Posted:
July 18th, 2011

Attack of the Gray Hats


As a card-carrying member of the information security establishment, I’ve got to admit that these past few months have been more than a little embarrassing—for the profession and the entire industry. Like a row of blue-chip dominos, Citigroup, RSA Security, Lockheed, Sony, NASDAQ and Epsilon Data Management have all suffered major data breaches that compromised intellectual property, exposed personal data to criminal exploitation, and left the companies open to massive financial liabilities. The serious black hats have been on a really serious tear.

Cybervandalism Just for the Lulz

But they’re not the only ones wreaking havoc behind our firewalls. There has also been a huge spike in hacktivist exploits by a menagerie of loosely-organized groups bent more on political statement-making and recreational mayhem than monetary gain. LulzSec, an unknown entity just two months ago and already reportedly disbanded, successfully attacked the CIA, the U.S. Senate, Sony, Nintendo, and both the FOX and PBS television networks among others—then crowed about their accomplishments on Twitter.

Anonymous, a marginally more sober group that’s been active since at least 2008, claims a hit list that includes the U.S. Cyberterrorism Defense Initiative; the governments of Malaysia, Tunisia, Egypt and Zimbabwe; the Spanish national police, Sony Corporation, Bank of America, Koch Industries, Westboro Baptist Church, the Church of Scientology, HBGary Federal, Amazon, PayPal, MasterCard and Visa.

Both groups are creatures of online social networks, with no apparent leadership or formal structure. Their self-proclaimed social agendas range from freedom of speech to personal data security to the uncomplicated joys of adolescent vandalism. The porous state of their victims’ defenses is sometimes astonishing. Just two months after multiple major data breaches forced Sony to shut down its PlayStation Network and Sony Online Entertainment services, LulzSec hackers found another million customer records sitting unencrypted on an easily accessible server. Try explaining that to your compliance auditor.

Security Auditing by Unauthorized Entities

The gray hats at LulzSec and Anonymous are showing us that in too many cases our systems and data are fish in a barrel when the real black hats come probing. It may not feel like it, but there’s probably a public service in there somewhere. Think of it as a security audit by unauthorized entities.

The point is to not be the next subject of public humiliation. Spend the time and effort to make sure your systems are safe from the script kiddies and you may have a fighting chance against the really scary types when they converge at the gates.

And it’s not rocket science. Manage identity and access centrally. Build your workloads with identity- and policy-awareness. Invest your environment with the intelligence and automation to detect and identify non-compliant events and respond proactively.

If our systems fall victim to criminal syndicates with Ph.D. skillsets, shame on them. If they give up everything to persistent amateurs with a handful of bulletin-board scripts, shame on us.

–Richard



7 Comments
  1. December 1st, 2011
    8:49 pm

    Producer

    A lot of what you claim is surprisingly accurate and that makes me wonder why I hadn’t looked at this in this light before. This particular piece really did switch the light on for me personally as far as this specific subject matter goes. Nevertheless there is actually 1 point I am not necessarily too cozy with and whilst I make an effort to reconcile that with the core theme of your position, allow me to observe exactly what the rest of your readers have to point out. Nicely done.

  2. December 2nd, 2011
    11:19 am

    Boyd Mew

    I’ll right away grab your RSS as I cannot find your e-mail subscription hyperlink or e-newsletter service. Do you have any? Kindly let me know so that I may just subscribe. Thanks.

  3. December 11th, 2011
    10:20 am

    Maurita Livington

    Very nice post, I certainly love this website, keep on it. It’s hard to find knowledgeable people on this topic, but you sound like you know what you’re talking about! Thanks. You should take part in a contest for one of the best blogs on the web. I will recommend this site!

  4. December 12th, 2011
    11:41 am

    Stacey Kuralt

    Amazing, entertaining, thank you. I do think your trusty audience would surely want a good deal more content similar to this. Keep up the great nice work.

  5. December 17th, 2011
    10:38 am

    bonus code

    I think this site holds some very wonderful info for everyone. “He is able who thinks he is able.” by Buddha.

  6. December 27th, 2011
    7:58 pm

    Gregg Lugg

    I’m very happy to read this. This is the type of manual that needs to be given and not the accidental misinformation that’s at the other blogs. Appreciate your sharing this best doc.

  7. December 28th, 2011
    3:02 am

    hello

    3 cheese
