Business Issues -> Regulation
By: Nigel Stanley, Practice Leader - IT Security, Bloor Research
Published: 17th December 2010
Copyright Bloor Research © 2010
There are a variety of ways in which websites and public-facing computer systems can be attacked by hacktivists, and attacks on websites continues to be a popular form of political demonstration.
In December 2010, around 36 Pakistani government websites were hacked by an online hacker group called the Indian Cyber Army. All hosted on the same server, the sites that were hacked included the Pakistan Army, the Ministry of Foreign Affairs, Ministry of Education and the Ministry of Finance. The attacks consisted of messages and graphics inserted into the web pages with political messages, some of which related to the attacks in Mumbai.
Also in December 2010 a number of financial payment websites were subject to denial of service attacks by hacktivists disgruntled at these companies no longer processing payments to the WikiLeaks website.
For commercial websites that trade across the internet, this can be catastrophic and is the equivalent of having all their real-life stores closed down in one go. Denial of service attacks can range in their level of sophistication from destruction of physical internet connection points through to the flooding of websites with extraneous data that overwhelms web servers, forcing them to close down. This is similar to blocking the switchboard of a business with lots of phone calls that are terminated as soon as they are picked up, but uses the TCP/IP protocol that runs the internet to flood servers with bogus messages. These attacks can be coordinated using hijacked networks of computers, called botnets, which, in turn, are forced to send high levels of spurious data to target websites. There are steps that designers can take to mitigate such attacks but, in reality, a significant attack can be difficult to manage, and often the best course of action is to take down the servers and hope the attackers go away.
More sinister is a malware threat that emerged in 2010 called Stuxnet. Researchers had been aware of this malware for many months, but it hit the media headlines when reports emerged of Stuxnet finding its way into Iranian nuclear plants. Excellent investigation by Symantec  has enabled us to see inside this malware and understand how it works.
The malware was apparently written to target industrial control systems such as those used in manufacturing and processing plants. Its ultimate aim is to reprogram control systems by modifying computer code on programmable logic controllers, or PLCs, in such a way that plant operators would never suspect anything was wrong. In contrast to a denial of service attack that is extremely noisy, Stuxnet is a very clever and covert attack. Bundled with the Stuxnet malware is a whole arsenal of additional components designed to assist in this control system attack, including zero-day exploits, antivirus evasion and a Windows rootkit, an advanced form of malware.
So why bother to mess with PLCs?
In fact Stuxnet only affects specific PLCs controlling electric motors that run at special high speeds and frequencies. These are only available from two specified companies and the attack will only be initiated if there are at least 33 of these devices present. The majority of Stuxnet infections were found in Iran and these devices are regulated for export by the United States Nuclear Regulatory Commission as they can be used in centrifuges used for uranium enrichment.
Yes, the implication is that Stuxnet is a powerful piece of malware created to disrupt the enrichment of uranium by the Iranian government.
Clearly this advanced malware has not been developed by a back-bedroom hacker, as it needed very specific insight into the workings of complex industrial control systems. This is a high watermark in terms of malware, and evidence is starting to emerge that conventional cybercriminals are adapting Stuxnet for more conventional criminal activities.
We have not seen the end of Stuxnet yet.
Is your organisation a target?
It could be argued that, in the great scheme of things, most businesses and organisations will never appear on a cyberterrorist’s radar, as the type of work they do is not one that attracts attention from such people. On the other hand it could be argued that every person and organisation is a target for cybercriminals, so a reasoned, objective risk assessment should always be undertaken to gauge a likely risk profile. This must include all aspects of a business, including the supply chain, employee travel, executive profiles, nature of the business and, of course, the ever-changing worldwide geopolitical situation.
This risk assessment needs to be continuous and fully integrated into the decision-making process of the leadership team. Informing this risk assessment must be intelligence gained and shared with colleagues, industry communities and the authorities ensuring a two way flow of up to date, actionable and relevant information.
Polices and procedures need to be built that encompass this risk assessment and it is vital that a converged approach is taken, such that information security experts work with physical security experts to develop plans and skills to manage a cyberterrorist attack. These attacks will rarely come from nowhere and the sharing of skills and information is vital.
Employees are often in the front line against cyberterrorists, as their day-to-day activities are often subject to reconnaissance and investigation from potential attackers. Phishing emails, social engineering phone calls and strange conversations are just some of the indicators that an organisation is being scoped for attack. These users must be educated about the importance of both physical and information security, supporting a converged approach, in their day-to-day jobs and have a means to raise their concerns in an open way that supports these reports and avoids any embarrassment if a genuine report is false.
Finally, organisations and businesses need to be doing their job, focusing on delivering value, products and services to their clients and shareholders. In support of this it makes complete sense to work with expert third parties that can take on a lot of the risk management work, freeing up the business to do what it does best.
Over these 3 articles we have seen that the internet is awash with threats to organisations and individuals, but it is also an amazing force for good in the world, supporting commerce and the freer flow of information. Inevitably criminals, rogue states and terrorists will see the internet as an ideal tool in their armoury but, by taking some reasonable precautionary steps, many of these threats can be significantly reduced.
 Symantec. Stuxnet: A Breakthrough. Available at http://www.symantec.com/connect/blogs/stuxnet-breakthrough Last accessed 9th December 2010
Posted: 3rd January 2011 | By Eduard :
Hello, I'm starting a blog related to cyberwarfare, I want to ask, can I take your article, translate it to spanish language and publish it in my blog (with all the backtrace links and copyrights notes, to this page)
I think this article gives a really good starting point to all the spanish speaking people that want to know more about the topic.
Thank you very much for the attentions.
The messages above were all contributed by IT-Director.com readers. Whilst we take care to remove any posts deemed inappropriate, we can take no responsibility for these comments. If you would like a comment removed please contact our editorial team.
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761