According to the Los Angeles Times, malicious users got close to disrupting the flow of power in California during the rolling blackouts that occurred on May 7 and 8 of this year. The attacks were routed through China during a time when Chinese hackers had announced a cyberwar against the United States in retaliation for the death of Chinese pilot Wang Wei, who was lost at sea when his plane collided with a US spy plane April 1.
Whether the attack was based in China is moot, in my opinion. Malicious users worldwide have graduated beyond interrupting the bidding at eBay with distributed denial-of-service attacks--that's just low-hanging fruit. These days, hackers are more sophisticated and much more ambitious. They're gunning for the very infrastructure of our society by targeting government agencies, here and abroad.
The White House and other high-profile government sites have already been hacked, but what concerns me are the less obvious choices for attack. Are we able to defend our local water utilities? Is the Department of Motor Vehicles safe? Any low-level government agency could be a back door into the larger state or federal system.
The Cal-ISO breach occurred on a development server that was not behind a firewall. Ports were left open, files were exposed, and, more importantly, there were no log files because the server had never been hardened. Worse, workers at Cal-ISO rebooted the development server once they discovered something was wrong, destroying volatile evidence (running processes, open network connections, memory contents) that could have helped trace the break-in.
Cal-ISO, and any large corporation or government agency for that matter, really should have had an incident response plan in place--one with detailed instructions on what to do from the moment an intrusion is detected until it's stopped, and the evidence is handed over to a forensics expert for analysis.
Does your network administrator know what to do if someone has gained unauthorized access to your company or agency's servers? If it's the midnight shift, who should you call? And how do you make sure that important evidence isn't deleted or overwritten while your IT department tries to contain and stop the attack? If you don't have a ready response to these questions, it's time you sat down with the rest of your IT department and some higher management folks and started mapping out a coherent strategy.
Here are some important tips and guidelines that should be a part of your incident response plan:
- Record every action you take. Include the date and time.
- Preserve evidence, no matter how small.
- Think prosecution--every action you take should help build a possible court case against the perpetrators.
- Notify key personnel immediately.
- Limit the scope of the attack as quickly as possible.
- Preserve all audit logs (disable any scheduled log purges or log rotation that would overwrite them).
- Implement additional security, if necessary or available.
- Review the incident response plan in light of the recent event and revise accordingly. Remember that any response plan is just a "work in progress."
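The first three points above (record every action with a timestamp, preserve evidence, and think prosecution) are the ones most often done badly under pressure, as the Cal-ISO reboot shows. The following is an added example, not code from the column or from Cal-ISO: a small Python first-responder kit that keeps a hash-chained action log (each entry commits to the previous one, so a later edit or deletion is detectable), copies evidence files into an evidence store while hashing them before and after the copy, and verifies the chain. The incident ID, responder name, hostnames and the sample web-server log line are all constructed for the demonstration.

```python
"""Hash-chained incident action log and evidence intake.

Added example; not from the original column. Assumes a responder working on a
POSIX host with write access to an evidence directory. All names, paths and
the sample log line are hypothetical/constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large evidence files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class IncidentLog:
    """Append-only JSON-lines action log. Each entry carries the hash of the
    previous entry, so altering or dropping a line breaks the chain."""

    def __init__(self, path, incident_id, responder):
        self.path, self.incident_id, self.responder = path, incident_id, responder
        self.prev_hash = GENESIS
        if os.path.exists(path):  # resume an existing chain rather than fork it
            with open(path) as f:
                for line in f:
                    self.prev_hash = json.loads(line)["entry_hash"]

    def record(self, action, **details):
        """Log one action with UTC time, responder and free-form details."""
        entry = {
            "incident": self.incident_id,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "responder": self.responder,
            "action": action,
            "details": details,
            "prev_hash": self.prev_hash,
        }
        body = json.dumps(entry, sort_keys=True)
        entry["entry_hash"] = hashlib.sha256(body.encode()).hexdigest()
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.prev_hash = entry["entry_hash"]
        return entry

    def preserve(self, src, evidence_dir):
        """Copy a file into the evidence store, hashing before and after so
        the copy can later be shown to match the original; log the action."""
        os.makedirs(evidence_dir, exist_ok=True)
        before = sha256_file(src)
        dst = os.path.join(evidence_dir, f"{before[:12]}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        after = sha256_file(dst)
        if before != after:
            raise RuntimeError("evidence copy corrupted: hash mismatch")
        self.record("preserve_evidence", source=src, stored_as=dst, sha256=after)
        return dst, after


def verify_log(path):
    """Re-walk the chain. Returns (ok, entries_verified, first_bad_line or None)."""
    prev, n = GENESIS, 0
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            entry = json.loads(line)
            claimed = entry.pop("entry_hash")
            recomputed = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev or recomputed != claimed:
                return False, n, lineno
            prev, n = claimed, n + 1
    return True, n, None


def demo():
    """Constructed walk-through in a temp dir: a fake web-server log as the
    evidence, a few recorded actions, then a tampered copy of the action log."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    evidence_src = os.path.join(work, "access.log")
    with open(evidence_src, "w") as f:  # constructed sample, not real data
        f.write('10.0.0.7 - - [07/May/2001:02:14:09 -0700] "GET /../../etc/passwd HTTP/1.0" 404 -\n')
    log = IncidentLog(os.path.join(work, "actions.jsonl"), "IR-0001", "night-shift-admin")
    log.record("intrusion_detected", host="devbox", indicator="unexpected outbound connections")
    log.record("notified", who="security lead, on-call manager")
    dst, digest = log.preserve(evidence_src, os.path.join(work, "evidence"))
    log.record("contained", step="unplugged network cable; host NOT rebooted")
    ok, n, _ = verify_log(log.path)
    # Simulate a later cover-up: rewrite one recorded action in place.
    lines = open(log.path).read().splitlines()
    lines[1] = lines[1].replace("notified", "ignored")
    tampered = os.path.join(work, "actions_tampered.jsonl")
    with open(tampered, "w") as f:
        f.write("\n".join(lines) + "\n")
    ok2, _, bad2 = verify_log(tampered)
    return {"verified": ok, "entries": n, "evidence_intact": digest == sha256_file(dst),
            "tamper_detected": not ok2, "tamper_line": bad2}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log was not altered after the fact by someone without access to the whole file; for court use, copy the action log and the evidence hashes to write-once media or a separate host at the end of each shift, and have a second person countersign the digests. Note also what the demo deliberately does not do: it never reboots or otherwise changes the compromised host before evidence is captured.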
In addition to ensuring swift and effective action against attacks, a well-thought-out incident response plan can also, to a lesser degree, mitigate possible public relations nightmares and/or the endless blame game that often ensues following a security breach.
Do hacks on government sites worry you? How equipped are you to contain and handle attempted hacks on your systems? TalkBack to me.