Enterprise security pros have plenty to worry about: malware, insiders stealing information, an employee leaving an unencrypted notebook full of gigabytes of intellectual property on a train. However, the spate of hacktivist attacks in recent years from groups such as Anonymous and LulzSec has upped the anxiety level. According to a number of recent surveys, Most IT and security professionals see Anonymous as a serious threat to their companies.
So what to do about it? Should it change the way organizations secure their systems? Experts say, simply, most enterprises probably should.
The first piece of advice is to forget about security through obscurity. Assume you will be a target. "One of the interesting things about hactivism is that it is difficult for a company to determine in advance whether it is going to be the subject of a hacktivist attack," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation "Take a mid-sized company that manufactures widgets in Wisconsin. They could easily ask: 'Why would hactivists be after us.'"
There are plenty of unforeseeable reasons. "We're not involved in politics. We don't do anything particularly controversial. Suddenly, the spokesperson they have for their ads, who they've hired from their public relations firm, who in turn hired an ad firm, that's hired a person to put together an ad that hired an actress who says something that offends some group. Now you're off to the races. The point is it may be nothing they did. They may be a victim of circumstance or happenstance," says Rasch.
"Today, security teams also need to be aware of public actions taken by their respective employers that might make them a target, and they need to be prepared to react," says Shawn Moyer, practice manager, research consulting at Accuvant Labs.
Hacktivist attacks can run the gamut from traditional website defacements to denial-of-service attacks and the theft of IP or log-on credentials which are then dumped publicly on the Internet in a desire to create embarrassment.
"Most of the successful Anonymous attacks have been taking advantage of very bad practices," says John Pescatore, vice president and research fellow at Gartner. Organizations would be wise to bolster their denial of service defenses. "One of the things that surprised a lot of companies have been the denial of service attacks. Suddenly they are identified with being against WikiLeaks or whatever, and they're getting slammed," he says.
"15 years ago when lightning struck an electric pole and the lights went out, the computers went dark, and everybody went out and stood in the hall. We learned that a data center without electricity is pretty useless. Now companies routinely spend money on back-up power supplies like emergency generators. The same now needs to be true now with the Internet connection. If the electricity stays up but the Internet connection goes down the data center is sort of an expensive lump of metal. You need the same reliability on your Internet connection and the Anonymous attacks are good examples of why," he says.
Another expert says enterprises should check their susceptibility to website defacements, if only to protect themselves from embarrassment.
Finally, and perhaps most important, is to bolster an organization's ability to rapidly respond to incidents along with maintaining one's defenses. "We are progressing from the idea where you try to secure your network with essentially moats and castles to prevent every attack to almost an acknowledgement that a determined attacker will likely find some way into some part of your network," says Rasch.
Moyer and many others argue that it's time for enterprises to wake up from focusing heavily on regulatory compliance and move away from any checkbox security mentality. "The larger point isn't whether Anonymous is likely to target someone's environment or not, but that shoddy security practices will eventually come back to bite them. For the past few years, the primary objective for many security teams has been passing an endless stream of IT audits, enforcing a checkbox mentality that doesn't measure up against any competent adversary." Moyer says.