Hack to the Future
Earlier this week Hacktivist group Anonymous publicly announced that they will increase attacks on agricultural products producer Monsanto, in an effort to expose the “corrupt, unethical, and downright evil business practices” of the company. So far the only demonstrable damage has been the release of over 2,500 employees’ contact information, but as history has shown, when groups like Anonymous want something, they work tirelessly to get access to that data/information/network/server/etc.
Hacktivism is not new. As of late, however, the AntiSec Movement, powered by groups like Anonymous, (the former?) Lulzsec, and others, which in turn feed the distribution monster Wikileaks, has gained media prominence and even notoriety in certain circles. While these types of groups claim to be fighting for free access to information and for the destruction of bad or harmful business practices (much like Batman and his quest for justice), their methods and actions remain controversial. Whether or not you agree with Hacktivism, I firmly believe we’re likely to see more of this behavior as media is increasingly focused on these incidents and as the economy remains in a stunted state.
There is no question that the extended depressed (let’s be honest) state of the economy is driving desperation, which in turn drives imprudent behavior. Add to that the notion that non-US nation-states are sponsoring such activities through education, training, personal and job security…and extremely attractive salaries, and suddenly we have an appealing career path.
So what does this mean for the non-Hacktivist information security professionals? It means trouble ahead. No matter how good your team, how secure your systems, how streamlined your processes and procedures, or how airtight your contracts with third-party providers, there is going to be someone more motivated to break what you’re protecting. Probably better funded too. Since a security professional’s job is to protect the information of their employer, and Hacktivists work to get at that information and expose it, we now have to think about what this means to Sara in marketing or Bob in janitorial services. Perhaps a high-ranking official at your company conducts himself with less-than-stellar behavior; does that mean the average underling deserves to have their PII published on the web? Of course not.
IANS’ clients think a lot about this topic. Based directly on client feedback, our Faculty present tracks at our Forums on Information Protection, Incident Response, improved Security Operations, and Risk Mitigation; their sessions are always jam packed and highly interactive. Each company, and perhaps even each individual within a team, has its own idea of what they can do to protect their own organization from being targeted.
In order to understand if your company is a target, it would be helpful to know the motivation of Hacktivist groups. The problem: Hacktivists’ motivations are arguable at best. Some experts think it’s money, some think it’s publicity, and the groups themselves claim they’re after both fame and recognition as well as open availability of information. So what types of organizations are targets? Hacktivists appear to go after organizations that provoke strong public opinion (Monsanto, Apple, Federal and State governments, Westboro Baptist Church) and that are generally global. They are also typically organizations that, themselves, seek the limelight. But do these examples provide a good prediction engine? My personal answer is no.
So what are some of the things you can do to lessen your chances of being a target (“Don’t be controversial”? “Keep a low profile”?)? IANS Faculty and clients recommend:
1. Acknowledge that the name of the game has changed. If corporate information security goes along playing by the old rules, your company will be hacked, maybe not by one of these groups, but someone, somewhere along the way (think: disgruntled ex-employee).
2. Evaluate the tools that can help you identify points of entry and detect infiltrations (DLP, two- or three-factor authentication, encryption, training around social engineering attacks).
3. Create a crisis management team and a data protection strategy: understand the scope of your potential problem and set achievable objectives that can easily be tracked.
We encourage this debate and are interested in any new ideas you might have on the topic. Maybe your company is a target, maybe not. Thinking proactively about the possibility of what is to come is never an exercise in futility, especially since IANS and our clients expect the emergence of even more Hacktivist groups in the coming months based on what we’ve seen and heard.
Please join the conversation - attend an upcoming Forum, comment on this blog post, submit an Ask an Expert query through your account manager - and fuel the fire. The more we can work together proactively, the better prepared we’ll all be when an incident does occur.
