Cyberattacks don't have to be 'terminal,' experts say

Preventing cyberattacks is impossible, but governments and businesses can and should prevent the attackers from stealing data, a computer security specialist says.

But precautions can keep data out of the wrong hands

Preventing cyberattacks is impossible, but governments and businesses can and should be able to stop attackers from stealing data, a computer security specialist says.

There is "nothing in the world you can do" to prevent attacks such as the one that penetrated computer systems in three Canadian federal government departments, said Stephen Northcutt, president of the SANS Technology Insitute, a security training facility in Bethseda, Md.

If a hacker penetrates the security of a computer system, "that's bad, but it's not terminal," Northcutt says.

"Until the data actually gets out of your organization and into the hands of your adversary, you haven't lost."

Unfortunately, in the case of the recent attack, hackers are believed to have stolen sensitive government information.

Executive spear-phishing

The attack on Canadian government computers involved a technique called executive spear-phishing or whaling.

According to reports, servers in China gained access to a number of Canadian government computers.

The hackers, posing as senior bureaucrats, then sent emails to the department's technical staffers, conning them into providing key passwords to government networks.

At the same time, the hackers sent other staff seemingly innocuous memos as attachments.

The moment an attachment was opened by a recipient, a viral program was unleashed. 

The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.

Northcutt applauded the Canadian government for responding to the attack, which was detected in January, by disconnecting its computers from the internet.

He said that is a good move if you believe your system has been successfully compromised and the attack is ongoing.

The next step is to bring in experts who can find the malware responsible for the attack and help figure out where the data is headed.

Northcutt added that most organizations never even detect when a cyberattack is underway. Partly, that is because security systems tend to monitor data entering rather than leaving the system.

"It's a big part of the problem," he said. But he added that people are starting to recognize that and install software to monitor data leaving the system through strange routes like unsecured ports.

Organizations should, of course, also be trying to prevent attackers from getting in to begin with, he said.

He recommends implementing software that only allows a certain "whitelist" of approved programs to be installed on computers or tracks the programs that are installed, in order to prevent malicious software from taking root.

Executive privileges risky

Adam Wosotwosky, principal engineer for internet security firm McAfee, said its not unusual for organizations loosen company-wide security measures for a select group of executives — something he recommends against.

"When you open up a back door like that, you're opening a back door to all your hackers."

Wosotowsky also suggests keeping web browser software up to date to minimize the chance that browsers will automatically download malware from malicious websites that employees have been lured to visit.

Companies can also ban their email system from transferring any executable files — the form that a lot of malware takes.

"There are other ways to transfer executable files," Wosotowsky said.

Education 'inoculates'

Both he and Northcutt said that, in addition to technological defences, it's important to educate employees to prevent successful phishing.

For example, Wosotowsky said, they need to know that all the text in an email can be "made up," and that the person it appears to be from may not have sent it.

Northcutt said a number of U.S. government organizations, including the New York State government, have started "inoculation" campaigns that educate employees about security threats and hold occasional drills.

"From time to time, we need to send a note to ourselves — and see how many people fall for it," he said.

He estimated that only five per cent of organizations actually do that.

But both he and Wosotowsky also acknowledge that technological measures to detect attacks are crucial even when employees are educated.

"We can't get every single employee to do the right thing," he said. "Humans make errors."