Attacks/Breaches
6/13/2011
01:08 PM

What Do IMF, Citigroup, And Sony Hacks Share?

Many organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured, security experts say.

To the non-stop list of organizations suffering hacking attacks, now add the International Monetary Fund (IMF). Over the weekend, the organization confirmed to multiple news outlets that its systems had been breached in recent months by a sophisticated attack.

"This was a very major breach," an unnamed official told the New York Times, indicating that the attack had occurred or at least begun several months ago. Accordingly, the attack would have predated the arrest of Dominique Strauss-Kahn, who resigned as managing director of the IMF last month after being arrested in New York and charged with sexual assault.

Meanwhile, an unnamed source told Bloomberg that the attack was state-backed, though the source declined to name a suspected government. That could be an attempt to avoid riling a country that's also one of the IMF's 187 member countries.

Additional details about the IMF attack remain scarce, however, and a spokesperson for the IMF was not available for immediate comment.

Why target the IMF? "These attacks are particularly dangerous because now the hackers have potentially obtained sensitive information on developing nations and their fiscal conditions," said information security expert John D'Arcy, assistant professor of IT management at the University of Notre Dame, in an email. "The value of such information is arguably higher than, say, someone's credit card number or social security number."

The IMF hack follows recent attacks against numerous organizations, including Citigroup and Sony. Earlier this year, attackers also broke into the systems of EMC's RSA security division, stealing data related to its two-factor SecurID authentication system. That led to worries that the attackers might be able to compromise any organization that uses SecurID, and RSA confirmed that attackers had attempted to do just that in a failed attack against Lockheed Martin in May.

Interestingly, according to news reports, the IMF uses RSA SecurID tokens. But there's no indication that attackers exploited the devices.

Instead, most security experts suspect spear-phishing to be the cause. This technique, which uses personalized but fake emails to entice recipients into installing malware or visiting malicious websites, has lately been on the rise.

Earlier this month, for example, Google warned Gmail users about a spear-phishing attack that was targeting high-ranking politicians, among others, and alleged that the attacks had originated in Jinan, China. According to news reports, the city's Lanxiang vocational school may train computer engineers for the People's Liberation Army. Both the Chinese government and the school have denied any involvement in the Google attacks.
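The spear-phishing pattern described above (a personalized message that imitates a trusted sender and steers the recipient to malware or a malicious site) leaves a handful of header and body inconsistencies that mail-gateway detection commonly keys on. The following is an added example written for this article, not code from the original page or from any organization named in it: it scores a message on four such inconsistencies. The protected domain `example-fund.org`, the `KNOWN_SENDERS` display names, the sample messages and the `SUSPICIOUS_AT` threshold are all constructed assumptions.

```python
"""Heuristic spear-phishing indicator scoring over constructed sample emails.

Added example for this article, not code from the original page or from any
organisation named in it. ORG_DOMAIN, KNOWN_SENDERS, SUSPICIOUS_AT and the
sample messages below are constructed assumptions for illustration.
"""
import re
import textwrap
from email import message_from_string, policy

ORG_DOMAIN = "example-fund.org"                  # assumed domain being protected
KNOWN_SENDERS = {"jane doe", "it service desk"}  # assumed display names worth impersonating
SUSPICIOUS_AT = 2                                # assumed threshold: indicators needed for a verdict

HREF_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s:<]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character domain imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, target: str) -> bool:
    """True when domain imitates target: near-miss spelling, or target embedded in a longer name."""
    if not domain or domain == target or domain.endswith("." + target):
        return False  # exact match and genuine subdomains are not lookalikes
    return target in domain or edit_distance(domain, target) <= 2


def analyze(raw: str) -> dict:
    """Parse one RFC 5322 message and return the spear-phishing indicators it trips."""
    msg = message_from_string(raw, policy=policy.default)
    indicators = []

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    # 1. A trusted display name on an address outside the organisation.
    if sender.display_name.lower() in KNOWN_SENDERS and from_domain != ORG_DOMAIN:
        indicators.append("display_name_impersonation")
    # 2. Sender domain that imitates the organisation's domain.
    if looks_alike(from_domain, ORG_DOMAIN):
        indicators.append("lookalike_sender_domain")
    # 3. Replies silently routed to a different domain than the visible sender.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != from_domain:
        indicators.append("reply_to_mismatch")
    # 4. A link whose visible URL names one host while the href points at another.
    body = msg.get_content() if not msg.is_multipart() else ""
    for link in HREF_RE.finditer(body):
        href_host = HOST_RE.search(link["href"])
        text_host = HOST_RE.search(link["text"])
        if href_host and text_host and href_host.group(1).lower() != text_host.group(1).lower():
            indicators.append("link_text_mismatch")
            break

    score = len(indicators)
    return {"indicators": indicators, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_AT else "ok"}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit_internal": textwrap.dedent("""\
        From: Jane Doe <jane.doe@example-fund.org>
        To: staff@example-fund.org
        Subject: Q2 country report schedule
        Content-Type: text/plain

        Hi all, the schedule is on the intranet. Jane
        """),
    "legit_vendor": textwrap.dedent("""\
        From: Support <support@vendor.example>
        To: analyst@example-fund.org
        Subject: Your ticket has been closed
        Content-Type: text/plain

        Ticket 1234 was closed. Thank you.
        """),
    "spear_phish": textwrap.dedent("""\
        From: Jane Doe <jane.doe@examp1e-fund.org>
        Reply-To: jane.doe@mail-relay.example.net
        To: analyst@example-fund.org
        Subject: Urgent: review attached fiscal brief
        Content-Type: text/html

        <p>Please review via <a href="http://examp1e-fund.org/brief">https://intranet.example-fund.org/brief</a> before noon.</p>
        """),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

The indicators are deliberately independent of each other: a single one (for example an external vendor whose Reply-To points at a ticketing system) is common in legitimate mail, which is why the verdict only flips at two or more. In a real gateway the same checks would be fed by authenticated results (SPF, DKIM, DMARC) rather than raw header text, but the structure of the decision is the same.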

With hacking attacks on the rise, what's interesting is that more businesses do seem to be aware of when they've been attacked, and also ready to confirm it. "What's encouraging is to see organizations such as the IMF making public announcements about successful attacks on them, when we know that many more such incidents go unreported--and an even larger number go undetected," said Henry Harrison, technical director at Detica, a business and technology consulting firm owned by BAE Systems, in an email.

But why are so many organizations now not only suffering hacking attacks, but also seeing their systems get breached? "The question with all of these breaches, such as the Sony breach--which encrypted the credit card data, but nothing else--with the IMF, Epsilon, ... goes to, why weren't solid data security practices being implemented at these organizations?" said Gretchen Hellman, VP of product management for data security vendor Vormetric, in a phone interview.

The answer, she said, is that many organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured. Indeed, most of the information stolen in recent attacks hasn't been regulated, and likewise wasn't encrypted. "Security has been driven by compliance for the past seven years, starting with Sarbanes-Oxley and going to PCI," she said. "So there's been a focus on complying with regulations, and not focusing on a strong, holistic, layered security program--everything from end user awareness training to encrypting and controlling access to data with a strong separation of duties program, to monitoring activity to ensure that you can capture malicious activity as soon as it starts."

