You have probably read the news that search giant Google made the highly unusual move of announcing that it was the victim of an attack against its corporate network, and that intellectual property was allegedly stolen. Of particular note is how this attack used many different pieces of malware - some reports mention a dozen - as well as encryption to burrow undetected into Google's internal network.
In fact, Dmitri Alperovitch, vice president of threat research for McAfee, was quoted as saying, "We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack." Alperovitch went on to highlight how this attack is "totally changing the threat model." In the meantime, other companies such as Adobe have also come forward with reference to a "sophisticated, coordinated attack against [their] corporate network systems."
The companies involved are understandably not keen to elaborate on what exactly happened, or on the extent of the damage. However, additional information has since been uncovered by dissecting some of the malware used. You can read more details of the process here, courtesy of investigations by security vendor McAfee. Even a cursory read of the attack process - or what is known of it - certainly proved fascinating to me.
What happened here involved a brand-new vulnerability being exploited in a commonly used application (Internet Explorer) in order to load obfuscated malware. Encryption was used extensively, and the malware communicated over SSL connections to evade any internal firewalls or intrusion detection devices that might have been deployed.
Rather than reacting in fear and panic, we need to bear one thing in mind: these cyber attacks do not represent any new paradigm or technique in hacking. Ultimately, the breach relied on methods and vectors that we have long written about and discussed on this blog.
Internet Explorer: I've been a staunch opponent of the use of popular software with a poor track record on security. Indeed, I have written about moving away from Internet Explorer, specifically Internet Explorer 6. While there is no guarantee that other browsers will not be used as attack vectors, the attack in this instance was specially crafted to exploit a "zero day" vulnerability in Internet Explorer.
Antivirus: Traditional signature-based antivirus defenses have little hope of detecting new or custom malware. Another option is for SMBs to take a closer look at alternative solutions, such as application whitelisting. In all fairness, there is no way to determine whether whitelisting could have thwarted the hacking in this instance. Still, the perpetrators would surely have tested their malware against popular antivirus scanners before deploying it, which makes additional layers of defense that much more attractive.
So what lesson can we learn here? In the past, SMBs have been guilty of shying away from investing in and implementing adequate security measures. Common refrains range from "It's not like we deal with military secrets" to "Cyber attacks are just stuff you find in movies and novels."
More than anything, this debacle clearly shows that targeted hacking is a very real threat, and that security is a reality that commercial entities, including SMBs, can no longer ignore. Organizations need to budget for, and then implement, the appropriate security defenses - and do it today.