In World War II, Nazi Germany unleashed thousands of Wonder Weapon attacks against its foes. The technologically advanced V-1 flying bombs and V-2 rockets caused over 33,000 casualties in England alone. As innovative as these weapons were, however, they lacked the precision targeting needed to be of significant tactical value and to avoid collateral (civilian) damage. With limited accuracy (i.e. “probably” hitting London), they became Nazi tools of reprisal and terror. Life in and around London was significantly affected by the constant threat of these attacks (often about 100 per day), yet the British used their stiff upper lips to Keep Calm and Carry On. People still went to work. Commerce continued.
Flash forward 70-plus years, to 2016. On Friday, October 21st, a massive distributed denial of service (DDoS) attack made many major websites unreachable across significant portions of the United States and some parts of Europe. The attackers realized they could effectively take large parts of the Internet offline, not by storming the walls of the most heavily fortified and obvious targets, but by overloading the capacity of a supporting “utility” provider (the DNS service those sites depended on). Their “army” was a multitude of smart devices (connected to the Internet with factory-default passwords) that had been infected with purpose-written malware, the botnet known as Mirai.
With apologies to all who suffered physical injury and loss in WWII, there are similarities, lessons, and relevant questions that should be applied to our current situation. The chief similarity between then and now is the widespread effect on individual, commercial, governmental, and military targets alike. Technologically advanced weapons still indiscriminately hit common citizens, small businesses, non-profit organizations, and hospitals. All in a time of pervasive electronic interconnectivity and interdependency, where commerce must continue.
Attacks of this kind will continue, because multitudes of smart devices have been (and will continue to be) deployed with generic, factory-default passwords. These attacks are effective, low risk, and low cost, and they allow the covert massing of a disciplined “army” that attacks only upon command. Combining these methods with phishing, ransomware, etc. could do much more damage than mere denial of service. Even well-protected infrastructure, companies, organizations, and individuals could be compromised by “sleeper insiders”: malware-infected smart devices that sit inside the security perimeter as trusted hosts and wreak all manner of havoc when activated.
What should we do to face and overcome these threats? While no easy or all-encompassing solution exists, we recommend:
- Documenting all electronic assets (anything with an IP address)
- Characterizing and auditing the security state of each electronic asset
- Learning and documenting every organizational process, product, and service that depends on those assets, and how each behaves when the assets are degraded or unavailable
- Minimizing dependency on external services (maintain at least a minimal local operating capability, so that core operations continue through substantial external outages)
- Designing and testing restoration procedures to ensure seamless, accurate operations when external services are restored
- Updating risk assessments based on the factors outlined above
- Implementing and validating mitigation measures to minimize damage from incidents of this kind, and
- Incorporating independent, objective professional planning and review of the above to maximize effectiveness while minimizing residual risk exposure
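The first two recommendations above (document every asset with an IP address, then audit its security state) can be made concrete with a small inventory audit. The script below is an added example written for this post, not the author's own tooling; it assumes a constructed CSV inventory format, a hypothetical list of factory-default logins, and sample rows that are invented for illustration. To avoid keeping plaintext passwords in the inventory, each device's login is recorded as a SHA-256 fingerprint of "user:password", and the audit compares that against fingerprints of known defaults. It also flags the gaps that let "sleeper" devices persist: unknown credential state, no recorded owner, and stale or missing audits.

```python
"""Audit a constructed asset inventory for factory-default logins and audit gaps.

Added example, not code from the original post. The inventory columns, the
default-login list and the sample rows are all assumptions made for
illustration.
"""
import csv
import hashlib
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def _fingerprint(user: str, password: str) -> str:
    """SHA-256 of 'user:password'; the inventory stores this, not the password."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


# Hypothetical factory-default logins (not a real vendor list).
DEFAULT_LOGINS = {
    _fingerprint(u, p)
    for u, p in [("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("root", "12345"), ("user", "user")]
}

# Constructed inventory: one row per device that has an IP address.
# An empty login_fingerprint means nobody has recorded the credential state.
SAMPLE_INVENTORY = "\n".join([
    "ip,kind,owner,login_fingerprint,last_audited,internet_exposed",
    f"192.0.2.10,ip-camera,facilities,{_fingerprint('admin', 'admin')},2016-08-01,yes",
    f"192.0.2.11,dvr,,{_fingerprint('root', '12345')},,yes",
    f"192.0.2.12,printer,it,{_fingerprint('svc-print', 'L0ng-Un1que-Pa55')},2016-10-10,no",
    "192.0.2.13,thermostat,facilities,,,no",
])

AUDIT_DATE = date(2016, 10, 21)  # the day of the attack described in the post


@dataclass
class Asset:
    ip: str
    kind: str
    owner: str
    login_fingerprint: str
    last_audited: Optional[date]
    internet_exposed: bool


@dataclass
class Finding:
    ip: str
    severity: str  # "high", "medium" or "low"
    message: str


def load_inventory(text: str) -> List[Asset]:
    """Parse the CSV inventory into Asset records."""
    assets = []
    for r in csv.DictReader(io.StringIO(text)):
        audited = r["last_audited"].strip()
        assets.append(Asset(
            ip=r["ip"].strip(),
            kind=r["kind"].strip(),
            owner=r["owner"].strip(),
            login_fingerprint=r["login_fingerprint"].strip(),
            last_audited=date.fromisoformat(audited) if audited else None,
            internet_exposed=r["internet_exposed"].strip().lower() == "yes",
        ))
    return assets


def audit(assets: List[Asset], as_of: date, max_age_days: int = 90) -> List[Finding]:
    """Flag default logins, unknown credential state, missing owners and stale audits."""
    findings = []
    for a in assets:
        if a.login_fingerprint in DEFAULT_LOGINS:
            # A default login on an Internet-exposed device is exactly what the botnet recruited.
            sev = "high" if a.internet_exposed else "medium"
            findings.append(Finding(a.ip, sev, f"{a.kind}: factory-default login still in use"))
        elif not a.login_fingerprint:
            findings.append(Finding(a.ip, "medium", f"{a.kind}: credential state unknown"))
        if a.last_audited is None:
            findings.append(Finding(a.ip, "medium", f"{a.kind}: never audited"))
        elif (as_of - a.last_audited).days > max_age_days:
            findings.append(Finding(a.ip, "low", f"{a.kind}: audit older than {max_age_days} days"))
        if not a.owner:
            findings.append(Finding(a.ip, "low", f"{a.kind}: no owner recorded"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def run_sample() -> Dict[str, int]:
    """Audit the constructed inventory as of AUDIT_DATE and return the severity counts."""
    return summarize(audit(load_inventory(SAMPLE_INVENTORY), AUDIT_DATE))


if __name__ == "__main__":
    for f in audit(load_inventory(SAMPLE_INVENTORY), AUDIT_DATE):
        print(f"[{f.severity:6}] {f.ip:12} {f.message}")
    print(run_sample())
```

On the sample rows the two Internet-exposed devices with default logins come out as the two high-severity findings, which is the population an attacker scanning for default credentials would find first. In practice the inventory would be fed by network discovery rather than typed by hand, and the fingerprint would be refreshed at each audit; the point of the example is that the audit cannot be meaningful until every IP-bearing device has a row, an owner, and a recorded credential state.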
What we have seen thus far and what lies ahead are significant challenges to individual and institutional information security. Automated tools and the evolution of smart devices will make a big difference, but it will take time for these solutions to emerge. Even then, adversaries will evolve and the chess match between threats and security will continue. For now and for the future, diligence and continual improvement of method will limit the damage from cyber attacks.
Keep Calm and Carry On.