Another security breach is in the news today.
This time a supposed attack on the International Monetary Fund (IMF) has resulted in its network connections being suspended by the World Bank as a precautionary measure. This is a sensible move by the World Bank: if the IMF has been hacked, measures have to be taken to make sure it can't be used as a springboard to attack others – and relying on the IMF to do this could be catastrophic.
The International Monetary Fund (IMF) has confirmed that it was hit by a large and sophisticated cyber attack.
While the IMF is without a leader following scandal surrounding former managing director Dominique Strauss-Kahn, a spokesperson confirmed that there had been ‘a very major breach’ of its systems recently.
According to media reports, cyber security officials said the hack was designed to install software to create a ‘digital insider presence’. It was also reported by Bloomberg that according to one IMF memo, the fund’s network connection to the World Bank was severed ‘as a precautionary measure’.
As always, we will probably never know the full details. However, “large and sophisticated” attacks frequently turn out to be well-known vulnerabilities exploited in (at best) a novel manner. Given the role and activities of the IMF, it is likely that there is a good security system in place, and there is certainly a full-time response team that is able to react to this – so this may be one of those instances where it really is a sophisticated attack.
The reality for the IMF is the same as for every business or individual with a web presence. At some point, someone will try to get past your defences and either steal things, damage things or just vandalise. This is much more likely than someone trying to break in through your door, so it makes sense to give your internet-connected systems a proper security system.
More worrying is the growing trend to say that every major attack is sponsored by a national agency. This is bad in many ways. From the SC Magazine article:
Bloomberg also reported that according to a person familiar with the incident who chose to remain anonymous, the intrusion was nation-sponsored.
Stewart Room, partner at Field Fisher Waterhouse, called the news ‘deeply troubling’, as it provides further evidence of systematic attacks on critical infrastructures and systems.
He said: “How long will these attacks be tolerated before politicians react to pass general legislation for cyber security? Legislation is desperately needed. The first priority is to protect critical infrastructures, but we should be cautious not to end there.”
There are several problems with this:
- Unless the attackers are woefully inexperienced or criminally negligent, it is almost impossible to determine with any level of confidence where the attacks have come from. Spoofing IP addresses and compromising hosts en route is just too common.
- The “evidence” for these claims is invariably anonymous individuals who can make any claims they want, safe in the knowledge that no one will be able to disagree with them.
- It acts as a cheap “get out of jail” for lazy security professionals and poor risk management teams. Rather than say “we got it wrong”, the default option now appears to be to blow the skills of the attackers out of all proportion and claim it is a state-sponsored (i.e. well trained, well resourced) attack.
It is likely that some attacks on some websites are the result of national agencies involved in espionage, but the reality is that this is fairly rare – resources are not unlimited – and unfortunately, most individual hackers are far more skilled than people give them credit for. When it comes to hacker “collectives” (such as Anonymous or LulzSec), the skills of individuals multiply massively and the impact of their attacks grows out of proportion with what people expect to face.
The takeaway lesson of this is that when it comes to working out what security you need, it is essential that you carry out a proper threat analysis workshop. Do not be fooled into thinking hackers are still using 1990s technology and, more importantly, do not be lulled into a false sense of security because your business is not at risk from nation-sponsored attackers.