The recent cyber-attacks on defense contractor Lockheed Martin, which the company disclosed at the end of May, appear to mark an escalation of a “cyber-cold war” that few realize has been going on for some time.
Recent sophisticated cyber-attacks have focused on some the most sensitive defense contractors in the U.S. But there is a high likelihood the attacks will spread to other industries, as well. If your company does business with a defense contractor, a bank, an electric utility or a phone system, you’re at risk. Cyber-attackers may hit you if it even appears that you might provide a pathway to the bigger target they really want. So you need to make sure your security is up to snuff.
Lockheed Martin issued statements that itdiscovered the attack nearly as soon as it started and that it believes no data was stolen. A separate prepared statement by Lockheed Martin CIO Sondra Barbour said the company thwarted the attack by shutting down the VPN that gave employees and contractors remote access to the company’s IT systems. Other actions included resetting all user passwords, upgrading remote access to new access RSA SecurID tokens and “adding a new level of security to our remote-access network log-on procedure,” Barbour’s statement said.
Others, however, are saying more. Tom Kellermann, a member of President Obama’s commission on cyber-security, and CTO of mobile security application provider AirPatrol told Bloomberg TV that the attack was more than likely state-sponsored.
However, Kellermann declined to specify what country may have sponsored the attack and said that it’s impossible to know for sure since many countries have that ability. Kellermann noted that many people are blaming China and Russia for the attack, but that this isn’t necessarily the case.
What is known is that the attack against Lockheed Martin may be related to a successful attack against RSA earlier this year in which the algorithms used to generate keys on the company’s SecureID security tokens were taken. Since that breach, other SecureID customers, including Northrop Grumman and L3 Communications, both major defense contractors, have been attacked.
The attack initially targeted Lockheed Martin’s network, and when that failed, the hackers tried to attack the company through other companies that do business with Lockheed Martin, according to Kellermann.
Lockheed Martin has beefed up its security to world-class standards over the years since the Chinese military was able to successfully penetrate the company’s security. It’s impossible to know whether China was involved in the most recent set of attacks, although the Chinese government did promise sanctions against the company for its plan to supply F-16 fighter jets to Taiwan. That sale is apparently going ahead on schedule.
The Department of Defense is about finished with a revised plan for dealing with cyber-attacks in which some such attacks would be viewed as acts of war, and could be met with a military response, according to an Agence France Presse report in Defense News. The Pentagon’s plans have been in development since a cyber-attack on the U.S. Army in 2008.
Attacks Show Need for In-Depth Security Defenses
To date, the attack on Lockheed Martin was apparently the most intense so far. The sophistication and tenacity of the attack helps confirm the thinking that this was a state-sponsored attack. The attack also confirmed that Lockheed Martin is a much tougher target than it was a few years ago. In fact, one Washington IT staffer, who asked that he not be identified because of his position as a government employee, said that Lockheed Martin might have been picked by the hackers because it is “the gold standard” when it comes to security. The staffer said that Lockheed Martin’s security is so good that it’s widely considered to be impossible to breach.
The lesson from Lockheed Martin’s successful repulsion of this attacker is that you need to have defense in depth. You can’t depend on passwords, security tokens or encryption alone. You need all of that, and you need more. Your network should have internal firewalls, it should have the routers set so they only accept traffic from specific MAC addresses, and you need to have an up-to-date intrusion-prevention and detection system.
Sounds serious, right? That’s because it is serious. While it may be that you have no useful information regarding any of the targets that these state-sponsored hackers want, that won’t stop them from taking advantage of what they do find on your network. The bottom line is that the new edition of the Cold War has begun, and this time it’s a “cyber-cold war.” You need to be careful not to be caught in the crossfire.
For most companies, a breach of personal information or credit card data can be damaging to the extent that it can ultimately cause the company to go out of business. This is usually not considered a good outcome by security professionals. For that matter, neither are stories about lost information or irate customers. While the credit card numbers may not be state secrets, they’re still very important to your customers, and they need protection.
There is an attitude in many companies that protecting personal information is nice in theory, but not so important in practice because it’s inconvenient or costs money. But inconvenience and cost will grow exponentially if your security system isn’t well-designed. Every company’s senior executives should ask themselves what is less convenient-implementing stronger security or being forced to bail out your CEO in the middle of the night because he was charged with violations to compliance laws?
It’s also essential to remember that security is just as important for business partners as it is for you. If you don’t require your business partners to have at least as much security as you require for yourself, then you can’t allow them into your network. One of the features of the attack on Lockheed Martin is that the attackers tried to use business partners’ networks as a pathway to Lockheed Martin when it couldn’t break into the network directly. It didn’t work, and it shouldn’t work for your business partners either.