Hacktivism Debate: Security’s Little Awareness Helper

Pascucci disagrees with the execution of hacktivist attacks, but says they are "causing organizations to also ask the hard questions"

Before we begin, let me make a few things clear: I am not Anonymous, I am not Legion, I try to forgive, I am prone to forgetfulness, and you can expect me to defend them (in a way).

The rise of hacktivism over the past two years has changed the way information security operates, whether we like it or not. These groups have started and will continue executing their method of security awareness on the public at our expense – all the while creating a deeper awareness of security culture. Whether done for the Lulz or an ideology, the awareness is building and it’s making companies think first before acting.

According to the most recent ‘Verizon Data Breach Investigations Report’, hacktivists were responsible for 58% of all data stolen last year. That’s an incredible number that will most likely continue if we can’t open our eyes to what’s actually wrong; and many of these groups are doing just that – exposing the soft underbelly of security.

Yes, it’s wrong that people are exploiting SQL injection for personal gain, but when are we going to learn how to fix the issues? This and other common vulnerabilities are a constant open palm to the face, and they need to be fixed now. As soon as we fix them, the slapping will stop.

There are also many security vendors that are thriving from the attacks and using them to increase sales. The saying ‘Let’s start a war, we could all use the money’ stands very true today. Now more than ever, information security professionals are in constant need, and companies are perpetually increasing security headcount and budgets. They wouldn’t be doing this if they thought they were secure. They’re starting to invest more in their security architecture thanks to hacktivists.

Every compromise, tweet, video, and Pastebin upload is thoroughly covered by the media ad nauseam. News of these exploits isn’t just reported in a small niche of information security publications; these are worldwide bulletins covered by major media outlets. The everyday person is aware of these groups in one way or another and it’s making them think, ‘How secure am I?’ or ‘How safe is my data?’. These thoughts are groundbreaking views for the common user, stirred by the images of multi-billion dollar companies being compromised. This is a paradigm shift in thinking brought up by the constant reminder of hacktivism.

Behind closed doors in the corporate boardroom, upper management is terrified of these groups. The last thing they want their organization’s name associated with is hacktivism – causing reputation damage and unwanted publicity.

I don’t completely agree with the way these attacks are being brought about, but it is causing organizations to also ask the hard questions. Are we susceptible to similar attacks? What are we doing to avoid being the next media headline? This exposure to information security is allowing voices to be heard that were previously muted. You can use past compromises and prove to management that these attacks are real and people are very capable of exploiting vulnerabilities on your network.

There’s no one way to stop hacktivists from knocking on your front door, but we should all be prepared before they come to the doorstep. Yes, it’s embarrassing to get breached, and heads will most likely roll because of it, but if we were following proper security guidelines, then many of these hacktivist attacks would fail. You can love them, or hate them, but one thing’s certain: hacktivist exploits are bringing security awareness to the people on a large stage, and for that you need to respect them.


Matthew Pascucci is an information security engineer for a large public e-commerce company. He’s a frequently published author, reviewer, speaker and commenter on information security-related topics and events. You can read Pascucci’s other musings on his blog or his tweets @matthewpascucci. He holds a BS in computer information systems and has several networking, security, and computer-related certifications.
