As hacking groups such as Anonymous and LulzSec continue to make headlines, many of us in the information security field can only sit back and shake our heads. The long list of successful system breaches, web site defacements, and publications of confidential data is not at all surprising; for the most part it was only a matter of time.
Releasing the personal information of innocent users is not responsible hacktivism, nor is it required to trumpet a successful hack. There are other ways to air bragging rights and teach a lesson about system security than potentially causing personal and financial harm to the users of the system. Exposing the weak state of online security, however, is something we can agree with, and both Anonymous and LulzSec should be commended for their actions in that regard. Yes, commended. Thanked. Appreciated.
Regardless of the motive behind their actions, these groups are demonstrating publicly what we in information security have been saying for years: not enough is being done to secure Internet-accessible systems. In information security it can be difficult to convince people of a risk until they see someone else fall victim to that same risk. The publicized successes of these hacker groups help to build the case for better Internet security, hopefully opening the minds and eyes of those who are most difficult to convince. But to truly understand why the information security community owes these groups a token of gratitude, you must first understand why so many vulnerable systems exist on the Internet.
Thanks in large part to Hollywood, the technical prowess of the computer hacker is often exaggerated and shrouded in mystery. It may be easier to imagine that breaching computer security takes a great deal of skill and years of experience, but in truth many systems are easy to compromise. There is no real mystery or special skill required to exploit a security weakness or vulnerability; the attacker needs only to know which tools to use and where to look for the weakness. In many cases the weakness lies in the configuration of the system itself, the result of two primary factors: the failure to fund the level of security technology needed to protect the system, and the failure of the system administrator to understand how to secure it.
Any technology professional with a few years of experience in the field can tell you that information security is not about security, it is about profit. Organizations do not pay for security that negatively impacts the bottom line, and will pay for only the bare essentials required to protect their ability to make a profit or meet budget. All too often security decisions are not made by technical professionals; instead middle and upper level business managers who have little or no experience in information security render these decisions, viewing IT security spending as a black hole into which they refuse to pour money. Private organizations frequently deploy only those security measures required by government regulation, and only to the extent needed to pass internal or external audits. More sophisticated security measures are viewed as too costly, and thus become "optional." This decision to make enhanced security optional correlates directly with the large number of security incidents, and contributes greatly to the global pandemic of security issues that affects the Internet as a whole.
Compounding the problem, and again rooted in the lack of financial support for information security, are the actions (or inactions) of the technical personnel responsible for the security of Internet-facing systems. It is not uncommon for a server or network-accessible application to be installed and configured by someone with only a cursory level of security knowledge. The repercussions of the chosen configuration options are not well understood, often resulting, for example, in default administrator-level passwords and privileges being left in place on the system. The administrative and security knowledge needed to manage these servers and applications safely typically requires advanced training, a rarity in information technology budgets. In practice, IT managers can fund only the technical training necessary to meet the bare minimum of skill required to maintain system uptime and support profitability.
Computer hackers have known for years that an Internet-connected organization subject to a budgetary constraint will only be as difficult to hack as its budget allows. Even a properly funded, well-protected system will have weaknesses if the skill level of the administrative and support personnel is not sufficient to install, configure, and manage it properly. A company that invests in advanced security technologies and in training for its administrative personnel will be much more difficult to compromise than one with limited funding and little security skill. This is the point that groups such as Anonymous and LulzSec are proving to the world: the security of Internet-connected systems is too weak and too easily compromised. This is the result of a decision made at some point, either directly or indirectly, that enhancing the security of these systems was optional.
Making their point to the world, however, does not require harming an unsuspecting and innocent Internet public, whose personal and confidential data should not be used as fodder for boasting about the groups' achievements. Anonymous, LulzSec, and other groups can execute their manifesto, display their trophies, and make their point in a way that does not harm the general public, instead turning the public eye toward the managers and operators of the systems and services that are failing to secure our personal information. Gathering public support for their cause could be a powerful weapon for Internet security, one harnessed simply by saying, "we could easily release your personal data for all to see, but we won't."
The Internet has not yet seen this type of hacker: a "black hat" who champions the "white hat" cause, one who limits the impact of an attack to avoid harming the masses of innocent victims who play no role in the game. Until private organizations, governments, and those responsible for information security decisions rethink how they approach and prioritize Internet security, the game will continue, with the winners pre-determined by the inaction of the losers.