Here's a story that caught my attention... “In Soviet Russia, Georgian government hacks hacker!” All Internet meme inspired jokes aside, an interesting article caught my eye recently that described how an exasperated Georgian government fought back at an alleged Russian attacker that ran a months-long campaign to steal as much information from government ministries, parliament, banks, and other organizations.
  • The Georgian CERT team set a baited trap for the attacker that led him to believe that he was downloading sensitive information, but instead contained malware of its own. The attacker took the bait, and the team was able to mine his computer for documents that might give them clues. They also snapped two photos with his own webcam. The surprised attacker severed the connection after presumably discovering the ruse.
  • The team was able to link this attacker to earlier attacks after being tipped off  (ironically) by a Russian antivirus program. The attacker began his assault by peppering Georgian news websites with malware, but only those articles that would interest his intended targets. His strategy apparently worked fairly well, as he seized control of approximately 300-400 government computers in key agencies, which were directed to transmit sensitive documents to servers the attacker controlled. The Georgian team blocked connections to these servers, and the attacker escalated.
  • Next, the attacker sent emails to government officials that contained a malware-laced PDF file- which was a fairly complex attack that wasn’t widely known at the time and not detected by security software- and indicated to the Georgian team that this was no average attacker.
  • Fortunately for the Georgian team, they were able to discover a few clues about the attacker as he also fell victim to some weak security practices of his own. In the end, the attacker finally fell for the trap that was set.
  • Unfortunately for the Georgian government, this was neither the first time that such attacks had occurred, nor the last. This attacker was also certainly not acting alone, and may have learned from his mistakes to return and escalate his antics yet again.
What YOU can do with technology to protect your information So, while the Georgian government released photos of their attacker in order to show their irritation and potentially give other attackers a reason to pause before their next volley, we can hopefully learn from the mistakes made on both sides. Here’s what you can do:
  • Run antivirus
  • Keep OS, applications, and malware definitions up to date
  • Deploy a firewall at the network edge
  • Segregate networks by function
  • Run a host-based firewall on all endpoints
  • Employ spam filtering
  • Enact policies regarding removable media, portable devices, mobile devices, and connectivity
  • Practice the “principle of least privilege”
  • Use strong passwords, and password policies that do not promote bad practices
  • Practice “defense in depth”
  • Remove or disable unnecessary software and services
  • Employ exfiltration protections

Utilizing these staples of IT security on your networks, servers, workstations, laptops, and mobile devices will help mitigate some threats, as well as limit the damage and possible escalation should an attack succeed. However, technology only goes so far, and people can sidestep nearly every technological safeguard that they deem unnecessary, an impediment to their job, unintentionally, or worse while intentionally performing an attack as an inside job. People can be your greatest strength and greatest weakness Let’s face it, a large source of the security risk facing your organization sits squarely on the shoulders of the employees that run it day in and day out, and handle the valuable information of your organization. Those people can either expose that information or protect it. What makes the difference? Security Awareness These programs can educate your employees about security fundamentals, the risks associated with different pieces of information and the methods by which that information could be exposed, as well as role-specific guidance on how to have a positive impact on security. Technology is not the sole solution If an attacker can simply overhear or directly call up an employee and have him or her willingly hand over data that is well-protected on your system over the phone, and the employee is none the wiser, all the technology in the world has failed (and to be fair, isn’t or shouldn’t be meant to address this problem). Myths, misconceptions, and misinformation can also lead to a compromise

  • One of the biggest sources of leaks comes from careless users simply losing a laptop, USB stick, or mobile device containing sensitive information.
  • A less obvious source of leaks could be a productive employee signing on from an unprotected or compromised coffee shop or hotel network, leaking data with every email and instant message they send.
  • Similar to the phone call (though potentially mitigated by technology), a phishing attack might be successful at stealing credentials or convincing a user to send along sensitive data.

As you can see, there are a number of ways by which the people in an organization that is otherwise “armored to the teeth” are the greatest risk for an organization. What you can do with staff to protect your information The first step is education Every day, people in your organization are in a position to behave in ways that either expose or protect valuable information that is in their hands. General staff should all understand the “do’s and don’ts” to help prevent sensitive information from being compromised. Role specific training courses IT staff are in a unique position where they may have access to more data than any other position in the organization, or the means to get access to such data. From system architects to database administrators, role-specific security training programs help you assist and aid your entire information technology team. All software development teams, whether they build in-house or commercial software, have a critical role to play in protecting sensitive information. Follow compliance requirements There may be regulatory compliance or requirements for your specific industry that needs to be addressed.  Lastly, empower users to recognize and report threats, including suspected insider threat People on hand to deal with security situations for your infrastructure and solutions (and products if applicable) can boost your tolerance to attacks because there is someone at the switch, so to speak, watching the vital signs of the organization. Security staff are smarter than any number of layered or individual technologies are, especially because they can look across the various technological solutions you may have in place and recognize patterns or anomalies that technology alone isn’t equipped to deal with yet (no matter what vendors will try and have you believe). Having staff isn’t going to be fool proof, but it’s the next evolutionary step in the security maturation process, and may or may not make sense based on the risks your organization faces and the cost of such staff.   References: Irked by cyberspying, Georgia outs Russia-based hacker -- with photos  

Continue the Conversation on Twitter @SafelightSec

Connect with Mike on Twitter @SafelightCoop