Security approaches called into question as Washington Post joins media hack victims

According to people with knowledge of an investigation at the Washington Post, there had been hacking attempts against the paper for at least four years, but none targeted the company’s newsroom. That changed in 2012, when “newsroom computers were found to be communicating with Web servers that were traced back to China.” 

The situation echoes that of the New York Times and Wall Street Journal, both of which are believed to have been targeted by hackers with ties to the Chinese government over politically sensitive stories that the two ran regarding Chinese officials.

SANS security trainer Alan Paller, who has trained 145,000 cybersecurity experts around the world, told Voice of America that more than 100 countries are involved in cyber espionage, and that these revelations are merely the tip of the iceberg.

"China is noisier, meaning their techniques are often easier to find so they get caught a lot and so you read a lot of stories about them,” he said. “But the Russians are just as prolific and much more clandestine."

The media hacks – and warnings like Pallers’ – have understandably sparked a discussion over the IT readiness of companies like news organizations, which have high-value sources and information to protect. In the case of the New York Times, for instance, anti-virus provider Symantec was called out for not detecting the hacks. Symantec has since issued statement claiming that “anti-virus software alone is not enough” and suggesting that it is up to companies to “make sure they are using the full capability of security solutions.”

In reality, a multi-dimensional defense is needed, security researchers say. “In today’s climate of highly sophisticated IT security threats, it is important that companies understand that anti-virus and other traditional security defenses are increasingly ineffective against advanced persistent threats (APTs),” said Jason Steer, EMEA product manager and architect at FireEye, in a statement to Infosecurity. “Advanced targeted attacks not only penetrate defenses, but also spread laterally and establish a long-term foothold in the network. The cyber economic advantage is therefore with offense – as the cost to launch an attack is often negligible, while the cost to defend against every possible attack is high.”

Paller agreed that current firewalls, AV and intrusion systems are not enough.

"Although you can build high walls, people build higher ladders,” he said. “So you have to catch the guys who are good enough to get over. The way you do that is not with tools, but with skills – and right now the media companies have not focused on this as a skill area. They figure they'll hire somebody after it happens.”

One first line of defense is to get innovative in the defense mechanisms, so that breaching the perimeter requires a learning curve.

“With the odds stacked against businesses, it is vital that companies – particularly those with intellectual property and other highly sensitive assets to protect – are taking into account the advanced, targeted nature of today’s threat,” Steer said. “As we can see, hackers of varying levels have become very adept at overcoming traditional forms of security. A comprehensive strategy that includes both traditional and proactive signature-less solutions is the only way to truly bolster defences against attackers.”

The hacking spree has some unconcerned, however: Daily Show host Jon Stewart questioned the value of hacking print media: “You send your elite hackers out and all they get is Maureen Dowd’s email address?” he asked wryly, on Monday night’s installment.

 

What’s Hot on Infosecurity Magazine?