Protecting Your Agency From GhostNets, Learning Infosec from The Dalai Lama
If you are concerned about your agency’s
information security, I’d encourage you to take a look at one of the
two reports that came out last week regarding the cyber attack on the
Office of His Holiness, the Dalai Lama.
(Overview: Video http://www.youtube.com/watch?v=tnK0s6aWzCM,
Text http://government.zdnet.com/?p=4498 )
The Dalai Lama’s organization made the analysis
public, which is unusual for an information security breach of this
nature. The reports are available at
http://documents.scribd.com/docs/1jiyoq3c13a9a4udh2s7.pdf
and http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf .
It could be argued that there is nothing new in the findings in terms
of attack vectors, exploits, and payloads. What can’t be argued is that
this was a highly structured attack after specific high-level
targets. This attack is similar to those we’ve seen at many
Federal Civilian Agencies.
One of the big differentiators I saw in this attack was the use of the
content of legitimate outbound emails as a way to strengthen the target
profile. The attackers took the content of legitimate outbound emails
and added malicious payloads hidden in Word and Acrobat
files. There was no way to distinguish the text of a
legitimate email from that of a compromised email, because both were
written with exactly the same text.
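As an added illustration (not code from the reports or from Websense), here is one defender-side check this finding suggests: fingerprint the normalized text of mail your office sends, then flag inbound mail whose text replays an outbound message while carrying a Word or Acrobat attachment. The message structure, addresses and sample traffic below are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

RISKY_EXTENSIONS = (".doc", ".docx", ".pdf")  # Word and Acrobat carriers named in the reports

@dataclass
class Message:
    direction: str  # "out" = sent by the office, "in" = received
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def normalize_body(body: str) -> str:
    """Drop the signature block, strip '>' quote markers and collapse whitespace,
    so a replayed body still matches after quoting or re-wrapping."""
    text = body.split("\n--", 1)[0]
    text = re.sub(r"^>+ ?", "", text, flags=re.MULTILINE)
    return re.sub(r"\s+", " ", text).strip().lower()

def body_fingerprint(body: str) -> str:
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()

def build_outbound_index(messages):
    """Fingerprint -> subject for every message the office itself sent."""
    return {body_fingerprint(m.body): m.subject for m in messages if m.direction == "out"}

def flag_replayed_inbound(messages, outbound_index):
    """Inbound mail whose text replays an outbound message and carries a risky file."""
    flagged = []
    for m in messages:
        if m.direction != "in" or body_fingerprint(m.body) not in outbound_index:
            continue
        risky = [a for a in m.attachments if a.lower().endswith(RISKY_EXTENSIONS)]
        if risky:
            flagged.append((m.sender, m.subject, risky))
    return flagged

# Constructed sample traffic (hypothetical addresses and text, not from the reports).
SAMPLE = [
    Message("out", "office@example.org", "March visit schedule",
            "Dear friends,\nThe delegation arrives on Monday.\nPlease confirm.\n--\nOffice staff"),
    Message("in", "unknown@example.net", "Re: March visit schedule",
            "> Dear friends,\n> The delegation arrives on Monday.\n> Please confirm.", ["agenda.doc"]),
    Message("in", "partner@example.com", "Re: March visit schedule",
            "Thanks, confirmed. See you Monday.", ["notes.pdf"]),
]
```

A real deployment would feed the index from the outbound mail log and treat a hit as a reason to quarantine the attachment for inspection, not as proof of compromise.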
The reason that the web and email are exploited as attack vectors is
that these vectors allow non-security personnel to essentially make
network access control decisions. It’s the user that makes the decision
to click on the URL or download the application to their desktop. In
the past, many security people have felt that the problem with web and
email security was due to users who didn’t understand or care about
network security. The Dalai Lama attack shows that there are web and
email based attacks that even the most vigilant and knowledgeable
security person would not be able to identify at face value.
I was enthusiastic about the analysis and detailed forensics in this
report. But it was painfully obvious to me that these reports fell
short when it came to providing solutions. Some of the
recommendations were to use user based access controls, like SELinux,
which arguably are very difficult to implement in any environment that
interacts with the outside world.
Preventing attacks like these is the reason why talking to Websense
should be required for your organization. Websense has the technology
to minimize exposure to these sophisticated, multi-channel
attacks.
- Websense Web Security Gateway can categorize, analyze, and inspect
both known and unknown URLS, including those that contain malware and
spyware. We can identify zero-day exploits, and provide protection
before anti-virus definitions or patches are created. It is all but
certain we would have blocked the links that contained the malware in
this investigation.
- Websense Data Security Suite can discover, monitor, and protect
sensitive agency information from being disseminated
inappropriately.
- Websense Email Security can remove suspicious URLs in the
cloud, even before they reach your network.
If your agency is concerned about these types of attacks, it would be
beneficial to talk with my engineers and me. To schedule
an appointment with my team, please call me at
410-740-3490, or email
pmisner@websense.com
- See reports and videos on Websense Security Gateway
at http://www.websense.com/wsg
- Information on Websense Data Security can be found at
http://www.websense.com/dss
- Information on Websense email can be found at
http://www.websense.com/content/HostedEmailSecurity.aspx