Sophisticated Cyber Assault Confused Network Managers
Hard to Differentiate Legitimate, Illegitimate Cyber Traffic
"It started as a flood that was easy for network service providers to filter and then went through at least two increases in sophistication so that the flood looks more and more like legitimate traffic," says Alan Paller, director of research for the SANS Institute, a not-for-profit IT security training and certification provider. "Network providers have to work much harder to filter out malicious traffic that resembles legitimate traffic."
According to data SANS received from targeted organizations, hackers launched the attacks from a botnet that has command and control computers in multiple countries, including the United States. The assailants used different bots, software applications that automate coordinated assaults on computer networks, so that the attacks didn't originate from a static set of computers, Paller says.
Starting over the Independence Day weekend and continuing into the week, hackers targeted government and business websites in the United States and South Korea, causing varying degrees of disruption of service. Among federal government websites reportedly assaulted: the White House, the National Security Agency, the Departments of Defense, Homeland Security, State, Transportation and Treasury, the Federal Trade Commission and the Secret Service. Among business sites said to have been attacked: the New York Stock Exchange, NASDAQ and The Washington Post.
Some government websites repelled the assault, crediting help from their Internet service providers in thwarting the assailants, says Scott Charbo, who served as chief information officer and then deputy undersecretary of national protection and programs at the Department of Homeland Security during President Bush's second term. "It seemed a normal day," says Charbo, Accenture vice president for cybersecurity and telecommunications/U.S. Federal. "They did not experience the attack to the point that they needed to bring the site down to isolate and push policy changes, even though there was activity targeting their domain."
Tom Kellermann, who chaired the threats working group of the Commission on Cybersecurity for the 44th Presidency, also credited the U.S. Computer Emergency Readiness Team (US-CERT) for alerting agencies and businesses to the weekend attack, but gave a tongue-lashing to agencies and businesses that allowed hackers to penetrate their websites, saying these organizations "had a miserable vulnerability management process, had a miserable web application testing program and, for that matter, had a mediocre incident response program."
Kellermann, vice president of security awareness at Core Security Technologies, a provider of IT security testing software, contends hacked organizations must beef up their web application and penetration testing to plug some of the holes that allowed the infiltrations.
What SANS's Paller found troublesome was that too many federal agency security professionals didn't know which network service provider connected their websites to the Internet, so they could not get the network service provider to filter traffic.
"As a result, DHS or US-CERT will probably establish a non-public registry for federal web sites where they maintain up-to-date information about which providers are responsible for the content because of SQL injection errors that let federal sites infect visitors and the network access so they can act much more quickly to help agencies under attack," Paller says. (SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application: user-supplied text is spliced into a query so that it alters the query's structure rather than being treated as data.)
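The parenthetical above defines SQL injection in one sentence; the following is an added illustration of the defect and its standard fix, not code from the article, from SANS or from any of the agencies named. The table, its rows and the malformed input are all constructed for the demonstration; the lookup functions are hypothetical names chosen here.

```python
import sqlite3


def build_demo_db():
    """Create an in-memory database with a few constructed sample rows.
    One row is deliberately unpublished to show what a broken query exposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages (slug, published) VALUES (?, ?)",
        [("press-release-2009-07", 1), ("draft-budget-memo", 0), ("contact", 1)],
    )
    return conn


def lookup_vulnerable(conn, slug):
    """Defective pattern: the user-supplied slug is spliced into the SQL text,
    so a quote character in the input rewrites the WHERE clause."""
    sql = f"SELECT slug FROM pages WHERE published = 1 AND slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, slug):
    """Corrected pattern: the SQL text is fixed and the slug travels as a bound
    parameter, so the database engine treats it purely as a value."""
    sql = "SELECT slug FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Constructed input containing a quote; the kind of value input validation
# and parameter binding are meant to neutralize.
MALFORMED_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups with an ordinary slug and with the malformed input
    and return the results so the difference can be checked programmatically."""
    conn = build_demo_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "contact"),
        "normal_safe": lookup_parameterized(conn, "contact"),
        "malformed_vuln": lookup_vulnerable(conn, MALFORMED_INPUT),
        "malformed_safe": lookup_parameterized(conn, MALFORMED_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With an ordinary slug both functions return the same single row. With the malformed input the string-built query has its `published = 1` condition overridden and returns every row, including the unpublished one, while the parameterized query returns nothing because no slug literally equals the input. The detection counterpart on the web-server side is the same observation in reverse: request parameters containing quote characters followed by SQL keywords are worth logging and reviewing even when the application happens to be patched.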
- with Linda McGlasson, managing editor, BankInfoSecurity.com