Last week we reported on how the new Flame virus seems to be the work of the National Security Agency and Israel.Following the Obama Administration’s admission that the Stuxnet virus was a joint U.S.-Israeli attack on Iran’s computer networks and that they’ve been working on similar cyber weapons since 2006.
Dr. Mike Lloyd, Chief Technology Officer at Red Seal Networks, spends his days doing penetration testing to help organisations understand their security defenses and how they can be attacked.
Lloyd said that while it’s interesting to find out who is behind the newest and most sophisticated cyberattacks, the important thing to recognise is that cyberweapons are growing in number and the U.S. is already vulnerable.
Successful attacks — including ones that steal directories of credit numbers, patient records and social security numbers — are occurring every day.
“It’s not about whether these fancy weapons, that look like we built, could be used on us,” Lloyd said. “We need to take a step back and think, ‘What kind of weapon would it take to hurt us?’ And the answer is that simple weapons work today.”
To understand why it’s so easy to hack America right now, one must recognise the immensity of the U.S. cyber infrastructure and the consequent due diligence required to secure it.
“The difference with America is that we are so interconnected, we’re so networked,” Lloyd said. “All of our systems are connected together — our finance systems, our power generation systems, our social media sites, and so on. We’re interconnected here much more than anywhere else in the world and that means if this stuff is fragile, it is much more fragile than everywhere else.”
Lloyd, whose job is to study the fragility of U.S. networks, posits that it is indeed fragile.
Last year in the U.S. there were 855 incidents of corporate data breaches that involved 174 million compromised records, according to Verizon’s 2012 Data Breach Investigations Report (DRIC).
“People in glass houses shouldn’t throw stones,” Lloyd said. “Well unfortunately, it’s not just that. Very simple stones can break our glass windows. We have very thin defenses.”
However, Lloyd points out that it doesn’t have to be this way.
While 2011 saw the second-highest data loss total since Verizon started keeping track in 2004, 96 per cent of attacks were not highly difficult and 97 per cent of breaches were avoidable through simple or intermediate controls.
“Now that’s really interesting,” Lloyd said. “It’s about the thinness of the glass… We’re at the level where it is far too easy to break in.”
Lloyd said that the members of LulzSec or Anonymous — the loose hacker collectives that have shut down websites and stolen sensitive information — exploit weak defenses of companies by being “doorknob twisters” at the “side doors” of a company’s network.
“The vast majority [of cyberattacks] don’t take the complexity of a Stuxnet — it just takes rattling all the doorknobs,” Lloyd said. “What they’re doing is rattling all of the doors, and they find one or two that are open.”
So why aren’t companies using simple and intermediate controls to make sure their networks are secure?
Lloyd said that things that companies must do are simple, but they must be constantly done everywhere (i.e. make sure all side doors are locked). The issue becomes that “if you’re an American corporation, utilities industry, government agency, you have to be amazingly consistent and that’s what we’re bad at… because our infrastructures are so big and so complex… we can’t secure effectively these days.”
Furthermore, it’s not even good enough for a single U.S. company to be properly secure because the huge mesh of interconnectivity means that if one company has a problem then the companies with which it interacts also have a problem.
And although it’s not easy to get companies to collaborate with their competitors when they’ve had a breach, Lloyd remains optimistic because disclosures have been going up, companies are recognising weaknesses and tools are available to implement a stronger collective defence.
What is required, according to Lloyd, are “established standards of due diligence” — as defined by the cybersecurity industry — that will “demand good practices out of the people that look after our data.”
Because the vast majority of attacks can be avoided if the easy attacks are deterred through established practices (as opposed to being invited by shoddy practices).
Things like implementing disclosure laws, requiring consistent measurement of cyber defenses, and using automation to better understand the complexity of the U.S. grid will hold companies accountable while also generating greater discussion about the requirements for acceptable cybersecurity.
The bottom line is that we’re all part of the same infrastructure, and right now we’re not ready for attacks.
“Attacks are going on, our defenses are weak and it’s time to wake up and smell the coffee,” Lloyd said. “Given that we have this spyware [e.g. Flame, Duqu], and the data-destroying [e.g. Skywiper aspect of Flame] and the physical machine-destroying stuff [e.g. Stuxnet] rattling around the globe, we have to take this stuff more seriously.“
Below are recommendations for smaller organisations from Verizon’s 2012 Data Breach Investigations Report. The DRIC states that “all the evidence at our disposal suggests a huge chunk of the problem for smaller businesses would be knocked out if they were widely adopted.”
NOW WATCH: Briefing videos
Business Insider Emails & Alerts
Site highlights each day to your inbox.