The CIA joins the ranks of recent online victims of attacks that could and should be prevented, as spies, criminals and hacktivists use blended attacks to exploit known vulnerabilities.
The CIA has become a member of a less-than-exclusive club of high-profile targets hit by online attacks, falling victim to a denial-of-service attack that temporarily took down its website.
The outage was reported June 15 and the LulzSec hacker group claimed credit. Other recent victims of a variety of attacks include defense contractors Lockheed Martin and L-3 Communications, the website of the Atlanta InfraGard chapter, the International Monetary Fund and the U.S. Senate.
Some of the attacks were targeted, using data stolen earlier this year from EMC’s RSA security division, some involved webpage defacements and others were simple denial-of-service attacks.
“They all have one common denominator,” said Eric Giesa, vice president of product management for F5 Networks. “All of them are preventable.”
Giesa blamed the cybersecurity industry as much as the users for the lack of preparedness. “Shame on the industry,” he said. “We haven’t been doing a good enough job of educating people how to protect against these things.”
“A lot of this stuff we should be able to stop,” agreed Kevin Haley, a director of Symantec Security Response. “But we’re not. People haven’t been doing the easy things to stop the attacks.”
The most recent attack, against www.cia.gov, does not appear to be particularly sophisticated. LulzSec described that attack as a simple packet flood, which overwhelms a server with volume. Analysts at F5, which focuses on application security and availability, speculated that it actually was a Slowloris attack, a low-bandwidth technique that ties up server connections by sending partial requests that are never completed. Such an attack can come in under the radar because of the low volume of traffic it generates and because it targets the application layer, Layer 7 in the OSI model, rather than the network layer, Layer 3.
“My guess is that [the CIA] had adequate Layer 3 DOS protection in place, but they were blind to Layer 7 attacks,” said Mark Vondemkamp, F5 director of product management for security.
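As an added illustration of the Layer 3 versus Layer 7 blind spot described above (example code, not from the article or from any vendor named in it), the following Python inspects a constructed snapshot of open connections two ways: a per-connection header-completion deadline that catches stalled partial requests, and a bandwidth threshold that sees nothing. The deadline, per-client cap, threshold, and client addresses are all assumptions.

```python
from collections import defaultdict

# Added example (not from the article): flag Slowloris-style stalled HTTP
# requests with a Layer 7 check, and show why a Layer 3 volume threshold
# applied to the same connections raises no alert. All values are assumptions.
HEADER_DEADLINE_S = 20         # assumed: seconds a client gets to finish its request headers
MAX_STALLED_PER_CLIENT = 5     # assumed: stalled connections per client before flagging
L3_THRESHOLD_BPS = 1_000_000   # assumed: bytes/sec at which a volumetric (Layer 3) monitor alerts

# Constructed connection-tracker snapshot: one dict per open TCP connection.
# "opened" is seconds since the snapshot epoch; "bytes" is request bytes received so far.
SAMPLE_CONNECTIONS = (
    # six connections from one client, each sent only a partial header and then went quiet
    [{"client": "203.0.113.7", "opened": t, "bytes": 41, "headers_complete": False} for t in range(6)]
    # a normal browser: complete headers, a couple of KB each
    + [{"client": "198.51.100.9", "opened": 58, "bytes": 2200, "headers_complete": True} for _ in range(3)]
    # a slow but legitimate client that is still inside its header deadline
    + [{"client": "192.0.2.4", "opened": 55, "bytes": 41, "headers_complete": False}]
)
NOW = 60  # snapshot time in seconds


def stalled_connections(connections, now, deadline=HEADER_DEADLINE_S):
    """Layer 7 view: connections whose request headers are still incomplete past the deadline."""
    return [c for c in connections
            if not c["headers_complete"] and now - c["opened"] > deadline]


def flag_slow_request_clients(connections, now, deadline=HEADER_DEADLINE_S,
                              max_stalled=MAX_STALLED_PER_CLIENT):
    """Return {client: stalled_count} for clients holding at least max_stalled stalled connections."""
    stalled = defaultdict(int)
    for c in stalled_connections(connections, now, deadline):
        stalled[c["client"]] += 1
    return {ip: n for ip, n in stalled.items() if n >= max_stalled}


def volumetric_alerts(connections, now, threshold_bps=L3_THRESHOLD_BPS):
    """Layer 3 view: clients whose average inbound byte rate over the snapshot window exceeds the threshold."""
    total = defaultdict(int)
    for c in connections:
        total[c["client"]] += c["bytes"]
    window = max(now, 1)
    return {ip for ip, b in total.items() if b / window > threshold_bps}


if __name__ == "__main__":
    print("Layer 7 flagged:", flag_slow_request_clients(SAMPLE_CONNECTIONS, NOW))  # {'203.0.113.7': 6}
    print("Layer 3 alerts:", volumetric_alerts(SAMPLE_CONNECTIONS, NOW))          # set()
```

The flagged client has sent about 250 bytes in total, so no bandwidth-based threshold would trip; only the application-layer deadline on incomplete headers exposes it.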
Regardless of the motives of the attacker, the exploits being used in the current wave of attacks usually are well-known, Giesa said.
“All of these things have been around for some time,” he said. “What is new is that they are blended” in a single attack. Once a vector is found to deliver an attack, a variety of exploits can be used in quick succession to find one that will work.
Haley said that several unrelated currents have merged to create the recent spate of high-profile events. There has been an uptick in massive attacks, such as rogue antivirus, which is enjoying a new popularity. Targeted attacks, which are not new, recently have taken a new turn with the use of social engineering to breach specific high-value targets. And hacktivism, a variant of old-fashioned vanity hacking used to gain attention for a cause or issue, also is on the rise.
“If we stop talking about it, it will stop,” Haley said of hacktivist attacks. But he does not condemn the coverage of recent events. “In the end this is a good thing,” because it raises awareness of the problem.
Fixing the problem must be done at several layers. Enterprises need to rethink security programs, Haley said. “It’s no longer about protecting the computer,” he said. “It’s about protecting the user and the data.”
No one suggests abandoning defenses at the network layer, but the recent attention to application-layer vulnerabilities reflects the fact that these attacks often can pass through network defenses. Using application firewalls and paying more attention to security during application and Web development can mitigate threats that are not stopped at the perimeter.
The underlying technique for many attacks exploits the user, through the use of social engineering. “The user is a layer as well,” Haley said. Protection at that layer requires increased education to inform users of risks, policies and the reasons for those policies.