Melbourne IT breach highlights need for security culture

Spearphishing attacks are cheap and will continue to be effective unless organisations — and those they deal with — develop a security culture.
Written by Stilgherrian , Contributor

Somewhere this week, a Melbourne IT reseller is wishing they'd never clicked on that link — and certainly wishing they'd never typed their Melbourne IT username and password wherever it was they typed them — because that simple mistake allowed the Syrian Electronic Army (SEA) to log in and take down The New York Times and big chunks of Twitter. Oops.

But we shouldn't be too hard on this unknown person. A simple mistake is all it was. Spearphishing attacks — those individually tailored for a specific human target — are getting very good indeed. So are the targeted emails that try to persuade their recipients to click through to a compromised website, which then attempts to install malware on their machine.

Even seasoned security professionals can fall victim, as Trend Micro's vice president of strategic markets, Blake Sutherland, discovered when the company's security researchers put him to the test.

As a university student, Sutherland had worked a summer job assisting a geophysicist measure the wobbles in the Earth's motion — which, unbeknownst to him, earned him a footnote credit in a research paper. But the Trend Micro staffers found that paper, and, using Google and LinkedIn, constructed an email supposedly from a Russian geophysicist, referring to the paper, mentioning the lead researcher by name, and asking to be linked to him on LinkedIn.

"There was a link there to look at his profile ... He knew so much about this. I certainly recognised the work when he described it. And curiosity will kill the cat every single time," Sutherland told the media in Sydney in March this year.

"It was very, very simple, and it was amazing that they dug up that information on me that I didn't even know. That wouldn't have even showed up on my resume."

Sutherland said the whole process of researching and crafting that targeted email took only "a couple of hours". Even at full Western defence contractor rates, that'd cost no more than a few hundred dollars.

In recent years, far more elaborate spearphishing and targeted malware attacks have been seen in the wild. Emails have precisely replicated the email formats of an organisation with which the target does business, they're sent supposedly from a specific named individual known to them, and they're written in their personal style about a real, known issue, with an attached PDF file that's a genuine document from that organisation — apart from it being weaponised with malware.

"I have kids, a lot of folks have kids. How many times does their soccer schedule change? Here's [an email with] the map to the new field. The truth is, the map is correct, the schedule has changed. It's on a website," Sutherland said. "It comes from someone you know, it comes on a topic that is relevant to you, and it's just simple to accomplish."

And now that individuals are posting so much information about their lives on social networking sites and elsewhere, it's easy for an attacker to construct a plausible scenario.

There's talk of attackers with budgets of AU$10,000 or even AU$100,000 or more to penetrate specific organisations. That's ample funding to explore more indirect ways of penetrating the organisation — attacking through a partner, as in the Melbourne IT case, through the global legal firm that signs off the contracts, or through the translators who work on them. It's all about finding the weakest links.

Attackers have also been inventive when it comes to persuasive social engineering tricks. One attacker sent emails to the executives of the target company at 4pm on a Friday afternoon in the form of a subpoena, requiring them to give evidence at 10am on Monday morning — or if that time wasn't suitable, just click here to change your appointment time.

The apparent ease with which Sutherland and the Melbourne IT reseller were compromised contrasts with the experience of the Reserve Bank of Australia. There, one penetration attempt was reportedly thwarted by the organisation's security culture.

"There was an employee that went 'something's not right here', raised the flag, and by all accounts they seem to have done a good intercept [in terms of preventing data exfiltration]," IBRS security analyst James Turner told the media in April. '[There's] got to be the shift that we see across the entire industry in terms of the culture around security events."

Jason Brown, national security manager for defence contractor Thales, would agree."Every employee needs to be thinking about security the same way they think about brushing their teeth each morning," he told last year's Security 2012 conference in Sydney.

But developing such a security culture needs support from the most senior levels of the organisation. Brown recommended appointing a specific "security champion" so it gets the required focus and attention — because technology won't save your organisation from nation-state cyber espionage, he said; your corporate culture will.

Or, as a Gartner executive put it at last week's Security and Risk Management Summit in Sydney, "Why do executives keep getting compromised? They click on the dancing pigs."

Editorial standards