The Hacking Team Breach - How the for Hire Hackers Got Hacked

...

A Look at the effects of the Remote Control System (RCS). A research published by the research laboratory Citizen Labs show that the RCS tool can infect the target device’s microphone, camera, keyboard and even a few services on the device. RCS can take control of the microphone to listen to every conversation of the target. An image released by the Citizen Labs shows a device monitoring someone named Jimmy Page. The notable thing about the image is that the subject’s location is in an access controlled parking lot of an LA sheriff’s office. (see Figure 1)

---------------------------------------------------------------

Figure 1. (Source: Citizen Lab)

Security Lessons from the Hacking Team breach

There is lot to learn from the Hacking team breach in the security point of view for organizations. There is a huge difference between a hacker who is trying to steal an individual’s credit card information and someone who is trying to breach into an organization to leak vital data as in the case of Hacking Team. Whatever the case maybe, no matter how secure an organization is there is always scope for attackers, and the likelihood of a breach is rapidly increasing. The following steps can be taken by an organization to avoid the risk of an attack.

Risk Management. The Institute of Risk Management defines risk as “The combination of the probability of an event and its consequence” where “consequences can range from positive to negative.” Events with negative consequences are most likely to affect any organization’s objectives. These risks can be addressed at multiple levels: strategic, tactical and operational. From

---------------------------------------------------------------

the Hacking Team breach one can learn that it is an “aggressive attack” with elements of elements of revenge, spite, politics, and intimidation. The first lesson is that the risk of attacks of this nature is higher than it has ever been. Unfortunately, too many organizations approach IT risk analysis in isolation from other aspects of the organization, often working toward a checklist of the usual suspects, from malicious code infection to employee sabotage to power outage. Sure, those threats are important, and so are the controls that you put in place to mitigate them. However, any organization needs to be sure about objectively assessing the lengths to which some people will go to thwart the organization’s objectives through systems abuse.

Situational awareness. Most organizations these days miss this important aspect of risk management. In the context of today’s highly connected global society, situational awareness at the organizational level means knowing who doesn’t feel good about the organization.

Incident response preparedness. In these days it is pretty much inevitable that things will, at some point, go wrong for any organization. Therefore, organizations need to reduce the chances that things will go wrong and be prepared to respond when they do. The point is that any organization needs to be able to respond effectively to adverse incidents, regardless of their origin. This is the art and science of incident response and incident management. As seen in the Sony Pictures Hack3 the incident response was very well done. They came out saying the breach was beyond passwords and network security woes and every detail of the breach was given to the authorities by the company for a full investigation.

3On November, 2014 a hacker group leaked confidential data of Sony Pictures which

included the sensitive and personal information of all employees at the company. This hack came with a physical threat in case of the release of their new movie “The Interview”. Later

---------------------------------------------------------------

investigations by the Unites States intelligence authorities after evaluating the software and techniques used, confirmed the attack was sponsored by North Korea.

Bring your own device policy. Data Breach Study estimates that the cost of dealing with a data breach increased by 15 percent in 2014 and will continue to rise. Employees and their devices are the front line of any organization. To safeguard the organization from internal threats and external factors, specifically targeting individual employees, it makes great sense to focus on employees themselves to lessen the chance of any harm. This is why security awareness and securing the own device of employees should be the main focus of any organization.

Defense in Depth. “A security system is only as strong as its weakest link” (Ferguson, Schneieir,

& Tadayoshi, 2010). The concept of defense in depth is to use multiple layers of defense strategies in the network infrastructure to protect the internal vital data from a breach. It should be best interest of any organization to implement a proactive defense strategy.

"Risk = Threat X Vulnerability" (Cole. Fossen. Northcutt. Palmeranz., P. 306)

A threat can be thought of anything that can potentially affect the confidentiality and integrity of the data. Vulnerabilities are weaknesses in systems or devices that allow threats to compromise a system. These can be a result of services running, unpatched systems, poor configurations, etc. Just like threats, vulnerabilities exist in all systems. However, not all vulnerabilities are bad and have to be stopped. In fact some vulnerabilities are necessary to provide functionality and operations. It is when the vulnerability meets up with the threat that the Confidentiality, Integrity, and Availability of systems, and the data they hold, are in danger of compromise. Vulnerabilities are really the only variable that we maintain some control over. Threats are always going to be there and, for the most part, will be out of our control. Therefore, a Defense in Depth strategy will

---------------------------------------------------------------

take aim at the reduction, removal, and separation of vulnerabilities. A good defense in depth will always help out an organization in case of a potential data breach.

How the Hacking Team data breach could have been prevented

Though the Hacking Team breach was considered one of the biggest data breaches in history, it could have been prevented very easily by the Hacking Team organization. This shows how vulnerable