“On Friday the group posted a torrent on The Pirate Bay containing internal documents from the Arizona DPS to protest its anti-immigration policies…,” Are your clients at risk?
This happened today, an attack on the AZ state police department – following a long list of incidents brought to government organizations as well as Sony, Sega, Nintendo, and others, by the LulzSec and Anonymous hackers. Are we less safe all of the sudden? The answer is no…it’s just more apparent. These groups are using the same tools and techniques expert hackers have used for years (I’m not suggesting I know exactly what they used to break in). My point is, companies have been completely vulnerable for a long time. The problem is, the evidence has been hidden. These groups have chosen to make a political statement, while groups such as those who worked along side Albert Gonzales were stealth.
The change here of course is the nature of the attack. Suddenly you are at war if you take a stand that opposes another’s ideology. The issue here:
“SB1070 is a controversial anti-illegal immigration measure in Arizona that makes it a misdemeanor crime for aliens in Arizona who have been required to register with the U.S. government to not have their registration documents with them. It also imposes stiff penalties on people who harbor illegal aliens. “
This could be government policy, your client’s position on a government policy or social issue, or a new product launch or customer service issue your client is involved in that somehow disturbs an opposing group. Suddenly your clients are at risk if they do anything these groups don’t like. The next step will be for groups like these to attack on behalf of disgruntled people who are willing to pay to shut someone down. Of course this sort of thing is not new, but expect this trend to continue, even if law enforcement does manage to track these individuals down. It’s a small scale cyberwar.
What’s at stake? Many companies, when asked, say they aren’t that concerned with security. They don’t have anything worth money, or they don’t really care about down time. What that really means is, they really think something will happen to them. In other words, the likelihood is low, therefore the impact is not worth worrying about. AZ police are suddenly concerned…
“AZ DPS documents …show a mishmash of …files, including various situational awareness bulletins, a complementary invitation to a border security conference, and a street price list for various illegal drugs. There also are personal photos of men holding fish, ostensibly after catching them.
Additionally, the torrent contains a graphic video–apparently taken from a camera inside a police cruiser–showing an AZ law-enforcement officer throwing an unidentifiable metal object across a highway and then being hit by a car. The files are assumed to have been extracted from the email accounts of AZ DPS personnel.”
On one video I viewed online, the issue was security of their officers. Interviews online explain that having stolen documents and personal information put their team in jeopardy. This would be true of just about any company. While the IT people are claiming to have it covered, and company budget approvers are half listening but more intent on saving money, employees are at the mercy of hacker groups who could easily have their payroll and personnel records published online in a few hours.
WHERE DO WE GO FROM HERE?
Putting cybercrime briefings together for your clients is likely the highest value you can be providing to those who believe they have it covered. This issue is almost always a belief that they are not likely to suffer harm for whatever reason. If you want to reach decision makers, put your high end consultants on the stage discussing what is happening, showing why, relating possible impact of local business leaders, and offering advice on what to be doing.
COMMENTS and EXPERIENCES WELCOME…
** Quotes taken from InformationWeek: http://www.informationweek.com/news/government/security/231000377
© 2011, David Stelzl
