Operation Night Dragon

My marketing guy says if my posts are going to rank higher on search engines, they have to be timely and call out keywords in bold and italics (and lots of hyperlinks throughout)… so today you get a post about OPERATION NIGHT DRAGON (insert ominous sound effect here).

Night Dragon for those that do not know, is an attack against energy companies that was recently (look marketing, it’s timely!) exposed by a McAfee report. The attacks involved several techniques including compromising web servers, database servers, stealing passwords and targeting employees for access and executives for data. The ultimate goal of this is unknown, but suspicions are leaning towards this being an attack focused on stealing data not on stealing money or reducing the capabilities of the attacked firms.

While there is plenty of discussion in the security community that is, frankly, overhyping this attack (I would have named it “Lightning Thief”) that’s not where I am going to go here. Instead, I am going to focus on two key words. To paraphrase the story, it all boils down to this:

“McAfee identified attackers that used unsophisticated attacks to enter the networks of US energy companies, where they browsed and accessed sensitive information. The attackers have been present in the networks since late 2009.”

So let’s talk about this a little bit…

Unsophistication

We like the stories about the uber-elite hackers that use diamond-tipped tools cut a hole in the firewall, glide into the network on a rappelling line, identify their targets and then steal them avoiding the fancy lasers and weight triggers. However, if your business doesn’t have those defenses, there’s no point in investing in all the impressive tools. Like as not, your business is less like The Louvre and more like Barometer World. Now don’t get me wrong, I think that barometers are pretty nifty, but let’s face facts. It doesn’t matter how many barometers you have in that room, you’re not going to protect it like the Mona Lisa.

(Note to marketing: I know that barometers aren’t timely. Sorry. Here’s some timely stuff in bold for you: #grammyforbieber, Mubarek resigns… we happy?)

Of course, this means that if someone wanted a barometer, they could probably just walk in and take one. Sadly, the same is true for your data. In a great many businesses, your data could just walk out the door and a lot of people wouldn’t care. I’ve heard comments ranging from “Who would want my data?” to “My data isn’t worth anything anyway.” as reasons to not invest in basic protection. However, the often-missed point is that it doesn’t matter how much you value your data. What matters is how much a competitor values it. If it costs very little to attempt to steal your stuff, people are going to try again and again. Eventually they’ll probably succeed.

In addition to the nifty-cool attacks we read about, there is a constant background of simple and unsophisticated attacks targeting your business. Once they get in, they’re a lot harder to get out, which brings us to…

2009

At the same time these attacks were occurring, the Billboard number one song was Whatcha Say by Jason Derülo. Twilight: New Moon was brand new and a groundbreaking paper on air pressure and landslides was released. (Sorry marketing, this timely stuff is hard, but at least barometers are still cool.) In the fifteen months following, the attackers have been digging through data, finding what they wanted and stealing the work of others. This has likely enabled them to win contracts by underbidding, develop competing technologies and steal customers.

Now combine this with that magic word unsophisticated and the fact that we’re not talking about the Louvre here. We don’t have a situation where a super-stealthy cat burglar snuck into a museum, stole an ancient and magical artifact, and slipped out under the eyes of watchful guards. Instead, we have a situation where someone like Jacques Clouseau clumsily stumbles into the barometer museum and lives there for a year, riffling through papers and taking barometers home every night. All without being noticed by anybody.

It’s ridiculous. For years, we’ve been giving people the same basic rules for security:

• Keep your systems patched.
• Give users minimal rights.
• Run antimalware software.
• Limit where your users can go.
• Watch what goes on on your network.

In order for these attacks to succeed, there had to be multiple failures along many of these rules. Let’s take one last visit to the barometer museum and think about what these rules would look like if IT were not a factor:

• Lock the doors when you’re closed.
• Don’t give everyone the master key.
• Hire a night watchman.
• Lock the windows too.
• Make sure the watchman is awake.

See, we’re not talking about building massive security infrastructure to protect your precious hoard of 17th century barometers.  We’re talking about taking extremely basic precautions.  It costs a lot less to invest in a few key technologies and make sure they’re working than it does to replace all your stuff, so just do that.  After all, where do you want the bad guys to live — your business or  that of your competitor?

(Marketing, here are some more words in bold for you: Night Dragon, Night Dragon!, Nihgt Dragoon (to catch the typo people) malware, evil, energy, security… we good?