« Hack attack! » Three key messages for Senior Management

With the acceleration of "targeted attacks", companies and public agencies should, to the extent that is possible, remediate the vulnerabilities of their information systems, without neglecting the need for vigilance and a robust capacity for security incident response.
2011 has seen a dramatic acceleration of attacks against corporate and government information systems, and the year appears to be poised to break all records for losses of confidential data.
The case of Sony was particularly striking. An attack discovered in April against the PlayStation Network compromised the personal data of 75 million customers and required 23 days of network shutdown. Another, in early May against Sony Online Entertainment, involved the data of 25 million customers. Sony executives have estimated the cost of these attacks at more than $170 million, not including (as yet) the potential costs of the 58 customer class action lawsuits for negligence in the protection of personal data. Given the stakes (financial, reputational, regulatory, even geopolitical in some cases), ultimate responsibility has risen to the level of Senior Management, in particular as reflected in the organisation's formal Security Policy. This means that information system managers have to provide senior managers with executive-level, actionable information enabling them to assess the business risks and to commit the necessary resources to mitigate them. As a starting point, in this research note we suggest three fundamental messages for senior management.

1. Any information system is vulnerable to a determined and persistent attack
This first principle is not an admission of defeat but simply a lucid vision of an unfortunate reality, repeatedly confirmed by the successful attacks this year against corporate groups and government agencies.
In addition to Sony, among the best known "victims" are RSA Security, Lockheed Martin, Epsilon, NASA, the FBI, Citigroup and dozens of other companies and governments. These were targeted and persistent attacks, of a criminal or political-ideological nature, or of motivations that are still unclear. Despite this state of affairs, a number of organisations still have what might be called "a false sense of security", for several reasons. We'll mention three:
Complying with a security standard is of course a very good thing… but compliance is not the same thing as security. A pertinent example is provided by the (now famous) attack against Heartland Payment Systems, a leading card payment processing company. In 2007-2008, criminals stole over 100 million card numbers (presumably to be resold on the black market), despite the fact that the company had been certified as compliant with PCI DSS, a particularly tough, international standard.
Relying on security products and specialist security vendors is, once again, a good thing, but the protection is never total. An especially instructive example this year: the attack against RSA Security, which resulted in the theft of critical information concerning its SecurID authentication product, used by over 25,000 businesses and government agencies. This well publicised case was a real "wake up call" for the IT industry, demonstrating that even the best experts cannot always protect their own companies. We can also note that in its report this year on the security of software, Veracode (authoritative on the subject) found that 72% of the security products and services that were tested presented an unacceptable level of insecurity.
Testing the system for vulnerabilities (vulnerability scans, penetration tests) has the advantage of providing a factual basis of weaknesses to correct. The disadvantage is that the tests, by definition, are never complete. In addition, the failure to discover some potential vulnerability only proves that it was not found. On balance, we believe that the most reasonable working assumption is that the information system is not only vulnerable but that it has already been penetrated. Whether the organisation knows it or not is another question.

2. An organisation can reduce its vulnerability by acting on the most commonly used attack vectors
When an attack against a company is discovered and made public, it is quite common that the victim (for understandable reasons) is quick to explain how the attack was "advanced" or even "unprecedented."
While attacks on the Internet are tending to become more sophisticated, the fact remains that the majority of them still rely (at least in part) on well known vulnerabilities and techniques. Even so, many organisations do not seriously protect themselves against the most common attack vectors. Here, we will limit the discussion to two particularly important areas of risk:
It is generally accepted that Web facing applications are targeted, at least as entry points, in more than half of the attacks against information systems over the Internet. Techniques such as "SQL Injection" and "Cross Site Scripting", which exploit vulnerabilities in Web applications, have been known for a long time, but they continue to do a lot of damage. "SQL Injection", in particular, was used in the attack on Heartland and also, according to some sources, in the case of Sony. However, there are defensive measures that can be taken. Various industry players (IBM, HP, ...) offer tools for automated "code scanning" that find vulnerabilities in the application's source code so that they can be corrected. Alternatively or as a complement, a "Web Application Firewall" (a firewall that inspects HTTP requests and responses at the application level, rather than only packet headers) can provide dynamic protection, with the caveat that it filters known attack patterns and does not remove the underlying flaw.
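To make the "SQL Injection" point concrete for a non-specialist reader, here is an added example that is not part of the original article: a login check written the way a code scanner would flag it (the query is assembled by string concatenation) next to the corrected form (a parameterised query, where the database driver binds the input as data). The users table, the credentials and the two attack strings are constructed for the example; a real system would store password hashes, which does not change the point about how the query is built.

```python
import sqlite3

# Constructed sample data for the example (not real accounts). A real
# system stores password hashes, not plaintext; only the query matters here.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "hunter2")]


def make_db():
    """Builds an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the caller's input is parsed as
    SQL, so a quote character in the input changes the meaning of the query.
    This is the pattern automated code scanners flag as SQL injection."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the driver binds the
    input as data, so the input can never become part of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed): a SQL comment that truncates the
# statement before the password check, and a tautology that makes the
# WHERE clause true for every row.
COMMENT_PAYLOAD = "bob'--"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Runs the same inputs through both functions and returns the results."""
    conn = make_db()
    return {
        # Genuine credentials work through the safe function.
        "legit_safe": login_safe(conn, "bob", "hunter2"),
        # "bob'--" with a wrong password: the vulnerable query becomes
        # ... WHERE username = 'bob'-- ... and logs in as bob.
        "comment_vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        # The safe query looks for a user literally named "bob'--": none.
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        # Unknown user plus tautology: the vulnerable query matches every
        # row and returns the first account in the table.
        "tautology_vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        # The safe query compares the password to the literal string: none.
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is not to filter quote characters in the application (a Web Application Firewall does that, as a stopgap) but to use the parameterised form everywhere user input meets a query; that is what a code scanning tool is looking for.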
One of the most common ways to compromise the "client devices" of an information system is a technique called "spear phishing", which "fishes" (so to speak) for imprudent users as an entry point to the organisation's systems. Attackers send targeted emails that carry malicious software ("malware") via a URL or an infected file attachment. Once the client is compromised, the infection can spread and the attack continues, one way or another, against the heart of the information system. Often, these (and similar) attacks exploit vulnerabilities in widely used programs such as Adobe Reader, QuickTime, Adobe Flash or Microsoft Office. Unfortunately, most organisations are much slower to apply security "patches" on the client side, where the risk is greater, than in the data centre. In the case of RSA Security, employees of the company received an email with the intriguing subject line "2011 Recruitment Plan". An attached Excel file contained custom malware that exploited a vulnerability in Adobe Flash. The attackers assumed (correctly) that at least one employee would not resist the temptation to open the file. As a result, they were able to take control of the infected user computer and penetrate the otherwise robust defences of the company. To be fair to RSA Security, we should note that the malware exploited a "zero day" vulnerability, in other words a software fault that had not yet been publicly disclosed and for which no "patch" was available. (Subsequently, the vendor Adobe quickly provided the patch.) Even so, the employee should never have opened the attachment. At the level of the client device, the real difficulties are not so much the technical tools (such as anti-malware suites) but rather the security processes and the human factor, especially the security awareness of employees. The preceding discussion is not exhaustive.
It could have been usefully extended to, for example, the growing threats to mobile devices or the fragility of industrial control systems. Even so, Web facing applications and the user's client devices, both major gateways into the information system, are two domains that encompass a very big proportion of the attack vectors and hence the risks. In any case, it is clear that an organisation can reduce its vulnerability by dealing with the technical, organisational and human factors. The attacks of 2011 show that much remains to be done.

3. Whatever the quality of the preventive measures, the capacity of an organisation to respond to attacks is crucial
This message is a logical corollary of our first principle concerning the vulnerability of any information system. When the system’s defenses are penetrated, everything depends on the capability to block the attack as fast as possible and to stop data leakage and other damage.
Unfortunately, one often sees an imbalance between prevention and response, both in terms of management attention and on the technical, organisational and budgetary levels. Even if "prevention is better than cure", an organisation should nonetheless have the means to know that it is under attack and to defend itself. In the case of Heartland and many others, the attack went on for months before finally being discovered and blocked. Concretely, a robust security incident response capacity requires tools to monitor the various infrastructure components, identify anomalies and trigger predefined alerts, while also providing the technicians with the right information at each step of handling an incident. The processes are as important as the tools, especially the process of escalation from the first level of monitoring and analysis of incidents to higher levels of complete diagnosis and decision making. Admittedly, this may not be within reach of an SMB with a small IT team, except perhaps as an outsourced function. For larger organisations, however, we believe that it is essential to have a real response capability, be it internal or outsourced, that is structured and sized on the basis of a lucid risk analysis. To illustrate what could be at stake, let's come back to the attacks against Sony. In one of the class action lawsuits for negligence in federal court, the plaintiffs claim (among other grievances) that, as a cost cutting move, Sony had laid off a number of technicians in the unit responsible for responding to security incidents only two weeks before the attack. True or false, this sort of accusation raises the question of the potential legal liability of companies whose inadequate response capacity could negligently endanger the personal data of customers.

Conclusion
The stakes in targeted attacks are high, and their acceleration in 2011 demands attention from senior management at both companies and government agencies.
Fortunately, an organisation can reduce its vulnerability, generally by dealing as a priority with the most common attack vectors and acting on the technical, organisational and human aspects of the problem. However, the protection will never be perfect, and the organisation should also have the capabilities, in terms of tools and processes, to identify and block intrusions as quickly as possible. We therefore recommend a balanced approach, combining strong preventive measures with a robust capacity for security incident response.

Donald Callahan
Friday 26 August 2011