The FBI and Scotland Yard should be praised for their ability to track down, identify and arrest members of the related hacking organizations Anonymous and LulzSec. The cyber-sleuthing they did is not easy. When you have to do it well enough for the arrest to hold up in court, it’s harder still. Unfortunately, it’s not going to solve the problem.
While the arrest of 12 members of the Anonymous hacking group, as well as two of the reputed six-member LulzSec team, may have taken these specific people off the street, the fact remains that there is a limitless supply of people who want to break into computer networks, the higher the profile the better. Anonymous has already threatened a retaliatory attack on the FBI for the arrests. Whether they go through with the threats and whether the attacks, if attempted, are successful will remain a mystery until it happens.
But it’s a virtual certainty there will be further attacks on the FBI. Likewise, there will be more attacks on Scotland Yard and on any number of other law enforcement and intelligence organizations. These targets are just so tempting that even a mediocre hacker wants the bragging rights.
And that’s one of the problems with the collection of hackers these days. Some are just in it for the bragging rights. It doesn’t really matter if your important data is encrypted, hidden away and unable to be copied. Some of these people aren’t after that. They just want to be able to prove they visited your company, breached your security and then left a message behind that they did it.
Problem is, if they can break into your battle-hardened network, so can someone who has all of the money they need, all of the best talent, and a strong motivation to steal information from you. That someone could be a state-sponsored hacker, a terrorist, a freelance cyber-thief in it for the money, or even a competitor. One way or another, someone is trying to get into your secrets and steal them.
However, it’s important to note that a successful attack from Anonymous or some other organization should be a warning. At the very least your security is inadequate. You need to find out how the attack took place and you need to fix it.
Make Your Company’s Network a Less Inviting Target
The problem is it’s almost impossible to make an impregnable network that’s also attached to the Internet. The only way to be certain it can’t be breached is to disconnect the Internet, put your servers in a vault and station a squad of Marines around it. And that will only work if one of the hackers isn’t also one of the Marines.
And that’s one of the basic problems that lead to data breaches. You can’t always trust your employees. Employees have nasty habits of writing down their passwords, making copies of sensitive data so they don’t have to deal with the encryption software, and attaching unprotected WiFi APs to your network so they don’t have to deal with that annoying Ethernet cable. And sometimes the employees are working with the attackers to breach your defenses, as happened with the WikiLeaks case last year.
So what do you do? The bottom line is that you need to invest wisely in security. This means that you get the firewalls that you actually need and you pay to train the person who has to configure and run the device. You encrypt your data; you take steps to limit access to data to specific people; you track what they do; and you set your rules on internal and external firewalls to prevent the movement of such data.
But most important, you have to be willing to invest in your staff. This means you don’t just give your IT people a shiny new firewall and tell them to implement it; you need to pay for training and probably for ongoing support so that the security hardware, software and procedures in your company stay up-to-date.
You also have to realize that no security system is perfect. But if you make it hard enough to break in, then the hackers will attack some other company. If you also make sure that you have nothing that they can breach easily, you will decrease the interest in an attack on your company. But it takes constant training and constant vigilance.
In a way, the best news to come out of the arrests of Anonymous and LulzSec is if they have prompted your company to pay closer attention to network security. Being lulled into a sense of complacency is perhaps the best way to help the people who would attack your network. Staying on top of your security will help ensure that you’re not an inviting target for the next attack.