Security lessons from 2012

DDoS attacks on banks, cyberwarfare should be high on security agendas

For all the apocalyptic prognostications, 2012 turned out to be a relatively uneventful year from an information security standpoint.

A cyber Pearl Harbor did not happen. Stuxnet and its kin did not take out any power grids or shut down cities. Mobile threats continued to escalate and malware became more sophisticated, but none were as game-changing in nature as Stuxnet was. While there were still plenty of data breaches, including a handful of big ones, they were much smaller in scope compared to the TJX and Heartland breaches of a few years ago.

Even so, several security related events in 2012 could well be harbingers of things to come in 2013.

DDoS attacks on banks

In the second half of 2012, U.S. financial services organizations became targets of sophisticated, high bandwidth distributed denial-of-service attacks launched by politically and financially motivated groups. Several banks experienced severe disruptions to their online banking operations as a result of the DDoS attacks.

Often, the attacks were accompanied by online fraud and account takeovers. The weapon of choice in many of the attacks was a toolkit called Itosknoproblembro which was capable of generating close to 70GBps of DDoS traffic and designed to launch multiple DDoS attacks simultaneously.

Such attacks could become increasingly common this year, according to Gartner analyst Avivah Litan. It's not just banks that will be targets, but enterprises as well. According to security firm Prolexic, the average bandwidth in DDoS attacks in 2012 was around 4.9Gbps, a 200% increase from just a year ago. Attacks averaging 20GBps of DDoS traffic happened with alarming frequency in 2012 compared to the smattering of them in previous years, according to Prolexic.

"This is definitely a threat to the day-to-day workings of our financial systems," Litan said. Banks in general, "should add DDoS attacks to the checklist of things to worry about when trying to prevent fraud," Litan said. "I don't expect [the attacks] to let up in 2013. To the contrary, I expect them to increase since so far they have generally been successful," she said.

Shamoon, Flame and other cyber sabotage malware

About 30,000 Windows PCs at Saudi oil company Saudi Aramco were believed to have been rendered unusable in August after they were infected by a particularly destructive virus called Shamoon. The virus was noteworthy because it not only corrupted and deleted files, but also completely overwrote the Master Boot Record on Windows PCs thereby rendering them useless.

Though Aramaco downplayed the seriousness of the incident, Shamoon stirred concern at the highest levels of the U.S. government. In a speech at a meeting of Business Executives for National Security (BENS) in New York, U.S. Secretary of Defense Leon Panetta described Shamoon as one of the most destructive viruses ever and one that could be used to launch an attack as calamitous as the 9/11 attacks.

Security experts see Shamoon and similar malware, such as Flame and BatchWiper, as harbingers of a new class of tools that will increasingly be used in hacktivist attacks, for cyber espionage and cyber sabotage purposes.

"With assertions that attempts were made to destroy data and some suggestion of state sponsorship, Shamoon signals a move towards more serious economic espionage, regardless of motives," said Pete Lindstrom, an analyst with Spire Security in Malvern, Penn.

State-sponsored attacks

Many believe that the New York Times' report in June that the U.S. government had been actively involved in the development and use of Stuxnet to disrupt Iran's nuclear program may have ushered in an era of more open cyber hostilities between nations.

The big worry is that by choosing to develop and use cyber weapons such as Stuxnet, the U.S. government has exposed its own companies and networks to similar attacks by nations that are likely to be less hesitant about launching them. Many of the recent DDoS attacks against major U.S. banks, for instance, are believed to be the work of Iranian hackers. So too is the attack on Saudi Aramaco and other energy companies in the Middle East.

"There is no question in my mind that the biggest story of the year was the NYT revelation that the US was behind Operation Olympic Games in which they developed and successfully deployed Stuxnet," said Richard Stiennon, principal analyst at security consultancy IT-Harvest.

"Nation states are now undeniably in the game of cyber attacks. Olympic Games ushered in the era of weaponized software. There is no looking back," Stiennon said. "At the same time, as countries get into offensive cyberattacks, the defensive side is finally taking a turn for the better." Expect heightened awareness of the threat to result in new investments in 2013 on the tools and people needed to counter targeted state sponsored attacks, he said.

Targeted attacks

Many of the security incidents that made the news last year, including a massive breach at the South Carolina Department of Revenue, involved highly targeted attacks that combined social engineering techniques with sophisticated data stealing Trojans and other malware. In May, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory warning gas pipeline companies to be on the lookout for targeted phishing attacks and intrusions.

In December, security firm RSA issued a similar alert warning more than two dozen banks about targeted attacks.

According to Verizon, expect such attacks to increase going forward. Large, high-profile enterprises and companies in the financial services and insurance sectors in particular are likely to be more vulnerable to such attacks. In fact, almost seven out of 10 targeted attacks already are directed at large companies, Verizon noted in its 2012 Data Breach Investigations Report.

"Targeted attacks from adversaries motivated by espionage and hacktivism ..will continue to occur, so it's critical to be watchful on this front," the company said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about cyberwarfare in Computerworld's Cyberwarfare Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingFinancial ITsecuritycyberwarfare

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place