Blended Attacks: The Nasdaq Edition
October 25, 2011 | Uncategorized | CyberArk
by Adam Bosnian
Despite spending nearly $1 billion a year defending itself against constant cyber attacks, news broke late last week in an exclusive report from Reuters that “the hackers who infiltrated the Nasdaq’s computer systems last year installed malicious software that allowed them to spy on the directors of publicly held companies.”
According the story, the Nasdaq case, reportedly similar to the attack against RSA earlier this year, is an example of a “blended attack,” where elite hackers infiltrate one target to facilitate access to another. Nasdaq has said that hackers attacked a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives, among other things. By infecting Directors Desk, the hackers were able to access confidential documents and the communications of board directors.
As Jaikumar Vijayan emphasized in his recent article for Computerworld, “Despite Stuxnet, Duqu, control system flaws still overlooked,” most efforts to fix infrastructure threats are wrongly focused. It seems Nasdaq learned the hard way that throwing a large budget at a security issue to build up perimeter walls won’t fix an issue that’s already inside. ”God knows exactly what they have done. The long term impact of such attack is still unknown,” Tom Kellermann, a well-known cyber security expert, told Reuters of the attack.
Cyber-Ark believes that regardless of the attack vector, there must be heightened emphasis on the importance of proactively locking down and isolating sensitive information, and maybe even more critically, the servers, systems and applications where this confidential information resides or is transmitted to or from. Post-fact reaction by its very nature means that the vulnerability has already been leveraged. Only truly proactive, preventative approaches can help organizations guard themselves from these types of ongoing and often persistent attacks.
Additionally, it’s important to examine the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only that amount of privilege necessary for a given activity. What’s often overlooked is how these accounts can be tampered with to provide unwanted ‘escalation of privileges’ to aid in persistent attacks – as it appears what happened in the Nasdaq case.
In the RSA case, recommendations to customers included enforcing strong password and PIN policies, and watching closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes. Could these steps have helped Nasdaq? It will be interesting to learn more as this story continues to unfold.