LulzSec RIP: But who'll have the last laugh?

The hacktivist group may have disbanded but there's still much to learn from their damaging spree, says Rik Ferguson

What have hackers ever done for us? In among the painful lessons they deliver, hacking groups such as LulzSec help reinforce the importance of a number of security fundamentals, says Rik Ferguson.

In the wake of recent publicity surrounding LulzSec's 50-day hacking spree and its subsequent disbandment last weekend, businesses around the world need to begin re-examining their approach to security architecture, planning and policy.

The apparent ease with which high-profile networks such as Sony, Nintendo, Fox and many others were breached was startling and disconcerting. The success of attacks against the government, security and law-enforcement community was unexpected and extremely worrying.

In a few cases the hackers reported only that holes in network and server defences had been uncovered. But in far too many cases sensitive personal and corporate information was posted for all to see, download and abuse. In the case of the attack against the Arizona State Police, it could certainly be argued that the hackers' activity put the lives of serving officers at risk.

So, the question remains, what did the hackers ever do for us? Well, hopefully they have taught us some painful lessons.

Relatively simple hacking

As far as can be ascertained in the absence of detailed information on how many of the intrusions were perpetrated, the tools and techniques employed by LulzSec, and many other hacking groups besides, were relatively simple.

Distributed denial-of-service (DDoS) attacks brought down high-profile websites, and SQL injection attacks were the technique of choice for the theft of information. There is also strong suspicion that in at least one case one or more insiders may have been involved in the leak, rather than direct theft, of information.

The tools exist to enable companies to overcome, mitigate or simply avoid much of this low-level threat. The shame is these techniques are woefully underdeployed.

In the case of the theft of information from corporate databases, we must start with strategy and implementation. Never store sensitive data in clear text. Solid encryption would have avoided much of this damage. Regularly pen test your databases, servers and application platforms, from the inside as well as the outside. Use strong authentication if you are only serving a limited user population or if the data you are holding is particularly sensitive. Avoid cookies, which can lead to session hijacking.

Bounds checking of input data helps avoid buffer overflows and SQL injection attacks. Provide access to information on a need-to-know basis and always provide it with Least Privilege. Don't give detailed error information to browsers. You don't expect your customers to debug your application, so don't give out that error message.
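The input-checking and error-handling advice above, shown as an added example that is not part of the original article: a lookup that pastes input into the SQL text, beside one that validates the input, binds it as a parameter and returns only a generic error to the client. The table, the username pattern, the function names and the sample input are assumptions constructed for the illustration.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("app")
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username policy
CONSTRUCTED_INPUT = "x' OR '1'='1"                 # constructed hostile input


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_unsafe(db, name):
    # Weak form: the input becomes part of the SQL text and can rewrite the query.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(db, name):
    # Check length and character set first, then bind the value as a parameter
    # so the database treats it as data only.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def handle_request(db, name):
    """Return (status, body); failure details go to the server log, not the client."""
    try:
        rows = lookup_safe(db, name)
    except ValueError:
        return 400, "Invalid request."
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]  # lets support staff find the log entry
        log.exception("lookup failed ref=%s", ref)
        return 500, f"Internal error (ref {ref})."
    return (200, rows[0][0]) if rows else (404, "Not found.")
```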

Enterprises should also start investing in technology that looks beyond the traditional firewall, intrusion-protection system, server and host layers on which we have historically relied. Security ideally should be run in a different context to the asset that is being secured.

Closer attention should be paid to internal network activity from the perspective of spotting anomalous behaviour such as exfiltration of large amounts of data or one compromised system being used to burrow deeper into the network.

Run security in a different context

The final job of any accomplished hacker is always to clear the logs and traces of activity from compromised systems, to avoid detection. If the security runs in a different context, we make this task much more difficult.

Finally, we must stop building security systems from the outside in, leaving the soft chewy middle at the heart of our network. Every server and every discrete item of data should benefit from its own secure perimeter and the layered security model should be built inside out from there.

In your personal life, live every day as if it's your last. On the network, secure every asset as if it's the only one you have, otherwise it just might be.

Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.
