It seems that every week we are seeing a whole new slew of major security attacks. We could go through the list but at PDC we have a game where every time a new one is mentioned we have to drink. It is early in the morning and I don’t think that would be a wise decision.
The most recent one is the attack on the International Monetary Fund (IMF). Once again, details are very sketchy as of right now, but it is clear they were attacked and it is clear that they had to cut their connection to the World Bank because of the attack.
Right now the rumors are stating that the attack was not related to the RSA debacle. Which is good, I think… However, it does appear that the attack was a spear-phishing attack. Once again, we have to ask: is it really necessary for all of our users to access the Internet as part of their jobs? Paul and I are working on a test this month where we had the customer check out a site with some information on a vulnerability we had found. It took him a while to get to the site because he had to switch to a different computer that was connected to the Internet via a cable modem that was completely segmented from the rest of their environment. He stated that they are moving to a posture of Internet whitelisting rather than a blacklist approach. Why? Because they were tired of dealing with the spear-phishing attack of the month.
There are also two other bits of information that I find terribly interesting. One, they noticed the attack because of a file transfer. This rocks. If it is in fact the case that they discovered the breach because of a change in network flow (and the bad guys did not have access for weeks, or months) we at PDC would like to commend the IDS/Network/Admin team.
The other bit of interesting information is that they severed their connections with the World Bank. There are some other things we can read between the lines on this one as well. One, they had someone on staff who was willing to make a hard call. Also, they had the technical capability to cut the connection. I know this seems like a petty, small thing; however, we have worked on a number of incidents where the customer had no idea how to sever a connection.
So, two things you need to do this week:
1. Sniff your traffic at the edge of the network. If HR gets all nuts about privacy, just collect the TCP/IP header data. Then look at the HTTP statistics and see how much traffic is business related.
2. Ask management if you have the procedures in place to cut your connection to a major business partner or the Internet - in the right circumstances, of course.
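As an added worked example (not from the original post), here is what step 1 looks like once the header-only capture is in hand: flow records (source, destination, port, byte count) are rolled up into per-destination HTTP statistics, split against an Internet whitelist to get the "how much is business related" number, and checked for the kind of out-of-pattern transfer volume that tipped off the IMF team. The addresses, hostnames, whitelist and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records, the kind of thing a header-only capture yields
# (no payload): (src, dst_host, dst_port, bytes_out). dst_host is hypothetical
# and stands in for the name you would join in from DNS logs.
FLOWS = [
    ("10.1.1.5", "erp.example-partner.com", 443, 4_000),
    ("10.1.1.5", "cdn.videosite.example", 80, 250_000),
    ("10.1.1.7", "erp.example-partner.com", 443, 6_000),
    ("10.1.1.7", "socialnet.example", 80, 90_000),
    ("10.1.1.9", "erp.example-partner.com", 443, 5_000),
    ("10.1.1.9", "files.unknown-host.example", 443, 9_000_000),
]
WHITELIST = {"erp.example-partner.com"}  # destinations the business needs
HTTP_PORTS = (80, 443, 8080)

def http_stats(flows):
    """Outbound bytes per destination, HTTP/HTTPS ports only."""
    stats = defaultdict(int)
    for _, host, port, nbytes in flows:
        if port in HTTP_PORTS:
            stats[host] += nbytes
    return dict(stats)

def business_fraction(flows, whitelist):
    """Share of HTTP bytes that went to whitelisted (business) destinations."""
    stats = http_stats(flows)
    total = sum(stats.values())
    business = sum(v for host, v in stats.items() if host in whitelist)
    return business / total if total else 0.0

def flag_large_transfers(flows, factor=10):
    """Hosts with a single outbound flow at least `factor` times the median
    flow size: the out-of-pattern file transfer a network team wants to see."""
    if not flows:
        return {}
    sizes = sorted(nbytes for *_, nbytes in flows)
    median = sizes[len(sizes) // 2]
    flagged = {}
    for src, host, _, nbytes in flows:
        if nbytes >= factor * median:
            flagged.setdefault(src, []).append((host, nbytes))
    return flagged

if __name__ == "__main__":
    for host, nbytes in sorted(http_stats(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{nbytes:>10} {'business' if host in WHITELIST else 'other':8} {host}")
    print(f"business share of HTTP bytes: {business_fraction(FLOWS, WHITELIST):.2%}")
    print("large transfers:", flag_large_transfers(FLOWS))
```

On a real edge capture the records would come from NetFlow/IPFIX or a header-only pcap joined with DNS logs rather than an embedded list, but the roll-up is the same.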
For more on the IMF attack please see below:
PaulDotCom will be teaching Offensive Countermeasures at Black Hat July 30-31