Evidence from the recent Aurora attacks on major American corporations suggests that many may have had tightly locked virtual front doors but little security inside their networks, a McAfee expert warned on Wednesday. In a Security Insights blog post, Paul Kurtz, McAfee's chief technology officer, discussed his study of the December-through-February attacks on Google, Intel, Adobe Systems, and other large firms.
He concluded that "Many organizations have tight security around financial systems and other mission-critical systems, but leave their intellectual-property repositories broadly accessible. The company might have strong perimeter security, but once you're in, the [source code] is readily available."
Protecting 'Crown Jewels'
The Aurora attack, named after a string found in the malware that is believed to be the attackers' internal name for the operation, is thought to have originated in China. The incident has strained relations between the U.S. and Chinese governments and caused Google to reconsider its presence there. The Wall Street Journal reported that as many as 100 companies may have been targeted.
Kurtz said the hackers "went after the crown jewels of the targeted companies, their intellectual property." To do so, they likely tried to gain access to source-code management systems used internally to manage projects. Once they cracked the systems, they would be free to steal the code or implant malicious code.
Kurtz and McAfee's Stuart McClure discussed their findings at the RSA Conference in San Francisco this week, but didn't say whether Google or other companies lost their source code in the attack, according to the Journal. The two have published a white paper on their research available to companies on McAfee's web site.
Stepping Up Security
Data security is one of the fastest-growing technology sectors, with a 53 percent rise in open security positions in the second half of 2009, according to Barclay Simpson's annual market report.
"This is one of those circular issues, where as good as you make the lock, someone's always going to try to find the key to get in," said Michael Gartenberg, a partner at Altimeter Group, a technology consulting firm. "Most companies realize this and are taking aim to make themselves as secure as possible, which is why it's important to take security warnings seriously."
But Gartenberg said external threats aren't the only concern. "In an age where gigabytes worth of information can walk out the door on a device the size of a thumbnail, security efforts become more of a challenge every day," he said.
E. Scott Menter of the consulting firm Shire Ventures said some of the hacked companies may have failed at both the software-procurement level and in managing their source code.
"McAfee is suggesting that the [source-code management] in use at Adobe, and perhaps at Google, failed in some pretty basic and well-understood ways to protect access to the [source code] under its control," said Menter. "It's incredibly difficult for a CIO to control each and every bit of software in use at a company, but certainly something as important as the source-code management system ought to have been rigorously evaluated for obvious security flaws before it was acquired and installed."
Posted: 2010-03-05 @ 8:20pm PT
I agree with the comment regarding the need for access control via authorization and authentication technology. The McAfee report suggests failure in this area, as well as in the manner in which SCM was operated.
Posted: 2010-03-05 @ 7:06am PT
There are few defenses for networks full of low-assurance systems. What is required to defend against persistent adversaries are fine-grained access controls inside the network in a least-privilege environment, on a per-authorized-user basis. This would essentially be an authorization engine that would work in tandem with ID management technologies at the perimeter. At the moment all we have is authentication used as a proxy for authorization, which does not cut it.
A change in the security model is also required, one in which policies governing where sensitive data may be released to, and only in an authorized manner, are enforced.
These attacks essentially become insider attacks on data in use, probably the two weakest areas of IT security traditionally, because they are much harder to defend against than the perimeter, but they are an essential focus of high-assurance systems.
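The two points made above, the article's "once you're in, the source code is readily available" and the comment's "authentication used as a proxy for authorization", can be put side by side in code. What follows is an added illustration by the editor, not code from the article, from McAfee's white paper, or from any commenter. The repository names, the accounts and the "hr-clerk" foothold scenario are constructed for the example; the two classes model the weak and the deny-by-default access model for a source-code management front end.

```python
"""Flat versus least-privilege authorization for a source-code management
(SCM) front end. Editor-added example; all names below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Action(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Principal:
    """An identity as asserted by the perimeter identity layer (assumed to
    have already verified credentials). Authorization below never treats
    'authenticated' alone as sufficient."""
    name: str
    authenticated: bool


class FlatScm:
    """Weak model: authentication used as a proxy for authorization.
    Any authenticated principal may perform any action on any repository,
    so one compromised account exposes every repository."""

    def __init__(self, repos: Set[str]) -> None:
        self.repos = set(repos)

    def authorize(self, who: Principal, repo: str, action: Action) -> bool:
        return who.authenticated and repo in self.repos


@dataclass
class LeastPrivilegeScm:
    """Deny-by-default model: access requires an explicit grant for this
    principal, this repository and this action. Every decision is logged."""
    repos: Set[str]
    grants: Dict[Tuple[str, str], Set[Action]] = field(default_factory=dict)
    audit_log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, who: str, repo: str, *actions: Action) -> None:
        if repo not in self.repos:
            raise KeyError(f"unknown repository {repo!r}")
        self.grants.setdefault((who, repo), set()).update(actions)

    def authorize(self, who: Principal, repo: str, action: Action) -> bool:
        allowed = (
            who.authenticated
            and repo in self.repos
            and action in self.grants.get((who.name, repo), set())
        )
        self.audit_log.append((who.name, repo, action.value, allowed))
        return allowed

    def who_can(self, repo: str, action: Action) -> Set[str]:
        """Reverse lookup: which principals hold `action` on `repo`.
        Use it to review the exposure of an intellectual-property repository."""
        return {who for (who, r), acts in self.grants.items()
                if r == repo and action in acts}


def demo() -> Dict[str, bool]:
    """Constructed scenario: an intruder holds a foothold as an ordinary
    employee account ('hr-clerk') and tries to read product source."""
    repos = {"payroll", "product-source"}
    foothold = Principal("hr-clerk", authenticated=True)

    flat = FlatScm(repos)
    lp = LeastPrivilegeScm(repos)
    lp.grant("hr-clerk", "payroll", Action.READ)
    lp.grant("dev-lead", "product-source", Action.READ, Action.WRITE)

    return {
        "flat_reaches_source": flat.authorize(foothold, "product-source", Action.READ),
        "lp_reaches_source": lp.authorize(foothold, "product-source", Action.READ),
        "lp_reaches_own_data": lp.authorize(foothold, "payroll", Action.READ),
        "lp_unknown_repo": lp.authorize(foothold, "secrets", Action.READ),
        "lp_unauthenticated_dev": lp.authorize(
            Principal("dev-lead", authenticated=False), "product-source", Action.READ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

In the flat model the phished "hr-clerk" account reads product source because the only question asked is whether the session is valid; in the deny-by-default model the same account reaches only the payroll data it was granted, the attempt on product source is refused and recorded, and `who_can` answers the question a review of a "crown jewels" repository should start with: which identities can read it at all.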