Google Hack: Security a Reality SMBs Can No Longer Ignore

Paul Mah

You've read the news that saw search giant Google making the highly unusual move of announcing that it was a victim of an attack against its corporate network, and that intellectual property has allegedly been stolen. Of particular note is how this attack made use of many different - some reports mention a dozen - pieces of malware, as well as encryption to burrow undetected into Google's internal network.


In fact, Dmitri Alperovitch, vice president of threat research for McAfee, was quoted as saying, "We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack." Alperovitch went on to highlight how this attack is "totally changing the threat model." In the meantime, other companies such as Adobe have also come forward with reference to a "sophisticated, coordinated attack against [their] corporate network systems."


The companies involved are understandably not keen to elaborate on what exactly happened, or the extent of the damage. However, additional information has since been uncovered by dissecting some of the malware used. You can read more details of the process here, courtesy of investigations by security vendor McAfee. A cursory read of the attack process - or what is known of it - certainly proved a fascinating read to me.


What happened here involved a brand-new vulnerability being leveraged in a commonly used application (Internet Explorer), in order to load obfuscated malware. Encryption was extensively used, and the malware made use of SSL connections to deflect any internal firewalls or intrusion scanning devices that might be deployed.


Rather than react in fear and panic, the one thing that we need to bear in mind is this: The cyber attacks do not represent any new paradigm or techniques in hacking. Ultimately, the security breach entailed the use of methods and vectors that we have long written about and discussed on this blog.


Internet Explorer: I've been a staunch opponent of the use of popular software with a poor track record of security. Indeed, I have written about moving away from Internet Explorer, specifically Internet Explorer 6. While there is no guarantee that other browsers will not be used as attack vectors, the malware in this instance was specially crafted to take advantage of a "zero day" vulnerability found in Internet Explorer.


Antivirus: Traditional antivirus defenses have little hope of filtering out new or custom malware. Another option is for SMBs to take a closer look at alternative solutions, such as the use of whitelisting. In all fairness, there is no way to determine whether whitelisting could have thwarted the hacking in this instance. Still, the perpetrators would surely have tested their malware against popular antivirus scanners prior to dispatching it, making additional defenses that much more attractive.


So what lesson can we learn here? In the past, SMBs have been guilty of shying away from investing in and implementing adequate security measures. Common refrains range from "It's not like we deal with military secrets" to "Cyber attacks are just stuff you find in movies and novels."


More than anything, this debacle clearly shows that targeted hacking is a very real threat, and that security is a reality that commercial entities, including SMBs, can no longer ignore. Organizations need to budget for, and then implement, the appropriate security defenses - and do it today.

Jan 21, 2010 6:48 AM Joseph A'Deo says:

Very, very true. Not to beat a corporate dead equine (I work for VeriSign so I'm somewhat in this biz) but companies also need to better educate their employees on general online safety and protocol. A successful phishing hack on a personal computer is a devastating crime, but the same hack leveraged towards credentials that are used for corporate accounts could affect hundreds or thousands of people (like the "stolen company laptop" issue). At the very least SMBs should take note of technology like Extended Validation SSL, which verifies the identity of the site you're on with the phish-proof green URL bar. A few well-planned online safety workshops now could save quite a bundle in damage control later.

Jan 22, 2010 3:50 AM Joseph A'Deo says: in response to Paul Mah

Thanks for your follow-up comment, Paul. As far as convincing organizations to bring in trainers -- I mean obviously there has to be a desire for security and a receptiveness to improvement on the part of the general manager (or whoever's booking/approving trainings) in order for the workshop to really have any impact. That having been said, however, the data speaks loudly -- data breaches from stolen laptops, phishing attempts, and improperly implemented security infrastructures cost corporations millions in the last year alone. There are a handful of resources with these numbers, and also great stories like the one I'll link to below that round-up the worst data breaches from 2009. It can be quite eye-opening:

Jan 22, 2010 12:45 PM Paul Mah says: in response to Joseph A'Deo

Hi Joseph, well said. You mentioned training/safety workshops. I've always wondered how it is possible to convince organizations to bring in some of these trainings for non-IT staffers (who need it the most). Do you have any thoughts or suggestions on this?

Feb 1, 2010 9:56 AM technotera says: in response to Paul Mah

It's a great and knowledgeable site, but if you want to know what, in a complex world of Information Technology and 'technology upheavals', enterprises feel the need for aligning their business objectives with security for optimizing profits. The threat of information collapse for enterprises and ultimately the much intertwined destiny of survival are at stake. TechnoTera.Com offers enterprises a strategic mix of information security consulting services, web and programming solutions. Subscribing to TechnoTera.Com services platform is the difference between enterprise success and failure, innovation and mediocrity, security and threat, entity and non-entity, progression and regression, education and ignorance. For more information about network security, information security, internet security, firewall, IT security, penetration testing, hacking penetration testing, software security, system security, internet security just visit

Feb 12, 2010 5:16 AM Darrin Coulson says:

Thanks for posting this article, very interesting, and I am glad this problem is being called out. Your paragraph says it all:


What happened here involved a brand-new vulnerability being leveraged in a commonly used application (Internet Explorer), in order to load obfuscated malware. Encryption was extensively used, and the malware made use of SSL connections to deflect any internal firewalls or intrusion scanning devices that might be deployed.


I guess a good dose of Google-Induced Buzz (and bloggers/writers like yourself) are creating the visibility.

Our company has a great answer and people are starting to realize the necessity in a BIG way. We have a Transparent SSL Proxy device called an SSL Inspection Appliance that will inspect and decipher SSL traffic at gigabit line rate, handing off clear text to the DLP in an outbound use case or to the IDS/IPS systems, allowing the security devices to regain visibility into this type of traffic. Most systems either ignore SSL (or common SSL ports, i.e. 443) or they have a software solution that brings the network to its knees.

Anyhow, if you or your followers would ever want to chat in more detail to learn more about this type of solution, let me know.

Again, thanks for the article.


Darrin Coulson

Netronome Systems
