The key security lessons from the NYTimes attack

by Sohini Bagchi    Aug 29, 2013


The recent hacking of The New York Times website and of the social media site Twitter has raised another alarm in the industry about rising attacks on corporations. Security experts say the latest intrusions were the most sophisticated in a series of attacks on high-profile organizations, and that unless organizations learn to take a sophisticated security approach, such attacks will continue to damage them.

In recent months, attacks on major media companies have escalated. Besides organizations like the Financial Times, Washington Post, CNN and BBC, hackers went after social media organizations such as Twitter, Facebook and LinkedIn, a clear shift away from simple denial-of-service attacks and toward full domain compromise.

In the recent case, for instance, the suspected hacker group known as the Syrian Electronic Army (SEA) was said to have caused more sustained damage by focusing on editing DNS (Domain Name System) information. The SEA was able to gain access to the systems of hosting provider Melbourne IT, where Twitter and The New York Times registered their respective domains. Melbourne IT said the breach happened through one of its third-party hosting resellers. This can be an eye-opener in the world of IT security because it indicates the hackers could change DNS details so that “nytimes.com” pointed not to the original NY Times server but to a website hosted by the SEA. In Twitter’s case, the attackers went after twimg.com, a separate domain that the social network used to store image data as well as styling code, which meant many pages were displayed incorrectly.

There’s plenty to learn from each of these high-profile attacks, which may continue in the coming months. Organizations should no longer ask how to protect my organization from being attacked, but it's a matter of when now, and they should find out how to be ready to deal with any kind of threat - no matter how big or small - to save their most critical assets.
- Lawrence Orans, Research Director, Gartner Inc.

Experts point out the key lessons for both big and mid-sized organizations to learn from these advanced attacks.

Get the basics right

You should get the basics right, states Lawrence Orans, Research Director, Gartner Inc., who believes this is something even big corporate houses overlook. According to him, adopting good practices such as having a vulnerability management system in place, keeping security patches up to date, and continually testing the security health of the IT infrastructure can reduce the likelihood of accidental compromise. It is also important to have a response plan, a recovery plan, security awareness and training, as well as a re-assessment program. “As part of the re-assessment process, an organization should design a risk register to allocate funds and resources to protect the assets. These aspects are most valuable to the organisation but often overlooked,” says Orans, adding that a third-party security audit can also add greater transparency and help in reducing threats.

Take security to the boardroom

Security is already finding a place on the boardroom agenda rather than remaining the sole domain of the IT department, and the trend will continue in the coming months. The focus today should be on quick detection and response. Every organization should follow five steps: minding the gap between business and IT security, identifying targets, evolving key security controls, adding newer delivery mechanisms, and repeating and reviewing the security measures frequently. “With the proliferation of BYOD, big data, social and cloud computing, enterprises should identify the right security solutions,” he says. He also believes that the role of the CSO should be well defined in the coming months, and that there will be high demand for data scientists and security analysts who can analyze and correlate security data and unstructured business data and apply it in a real-time setting.

Create security awareness among employees

The final line of defense is the people in the organization, the most valuable asset of a business. Andy Steingruebl, senior manager, customer and eco-system security at PayPal, advocates a thorough security awareness training and education program. “With the right level of training, employees of an organisation can function as human intrusion detection systems in every part of the business,” says Steingruebl. “Employees are not something to be controlled or locked down,” he says. Instead, senior executives (both IT and business) should explain the real risks and the potential consequences of a successful attack, and how employees can fight it collectively.

To sum up, attacks in the industry will continue to grow more crafty and sophisticated. There needs to be greater cooperation in the industry among security professionals, management, and IT. In the long run, education and training in cyber security should be an integral part of every organization’s business agenda.