The “Phony War” is what commentators called the months of eerie quiet that prevailed in Western Europe between Germany’s September 1939 invasion of Poland and its May 1940 attack through the Low Countries, when the Allies, Britain and France, avoided offensive operations and simply waited for the German Army to regroup and come to them.
We appear to be entering a similar moment in cybersecurity. The hackers have started – and escalated – the war. We’re all familiar with the large data breach earlier this year, when cybercriminals stole payment card information for up to 110 million consumers at one large U.S. retailer. Now just this week comes news that a group operating out of Russia has collected 1.2 billion credentials (usernames and passwords) from 420,000 websites.
In terms of immediate impact, this new revelation is not as serious as the earlier retail breach, which cost the company involved tens of millions of dollars in clean-up costs and contributed to the resignation of two C-level executives. Payment card companies spent months processing replacement accounts for consumers, who also dealt with fraudulent charges (at worst) or the joy of reassigning all their automatic payments to new numbers (at best).
However, the long-run consequences of the modern, massive-scale credential thefts are potentially even more severe. Like the World War II Allies, we find ourselves in a state of hostilities … but still watching and waiting for the big one to hit.
It is clear the cyber risk is growing and that the impact to our institutions may be hitting a tipping point. Armed with such a huge number of accounts and passwords, nation-state or terrorist-linked groups could launch sophisticated attacks on our financial systems and critical infrastructure.
In cyber terms, the bad guys now have nukes. And they’re on the path to getting more.
The recent Heartbleed vulnerability demonstrated that cyber gangs could pull user credentials out of the very SSL/TLS implementation that was intended to protect remote connections and supposedly secure web sites: a bug in OpenSSL’s TLS heartbeat extension let an unauthenticated client read up to 64 KB of server memory per request, and that memory could contain session cookies, usernames and passwords, and even the server’s private key. Exploitation of Heartbleed (and other vulnerabilities) harvested a great deal of intelligence, including random user credentials that could be used to escalate attacks.
As seen in the Kill Chain Analysis methodology at right, the reconnaissance stage can go on for years. In all likelihood, those early compromises led this particular gang into a massive campaign to harvest user credentials across a wide spectrum of sites. As of this moment, we still don’t know how the stolen credentials were protected: whether the passwords were stored in plaintext, encrypted, or hashed, and if hashed, how. The cybersecurity industry will be uneasy until this part of the story, how the attack escalated, has been covered.
However, the situation is not hopeless. We just need to apply the right response, commensurate with the types of known attacks that are on the horizon. Here are a few things to consider:
Change administrative credentials ASAP, and keep rotating them weekly until the vulnerabilities that let the attackers in are fully identified and closed.
Change user credentials and require STRONG passwords.
Change the way credentials are stored so that stolen data is harder to turn back into passwords. Passwords should not be stored encrypted, where one leaked key reveals everything, but hashed with a unique random salt per user and a deliberately slow algorithm (bcrypt, scrypt or PBKDF2), so that an attacker cannot crack the whole dump with one precomputed table. Simple unsalted hashes such as MD5 or SHA-1 are no longer good enough.
As soon as possible, add two-factor authentication, so that a stolen password alone is not enough to log in.
Test your website for vulnerabilities in the context of one of your authenticated users, to assess whether your site could be compromised in the same manner as this attack.
Finally, review your cyber risks in a meaningful, repeatable process. Know what you are up against from both a threat and a vulnerability perspective.
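To make the password-storage recommendation concrete, here is an added example written for this page (it is not Coalfire code or any product’s implementation). It puts the unsalted “simple hash” the text warns against next to a salted, deliberately slow hash built on the standard library’s PBKDF2-HMAC-SHA256, verifies in constant time, and shows how to upgrade a legacy record at login time, the one moment the plaintext password is available. The iteration count, the record format, and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# --- Legacy scheme: unsalted, fast hash (the "simple hash") -----------------
# Two users who choose the same password get the same digest, so one
# precomputed table, or one cracked hash, exposes every account that shares it.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# --- Hardened scheme: per-user random salt + deliberately slow KDF ----------
# PBKDF2-HMAC-SHA256 from the standard library. The iteration count and the
# record format below are this example's own choices (assumptions), not a standard.
PBKDF2_ITERATIONS = 100_000   # tune so one verify costs tens of milliseconds
SALT_BYTES = 16

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = secrets.token_bytes(SALT_BYTES)          # unique random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False                                 # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)         # no early-exit timing leak

def migrate_on_login(password: str, legacy_digest: str) -> Optional[str]:
    """Upgrade one legacy record at login, when the plaintext is briefly available.

    Returns the new hardened record, or None if the password does not match the
    legacy digest (in which case nothing is migrated).
    """
    candidate = legacy_hash(password).encode("ascii")
    if not hmac.compare_digest(candidate, legacy_digest.encode("ascii")):
        return None
    return hash_password(password)

if __name__ == "__main__":
    # Constructed sample data: two users who happened to pick the same password.
    users = {"alice": "Summer2014!", "bob": "Summer2014!"}
    legacy = {u: legacy_hash(p) for u, p in users.items()}
    print("legacy digests identical:", legacy["alice"] == legacy["bob"])        # True
    hardened = {u: hash_password(p) for u, p in users.items()}
    print("hardened records identical:", hardened["alice"] == hardened["bob"])  # False
    print("alice verifies:", verify_password("Summer2014!", hardened["alice"]))  # True
    print("wrong password:", verify_password("summer2014!", hardened["alice"]))  # False
    print("bob migrated:", migrate_on_login("Summer2014!", legacy["bob"]) is not None)  # True
```

The point the demo makes is that under the legacy scheme every account sharing a password falls to a single lookup, while under the salted scheme each record must be attacked separately at the cost of the full iteration count per guess. Migration on login means the legacy column can be retired without ever asking users to reset, but any account that never logs in keeps its weak digest, so set a deadline after which unmigrated records are forced through a reset.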
This is not yet a panic situation. Coalfire is a leading security assessment and cyber risk management firm that conducts over 1,400 assessments each year for leading companies in the financial services, retail, healthcare and government sectors. As yet, none of our 1,400 clients has called to express that they were being overrun with cyber-attacks.
The nervous part is the waiting.