There has been a large volume of public disclosures over the past several months involving sophisticated (and some not so sophisticated) attacks in which mature defenses were breached. The most visible ones are not against small startups that were lean on their defense; instead they are being perpetrated against organizations with the resources and skills to muster a good defense.
The lesson of these public disclosures (note the word public; more are likely not being released) is the need to reflect and adjust. It echoes a comment I made in February regarding the need to continue building and evolving security through risk assessments. Information protection is about conditioning, not about the latest fad. Certainly the latest fad requires attention, but so do historical attack methods. So, what is interesting about the recent compromises?
First off, sharing and depth of defense. Barracuda Labs had a breach, and they published very specifically what happened. What is positive about this breakdown is that they articulate precisely what was taken and how they are CERTAIN that was all of it. Their technical write-up contains no legal or marketing language anywhere, and is therefore actionable.
Amazon AWS: this affected many more people, and for many days the impact was unknown. This was more an operational breakdown for businesses than a failure of an information protection process. There is a decent timeline of the web services' status updates here, and from it one can tell that great effort was taken by Amazon to address the challenges. Unfortunately, for businesses trying to take action there was no clear point at which clients using Amazon should activate their disaster recovery plans. Given that services were coming back online incrementally, I understand that decision is challenging. In addition, the plethora of terminology probably made every system administrator and CIO review their deployment maps more than once. The takeaways here are: first, understand precisely which services are being provided and where (as far as you are able); and second, have your own plan, driven by your own customers' expectations, that defines when you fail over rather than waiting for the provider to tell you. This is leading practice, but it can get lost in these serious moments.
Admittedly the Amazon example is not a breach, but consider the potential if it had been an attack on the infrastructure of Amazon's cloud environment, and how extremely valuable that foothold would be to criminals and nation-states.
Then there is Sony's network, which was attacked and required a complete shutdown of the service to extricate the attackers and stabilize the environment. There are three separate posts by Sony on their blog here, here, and here. This attack highlighted that, regardless of the business model, sensitive data is sensitive data (including cardholder data covered by PCI DSS). In addition, an idea I have been discussing with colleagues is the potential for bot armies. Consider that PlayStation consoles have very strong computing platforms built in and are used by graphics companies and the military for high-end computing (1,716 linked together make one supercomputer!). Also consider that at least 77 million accounts connect at some point to the PlayStation Network, that the consoles receive updates and transmit data at high speed, and that most are likely not disconnected after a gaming session. The point is that a single hardware platform running basically identical firmware, connected over high-speed broadband, sounds like a perfect bot army to me.
Much has been written on the events above, and I encourage everyone to understand in depth how each attack was executed. My intention above, as always, is to provide a different context for these events, their meaning, and perhaps some actions that may be appropriate for you.
Best,
James DeLuccia