|Advanced persistent threats are different from typical cyberattacks. They attempt to obtain personal information to later gain beachheads in other unrelated computing systems. Image: Dell SecureWorks|
Those of us who work in cybersecurity would prefer to avoid publicity. In most cases when you hear or read about security it is because something unfortunate has happened. And in fact there have been headlines in the past few days about a security incident affecting the federal Office of Personnel Management.
The attacks that make headlines are often advanced persistent threats (APTs). This type of attack is quite different from traditional hacker activity. The adversary emphasizes stealth, maintaining a low profile for an extended period to avoid detection and to maximize the amount of data he can collect. There are no flashy Web page defacements or noisy attacks on other systems, which makes the presence of unauthorized users difficult to detect. And the aim of the attack is to gather information: not just credit card numbers that could be used for identity theft or financial gain, but also the kind of personal information that can be used in future social engineering attempts to gain beachheads in other, unrelated computing systems.
What does this mean to us? First, it is a reminder that we must be constantly vigilant in looking for any unusual behavior on our computing systems and aggressive in scanning for and remediating any vulnerabilities that could allow attackers to penetrate them. Please be cooperative if you are notified of such vulnerabilities in any of your systems; even one unpatched system can serve as a point of entry for an attacker.
Next, we will need to speed up our plans to require two-factor authentication (use of a password together with a hardware token) for access to any of our systems with sensitive information. We have already been moving in this direction using the RSA tokens I have written about previously, but we will likely be asked to make this access method universal for privileged users. And of course we should continue to avoid having any sensitive information on laptops or desktops or in cloud data storage.
Finally, be very suspicious of phone calls and emails purporting to come from government employees. There are very few legitimate reasons for most employees to be so contacted. When an unknown adversary has access to detailed information about government personnel, they will try to create very plausible stories in attempts to gain further entry to computing systems at sites like Fermilab.