Cyber-security, cyber-war and cyber-attacks all seem to be making headlines these days, especially in light of the hacker collective Anonymous publicly declaring 'cyberwar' on Israel, and Israel claiming that it has been hit with 44 million cyber attacks in the last week.
While cyber-security is very important, and should be taken seriously, it is imperative to understand the vast difference between simplistic cyber-attacks and sophisticated enterprise-security attacks.
As former Microsoft Program Manager for Active Directory Security, I thought I'd take a few minutes to share a few thoughts in this regard with you, because undue attention on simplistic cyber attacks may distract organizations from protecting themselves against sophisticated enterprise-security attacks that could be far more damaging than basic cyber attacks.
Anonymous Cyberwar on Israel Seemed Simplistic and Israel's Claim of 44 Million Cyber-Attacks Seemed Overstated
The short of it is that Anonymous's 'Cyberwar' on Israel seemed rather simplistic, Israel's claim of 44 million cyber-attacks seemed over-stated, and most organizations worldwide are in fact inadequately prepared to face and combat real, sophisticated enterprise-security threats.
Before substantiating that claim, I'd like to point out the difference between simplistic cyber-attacks and sophisticated enterprise-security attacks, because this difference is important to understanding just how much damage a real enterprise-security attack could inflict.
Are cyber-attacks and enterprise-security attacks the same thing? The answer is NO. (At least not exactly.)
Cyber-attacks, generally, are attacks targeted at organizational websites accessible on the Internet, and for the most part they either exploit design weaknesses in TCP/IP, the protocol suite upon which the Internet runs (for instance, the fact that a server must hold state for every half-open TCP connection), or simply overwhelm the capacity of the target.
The most common example is flooding a web server with connection requests until it can no longer serve legitimate users. This is a very basic form of denial-of-service (DOS) attack that could be launched by amateurs with just a little know-how, often using automated programs, from virtually anywhere in the world. A variation of this attack uses a large number of hijacked computers (bots) from all around the world to attack the same website, and the attack then becomes a DDOS attack, the first D standing for Distributed.
Most such attacks are mere annoyances, and easy to carry out.
Then you've got the hacking of free email (e.g. Gmail, Yahoo, Hotmail etc.), Facebook and Twitter accounts, but that's so relatively easy and inconsequential that it is almost not worth mentioning. Why? To begin with, if you're trusting anything to a free service offered to millions or billions of people, you'd have to be really naive to expect that any of the information you upload to it, or communicate via it, would be completely secure at all times. (At any point, any one of thousands of IT personnel responsible for operating that service could possibly obtain access to your information, and the various mechanisms designed to help you regain access to your account could be misused by any one of billions of people to compromise your account.) That's kid-stuff, so I'm not even going to touch upon it.
Enterprise-security attacks are a different matter. For example, imagine a payload written to take out the very foundational systems within an organization's IT infrastructure that provide the means to authenticate an organization's users and/or to authorize access to the entirety of the organization's IT assets.
The impact of the compromise of the very systems that provide authentication and authorization services to the entirety of an organization’s IT assets, is that it would instantly expose the entirety of the organization’s IT assets to the risk of compromise.
Now, an IT security practitioner might say that this is the reason we have layered security and that we deploy multiple layers of security above the platform. The thing is that any layer of security that has a software component is itself running on the system, and thus still relies on the system for its own trustworthiness.
For instance, anti-virus protection runs as a service on a computer. If you are an admin, you control the computer's system, and by virtue of that you can stop or disable the anti-virus service. By the same token, software running as SYSTEM (LocalSystem) has complete control over the system, and thus over any applications or services running on that system. (The kernel and the components that run with that level of privilege make up the Trusted Computing Base (TCB) of the system: everything else on the machine depends on them being uncompromised.)
An enterprise-security attack also often involves just one payload. A well-crafted payload only needs to run once on a corporate computer, and there are numerous ways to get one payload to run once on any one computer within the organization.
This is why enterprise-security attacks do not even require that an organization's IT infrastructure be connected to the Internet: payloads can be delivered in various forms, ranging from social engineering an insider into downloading and executing some code, to piggybacking on the legitimate fulfillment of IT needs, such as a malicious payload disguised as an unsigned printer driver delivered as a software upgrade.
All in all, a targeted enterprise-security attack designed and carried out to take out critical components of an organization's IT infrastructure can have far greater impact than any cyber-attack designed to temporarily bring down, deface or break into an organization's customer-facing website.
Enterprise-security attacks are usually designed to target and take out critical components of the internal IT infrastructures of organizations, not the organization's pretty-looking external-facing websites placed in DMZs.
Substantiating the Claim
In light of the above, I should perhaps substantiate my claim that Anonymous's 'Cyberwar' on Israel seemed simplistic, and that Israel's claim of 44 million cyber-attacks seemed over-stated.
If you read what the media has to report, it is fairly apparent that most of the cyber-attacks launched against Israel were mere DOS/DDOS attacks targeted at company and government websites.
As I indicated above, a majority of these attacks would at most have caused a denial-of-service (DOS) for legitimate users trying to browse the websites of Israeli government organizations, and a minority may have succeeded in obtaining write access to the web root directory, thus defacing the website. In some cases, in order to bring a website back online, the admins might have had to reboot the systems, which could take a few minutes, so it's quite possible that a few websites were down for a few minutes.
So, it doesn't seem like Anonymous was carrying out sophisticated attacks aimed at compromising the government's core IT infrastructures, which, as I indicated earlier, may not even be directly connected to the Internet, or, if they are, are likely a few (router) hops out with intrusion-detection systems in place.
Anonymous certainly seems to have a lot of fervor but does not seem to have much in the way of the advanced technical sophistication required to enact a serious enterprise-security threat, at least just yet.
For instance, while they may be very good at good old-fashioned network security attacks (i.e. exploiting inherent limitations of TCP/IP, carrying out DDOS attacks, engaging in password guessing/brute-forcing etc.), which are an archaic science today, they don't appear to be very good at systems security (attacking Kerberos, engaging in Active Directory privilege escalation etc.) yet. Based on what we've seen thus far as part of their latest performance in waging 'Cyberwar' against Israel, their capabilities seemed rather simplistic.
As for suggesting that Israel's claim of 44 million cyber-attacks seemed over-stated or mis-represented: in light of the nature of the attacks believed to have been carried out, it appears that the actual number of attack attempts may have been in the thousands, and that 44 million may be the number of TCP SYN packets that the entirety of the government's web servers received as part of these attacks. Alternatively, 44 million may have been the number of computers used as bots to launch these attacks.
So, in all likelihood, it's not that there were 44 million attacks, but that 44 million TCP SYN packets were received by their web servers over the course of these few days, or that 44 million Internet-connected machines were used (largely remote-controlled) to launch these attacks. A SYN flood generates enormous packet counts from a comparatively small number of sources, so counting packets and counting attacks are very different things.
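To make the difference between "packets received" and "attack attempts" concrete, here is a small added example (my own illustration, not code from the original post): it aggregates per-source TCP connection records of the kind the DDOS discussion above refers to, counts SYNs against completed handshakes, and flags the sources that look like SYN-flood participants. The record format, the threshold and the traffic itself are constructed for the example and do not come from any real capture.

```python
"""Distinguish raw SYN-packet counts from the number of attacking sources.

Constructed example. Assumed (hypothetical) record format, one per line:
    <epoch_seconds> <src_ip> <dst_ip>:<dst_port> <tcp_flags>
where tcp_flags is a string of flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST.
"""
import re
from collections import defaultdict

RECORD_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+):(\d+)\s+([SAPFR]+)$")


def parse_record(line):
    """Parse one record into (timestamp, src, dst, dport, flags)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts, src, dst, port, flags = m.groups()
    return int(ts), src, dst, int(port), flags


def build_sample_records():
    """Constructed traffic (not a real capture): three hosts that send
    hundreds of SYNs and never complete a handshake, plus three ordinary
    clients that each open one connection and then send data."""
    lines = []
    flood_sources = ["203.0.113.10", "203.0.113.11", "198.18.0.7"]
    for i in range(500):
        for src in flood_sources:
            lines.append(f"{1352800000 + i // 50} {src} 192.0.2.80:80 S")
    for n, src in enumerate(["192.0.2.200", "192.0.2.201", "192.0.2.202"]):
        ts = 1352800000 + n
        lines.append(f"{ts} {src} 192.0.2.80:80 S")      # SYN
        lines.append(f"{ts} {src} 192.0.2.80:80 A")      # final ACK of handshake
        lines.append(f"{ts + 1} {src} 192.0.2.80:80 PA")  # request data
    return lines


def summarize(lines, syn_threshold=100):
    """Count SYNs per source and flag sources that exceed the threshold
    without ever completing a handshake (no ACK seen from them)."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for line in lines:
        _, src, _, _, flags = parse_record(line)
        if "S" in flags and "A" not in flags:
            syns[src] += 1          # a bare SYN: costs the server a half-open slot
        elif "A" in flags:
            acks[src] += 1          # an ACK: this source is actually talking
    flagged = sorted(
        src for src, n in syns.items()
        if n >= syn_threshold and acks.get(src, 0) == 0
    )
    return {
        "total_syns": sum(syns.values()),
        "distinct_sources": len(syns),
        "flagged_sources": flagged,
        "syns_per_flagged_source": {s: syns[s] for s in flagged},
    }


if __name__ == "__main__":
    report = summarize(build_sample_records())
    print(f"SYN packets received : {report['total_syns']}")
    print(f"distinct sources     : {report['distinct_sources']}")
    print(f"likely flood sources : {report['flagged_sources']}")
```

Run on the constructed sample, the script reports 1,503 SYN packets but only three flood sources out of six hosts; scaled up, that is exactly how a headline figure of tens of millions of "attacks" can arise from a few thousand attacking hosts. The threshold and the "no ACK ever seen" rule are deliberately simple; in practice you would evaluate both within a time window so that a busy legitimate client is not confused with a flooder.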
Israel's finance minister said that they are "reaping the fruits on the investment in recent years in the development of computerized defense systems." I suppose they've invested heavily in trying to protect their systems from cyber-attacks aimed at their public websites and the protection of their DMZs.
However, I wonder if they're adequately protected when it comes to protecting critical components of their internal IT infrastructures (e.g. their Active Directory deployments) equally rigorously. Perhaps that's what the finance minister may have been alluding to when he added that "but we have a lot of work in store for us" in a written statement.
All said and done, while the emphasis and importance given to cyber-security is good, it would also be helpful if folks actually understood the difference between simple cyber-security attacks and sophisticated enterprise-security attacks.
In fairness to them, I suppose they might claim that they include enterprise-security when talking about cyber-security, and if they do, then I must say that, in the interest of public service, they need to communicate the vast difference between attacks on organizations' websites and attacks on organizational IT infrastructures.
Imagine a vast land with many fortresses.
Then imagine a little tent in front of each fortress designed to greet visitors to inform them about their fortress, provide helpful information, and possibly sell a few souvenirs.
Now imagine someone trying to shut down the tent, or change the poster that shows the fortress's name on top of the tent, or take the tent down. Doing any or all of the above would not materially impact the fortress a bit.
That is essentially your average simplistic cyber-security threat.
Then, fast forward to the use of advanced attack-vectors, and imagine James Bond skydiving into the fortress at night, then using electromagnetic radiation to disable all the metal locks on all the doors within the fortress, and possibly to the fortress itself, making room for an army to invade the fortress overnight.
That is essentially your average sophisticated enterprise-security threat.
So, you see, there is a vast difference between taking the tent out and taking the fortress out.
PS: I apologize if this wasn't written perfectly. I only had 15 minutes to put this together, given my responsibilities at Paramount Defenses. I trust that you'll get the drift.