Are hacktivists doing a good job in exploiting security holes, or is this down to poor security practices by organisations?
Hacktivists' motives remain unchanged; however, the broader skill set among the hacking and criminal community continues to advance, making it critical that security evolve in response.
At the Cloud Security Alliance Summit, there was general consensus that organisations should anticipate that they've already been compromised, that securing user credentials and providing additional trust factors are mandatory, and that shadow IT and unscrupulous SaaS properties need to be controlled.
Alongside this, it's important that privileged access be controlled more tightly and user accounts managed more effectively; it is the escalation from one app to the wider network that drives the ability of activists and cyber-criminals to get access to data once they have a foothold.
How are hacktivists evolving their attack techniques? How are they successful?
Hacktivists are getting more sophisticated just as technologies get more advanced and sophisticated. Complex attack campaigns are being planned and executed, and end users still prove to be a weak link into an organisation.
Additionally, organisational weak points remain targets: think social and web properties that are vulnerable or misconfigured. So it's important to get the basics right across the whole organisation and all of its digital assets.
The challenge is that there are many more public-facing applications in use today, some of which are not under the control of IT. This means company data exists in many locations, and it makes it more difficult to ensure that all the rules are followed. If only passwords are used to authenticate users, any basic credential theft could easily be leveraged to gain access to countless sources of information in the cloud.
One approach that companies can look at is their identity management strategy: how do they control access to applications across the organisation? Are strong password policies in place, and more importantly, are strong or multi-factor authentication factors used to provide more controls at the access level? Getting identity management right can ensure that trust can be established with confidence, thus removing an attack channel from the cycle.
Verizon’s DBIR report shows how important identity management is. End-user devices were a factor in 82% of web app attack incidents, while 95% of incidents involved harvesting credentials stolen from customer devices, then logging into web applications with them.
What are the best steps to take in preparing for any kind of hacktivist attack? What should you do if an attack succeeds?
It's important to bear in mind that the primary goal of hacktivism, besides basic defacement of websites, is to steal information or destroy infrastructure with the intent to deliver a message. They often do this by inserting malware via a weak user system, through social engineering or phishing.
Following this, they will establish a botnet to communicate stolen data (i.e. login credentials) back to command-and-control systems, and then use this to begin attacks against weak websites, including brute-force strategies to escalate privileges to resources inside the firewall.
There are several steps that companies can take to defend their IT assets, whether these are hosted internally or delivered from cloud providers.
First, audit all application usage so that you can check that everything is being managed centrally by IT, and reduce what is called the 'shadow IT' problem. If external services have been bought by engineering, marketing or finance teams, these can be vetted by IT, incorporated into the broader IT catalogue of supported services, and integrated into a centralised management framework. Providing greater visibility into activity across the entire IT service environment will help you better understand the scope of a problem when it occurs.
Next, consider how identity is managed across the business. For internal apps, use of Active Directory will often provide control over application access; however, this will very likely not be the case for cloud applications.
If you are not already using multi-factor authentication, then start using this, at least for sensitive applications and those that are public-facing. It’s not expensive when combined with identity management, and can provide additional step-up security capabilities to block attackers from business critical services and information.
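The three steps above (audit application usage against an IT catalogue, manage identity centrally, and step up to multi-factor authentication for sensitive and public-facing apps) can be expressed as a single access policy. The following is an added illustration, not code from the interview or any product; the application catalogue, the app names and the login events are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class App:
    name: str
    sanctioned: bool     # listed in IT's catalogue of supported services
    sensitive: bool      # holds business-critical data
    public_facing: bool  # reachable from the internet

@dataclass(frozen=True)
class Login:
    user: str
    app: str
    mfa_verified: bool   # a second factor was presented in this session

# Constructed application catalogue with hypothetical app names.
CATALOGUE = {a.name: a for a in (
    App("hr-portal", sanctioned=True, sensitive=True, public_facing=False),
    App("corp-blog", sanctioned=True, sensitive=False, public_facing=True),
    App("wiki", sanctioned=True, sensitive=False, public_facing=False),
    App("filedrop", sanctioned=False, sensitive=False, public_facing=True),
)}

def decide(login: Login, catalogue=CATALOGUE) -> str:
    """Return 'allow', 'step_up' (demand a second factor) or 'deny'."""
    app = catalogue.get(login.app)
    if app is None or not app.sanctioned:
        return "deny"      # shadow IT: not vetted by IT, so no access yet
    if (app.sensitive or app.public_facing) and not login.mfa_verified:
        return "step_up"   # a password alone must not open these apps
    return "allow"

def shadow_it_report(logins, catalogue=CATALOGUE) -> dict:
    """Map each unsanctioned or unknown app to the sorted users seen on it."""
    users = defaultdict(set)
    for login in logins:
        app = catalogue.get(login.app)
        if app is None or not app.sanctioned:
            users[login.app].add(login.user)
    return {name: sorted(u) for name, u in users.items()}

# Constructed sample login events (as an identity provider would log them).
SAMPLE = [
    Login("alice", "hr-portal", mfa_verified=False),   # step_up
    Login("alice", "hr-portal", mfa_verified=True),    # allow
    Login("bob", "corp-blog", mfa_verified=False),     # step_up
    Login("bob", "wiki", mfa_verified=False),          # allow
    Login("carol", "filedrop", mfa_verified=True),     # deny, shadow IT
    Login("dave", "filedrop", mfa_verified=False),     # deny, shadow IT
]
```

Running `shadow_it_report(SAMPLE)` gives IT the list of unvetted services and who is using them, which is the input to the vetting step; `decide` is the per-login check the identity layer would apply.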
You should also update any security and continuity plan with help from the legal and communications department on what will be published and sent out publicly – if an attack on web assets or social accounts does take place, then you have the work already done and can communicate accordingly.
This can help customers understand your company's actions and the implications of an attack, and retain trust through transparency with your users and customers. This can be in two stages: the initial phase to let people know that you are aware, and then a fuller statement when the audit is completed and there is no more access to those systems.