems with the fix, when it is available. So expect it to carry on for months and months. There will be many more types of these attacks on the heels of this one. If cyber criminals want to breach a particular company, they simply can if they persist.”
Reed further claimed that there was nothing special about this breach, as these types of breaches happen more and more often and are not unusual or unexpected. As this was a zero-day attack against an unknown vulnerability in a ubiquitous software suite that was distributed to target companies via phishing emails with malicious file attachments, it is a complicated yet commonplace occurrence with cyber criminals today.
He said: “The bottom line is companies are flying blind and unaware of what is happening in their networks, so certainly expect a lot more damage to occur without companies knowing about it. If the attack focus is intellectual property don't expect to hear about it in the news. There are no breach notification laws for IP theft. If personal data is stolen we might hear about it if the target company's home country has breach notification laws.”