Rising tide of cyberattacks threatens all boats
If we're to have any security, the user experience might have to change
- By Kevin McCaney
- Jun 10, 2011
Just by scanning recent headlines, you might come to the conclusion that the Internet has gone from risky to flat-out dangerous. And you might not be wrong.
RSA Security, one of the world’s leading security companies, got hacked in a phishing attack that netted information on its security tokens, leading to hacks of defense contractors Lockheed Martin and, apparently, LG Communications.
Oak Ridge National Laboratory, an Energy Department research site and home to one of the world’s fastest supercomputers, shut down Internet access for more than a week after a phishing attack.
A targeted attack on Google got to the Gmail accounts of hundreds of users, including those of some high-level U.S. government officials.
Entertainment giant Sony can’t stop getting hacked, suffering breaches of its PlayStation Network that exposed personal information on 100 million users, followed by successful hacks of its European network, Brazilian music website and Sony Computer Entertainment system. Sony, whose stock prices have taken a hit, says the attacks could cost $174 million this year.
The last of those hacks has been claimed by a group called Lulz Security, which also recently hit the Atlanta chapter of InfraGard, an FBI-affiliated, public/private partnership that shares information about threats to the U.S. cyber infrastructure. Lulz said it was protesting the Pentagon’s position that a cyberattack could constitute an act of war.
We could go on, but the variety and impact of those attacks illustrate the seeming ease with which attacks can get inside networks. Whether the motivation is espionage, cyber war, extortion, business disruption or old-fashioned hacker fun, the attackers certainly seem to have the upper hand.
What to do? Short of giving up and returning to the pre-Internet days, users and admins can start by making security awareness a way of life. Yes, that. The most useful advice is the most boring: patch software, monitor networks and treat links in e-mail and requests for personal information as if they came from a serpent in a tree.
A lot of these attacks are rooted in phishing e-mails, often delivered with an air of authority, telling users they need to update this or that and directing them to a place where they can give up their passwords or other information. Education on that front would help, as the Energy Department is doing with internal phishing drills designed to teach users about the types of lures phishing uses while at the same time educating admins about what types of attacks are most likely to hook someone.
Digital certificates for everyday communications might also have to become more common; any site asking for your information should first have to prove that it’s legitimate.
Raising awareness won’t be easy, especially when people are used to doing whatever they want online, oblivious to matters of security or privacy. Even elected officials with public images to protect do nutty things on a public forum like Twitter, apparently thinking no one will notice.
But considering the recent onslaught of attacks — and as bad as they are, they’re only the ones we know about; others could be worse — things have to change.
Better security will be a pain. It will slow things down and might even eliminate some things people are used to. The Internet experience might have to start resembling life in New York apartments in movies from the 1970s, with about 12 deadbolts on every door. It’s not perfect — it might take a while to open the door — but you can get used to it.
Kevin McCaney is a former editor of Defense Systems and GCN.