What Do IMF, Citigroup, And Sony Hacks Share?

Many organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured, security experts say.
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
To the non-stop list of organizations suffering hacking attacks, now add the International Monetary Fund (IMF). Over the weekend, the organization confirmed to multiple news outlets that its systems had been breached in recent months by a sophisticated attack.

"This was a very major breach," an unnamed official told the New York Times, indicating that the attack had occurred or at least begun several months ago. Accordingly, the attack would have predated the arrest of Dominique Strauss-Kahn, who resigned as managing director of the IMF last month after being arrested in New York and charged with sexual assault.

Meanwhile, an unnamed source told Bloomberg that the attack was state-backed, though declined to name a suspected government. That could be an attempt to avoid riling a country that's also one of the IMF's 187 member countries.

Additional details about the IMF attack remain scarce, however, and a spokesperson for the IMF was not available for immediate comment.

Why target the IMF? "These attacks are particularly dangerous because now the hackers have potentially obtained sensitive information on developing nations and their fiscal conditions," said information security expert John D'Arcy, assistant professor of IT management at the University of Notre Dame, in an email. "The value of such information is arguably higher than, say, someone's credit card number or social security number."

The IMF hack follows recent attacks against numerous organizations, including Citigroup and Sony. Earlier this year, attackers also broke into the systems of EMC's RSA security division, stealing data related to its two-factor SecurID authentication system. That led to worries that the attackers might be able to compromise any organization that uses SecurID, and RSA confirmed that attackers had attempted to do just that in a failed attack against Lockheed Martin in May.

Interestingly, according to new reports, the IMF uses RSA SecurID tokens. But there's no indication that attackers exploited the devices.

Instead, most security experts suspect spear-phishing to be the cause. This technique, which uses personalized but fake emails to entice recipients into installing malware or visiting malicious websites, has lately been on the rise.

Earlier this month, for example, Google warned Gmail users about a spear-phishing attack that was targeting high-ranking politicians, among others, and alleged that the attacks had originated in Jinan, China. According to news reports, the city's Lanxiang vocational school may train computer engineers for the People's Liberation Army. Both the Chinese government and the school have denied any involvement in the Google attacks.

With hacking attacks on the rise, what's interesting is that more businesses do seem to be aware of when they've been attacked, and also ready to confirm it. "What's encouraging is to see organizations such as the IMF making public announcements about successful attacks on them, when we know that many more such incidents go unreported--and an even larger number go undetected," said Henry Harrison, technical director at Detica, a business and technology consulting firm owned by BAE Systems, in an email.

But why are so many organizations now not only suffering hacking attacks, but also seeing their systems get breached? "The question with all of these breaches, such as the Sony breach--which encrypted the credit card data, but nothing else--with the IMF, Epsilon, ... goes to, why weren't solid data security practices being implemented at these organizations?" said Gretchen Hellman, VP of product management for data security vendor Vormetric, in a phone interview.

The answer, she said, is that many organizations have been focusing on complying with regulations, rather than taking a top-down look at what most needs to be secured. Indeed, most of the information stolen in recent attacks hasn't been regulated, and likewise wasn't encrypted. "Security has been driven by compliance for the past seven years, starting with Sarbanes-Oxley and going to PCI," she said. "So there's been a focus on complying with regulations, and not focusing on a strong, holistic, layered security program--everything from end user awareness training to encrypting and controlling access to data with a strong separation of duties program, to monitoring activity to ensure that you can capture malicious activity as soon as it starts."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)