Like a sleeper agent, it embeds itself in key industrial systems and waits, gathering intelligence and biding its time. It studies design documents to find weak spots for future attacks that could bring a nation to its knees.
This is not the plot of the new Tom Clancy novel (although it could be). It is the description by US security firm Symantec of the newly discovered Duqu worm in its report ‘W32.Duqu: The precursor to the next Stuxnet.’
Duqu is based on the sophisticated Stuxnet worm that shut down an Iranian nuclear fuel processing plant and set back its nuclear program by years. Duqu has so far infected industrial systems in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam.
While at this point Duqu is only able to gather intelligence, Symantec judges that it is “essentially the precursor to a future Stuxnet-like attack” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.
The discovery of Duqu was a major security event in 2011; not exactly because of the effect that the worm has had, but for its potential. Duqu signals a growing trend of malware developed not to steal identities and profit financially, but to disable and destroy critical infrastructure – the life blood of modern society. News of Duqu was followed by a report (since shown to be mistaken) of a malware attack on a US water utility network that destroyed the industrial control system of a key water pump.
Destruction of critical infrastructure has been the elephant in the room for the information security profession. Many recognize the danger, but it is seen as too esoteric and remote to worry about. It is someone else’s (i.e., the government’s) problem. But if major critical infrastructure collapses from a cyberattack, whether your boss’s iPad makes the company’s network less secure is not going to matter all that much.
Having said that, information security professionals can’t ignore the mundane threats, of which there were plenty in 2011. From the mega breach at Sony to the annoying self-righteous breaches perpetrated by Anonymous et al., 2011 was a wasteland of data loss.
In March, RSA – the company that ensures its elite customers are water-tight – sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.
In an open letter to RSA customers, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” (APT) attack had extracted valuable information related to its SecurID two-factor authentication product used by remote workers to securely access their company’s network.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello said.
Coviello, it turned out, was wrong about this assumption, as numerous SecurID token customers – including US defense giant Lockheed Martin – reported attacks resulting from the RSA breach. In an effort to limit the damage, RSA agreed to replace the tokens for its key customers.
In response to the RSA breach, APT became the new catchword for cyberattacks. “It’s not our fault our networks were breached and our data stolen, it was an APT. What could we do?”, whined many companies in the ‘year of the breach’.
April is the Cruelest Month
April was indeed a cruel month for Sony, which admitted that hackers had gained access to names, addresses, email addresses, birth dates, passwords and IDs for over 100 million PlayStation Network, Qriocity, and Online Entertainment customers.
The massive size of the breach, as well as the delay in informing customers, attracted the attention of the US Congress. A House Commerce Committee panel held a hearing on the breach, but Kazuo Hirai, chairman of Sony Computer Entertainment America, declined to appear.
Panel chairman Mary Bono Mack (R-Calif.) criticized Sony for the delay in informing its customers of the data breach and the manner of notification through its blog. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”
Perhaps more disturbing than the notification delay, the huge electronics conglomerate revealed that it did not have a chief information security officer at the company. To rectify the situation, Sony enticed Philip Reitinger away from the US Department of Homeland Security (DHS) to take over the newly created role in September.
The departure of Reitinger, as well as the exits of Sean McGurk, head of the National Cybersecurity and Communications Integration Center, and Randy Vickers, director of US-CERT, led to a major restructuring at DHS’s National Protection and Programs Directorate, which oversees the agency’s cybersecurity operations. Reitinger’s job as deputy undersecretary was split in two: one in charge of cybersecurity, the other in charge of everything else.
But wait, there’s more. Marketing firm Epsilon had a breach of its extensive database, which contained the names and emails of customers at such high-profile partners as BestBuy, Walgreens, Marriott, Lacoste, Marks & Spencer, JP Morgan Chase, Barclays, Citibank, US Bank, and Capital One.
While Epsilon initially downplayed the breach, its partners could not. They began issuing warnings to millions of their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses. Reuters put a $100 million price tag on the incident, which falls directly on Alliance Data Systems, Epsilon’s parent company.
And for much of 2011, Anonymous and its offspring were claiming credit for what seemed like a breach a week – in the name of improving security by showing how incredibly bad many organizations’ information security really is.
Not with a Whimper, but a Bang
In the arena of mergers and acquisitions, 2011 started off with a bang, with Dell’s acquisition of SecureWorks, an Atlanta-based security-as-a-service provider with 3,000 clients worldwide, and Verizon’s $1.4 billion purchase of Terremark, a Miami-based managed IT infrastructure and cloud service provider with advanced security offerings.
Also early in the year, Sourcefire bought Immunet, a cloud-based anti-malware startup, for $21 million, and Google agreed to acquire Zynamics, a Germany-based forensic specialist, for an undisclosed consideration.
In April, storage giant EMC acquired NetWitness, a Herndon, Va.-based network monitoring specialist, and added it to RSA. While the purchase price was not disclosed, some estimates put the price tag as high as $500 million. Too bad RSA did not have network monitoring in March!
After the April showers, there was a spurt of acquisition activity in May. In that month, Symantec acquired Clearwell Systems, a provider of e-discovery, data archiving, and data backup products, for $390 million, augmenting its information management and governance portfolio.
In addition, cloud provider VMware purchased Shavlik Technologies, a Minnesota-based patch management and cloud-security firm; Thoma Bravo bought Tripwire, a Portland, Ore.-based network security firm; and Sophos acquired Astaro, a Germany-based private network security firm.
Other noteworthy information security acquisitions in 2011 included: IBM’s purchase of Q1Labs, a Waltham, Mass.-based provider of security event and log management software; McAfee’s purchase of NitroSecurity, a Portsmouth, N.H.-based security information and event management firm; and Check Point’s acquisition of Dynasec, an Israel-based governance, risk, and compliance firm.
On the military side of the cybersecurity coin, US and UK defense firms have been trolling the waters for cybersecurity catches, spurred by governments’ plans to spend billions on technology to secure their networks.
For example, UK defense firm BAE Systems acquired Norkom Group, a Dublin, Ireland-based cybersecurity firm, for around $344 million, after buying a slew of cybersecurity companies the previous year.
Also in 2011, Raytheon completed its acquisition of Applied Signal Technology, a Sunnyvale, Calif.-based provider of cybersecurity and intelligence services to the military, for a hefty $490 million.
Defense contractor ManTech acquired two Virginia-based cybersecurity firms with US Department of Defense IT contracts this year: TransTech in February and Worldwide Information Network Systems in November.
As physicist Niels Bohr once said (or was it baseball manager Casey Stengel?), “Prediction is very difficult, especially about the future.”
Despite the wisdom of those great minds, I will venture to make some predictions for 2012. First, I predict that the world will not end. If I’m wrong about that, then no need to read further.
Certainly, Stuxnet, Duqu, and their heirs will increasingly plague governments, critical infrastructure operators, and information security professionals. It’s time to take these threats as seriously as the mundane security problems of everyday life in the 21st century.
The explosion of mobile device use, particularly in the workplace, will increasingly concern information security staffs for years to come. Malicious mobile malware has become widespread, and this trend is likely to accelerate.
Enterprises will have to come to grips with social media, particularly as cybercriminals find it a fertile ground for mischief. Should employees be banned from using it at work or is it the next great efficiency tool? The answer is: Yes.
Of course, the cloud – companies will likely accelerate cloud adoption to improve the bottom line, while security professionals will struggle with the implications of giving up control over key corporate information assets.
And the boldest prediction of all: there will be more data breaches in 2012. Stay tuned.