Months have passed from the last major story relating to Anonymous and LulzSec. It seems they are back with their “robin hood” tendencies.
They say their “goal was to use the credit data to take a million dollars and give the money away as Christmas donations”, from the target for this was Strategic Forecasting Inc which is an intelligence think tank with around 70 staff based in Austin, Texas, USA, which has clients from Apple, The U.S. Army, the U.S. Air Force and the Miami Police Department. As you can tell, this is serious stuff.
It would seem almost obvious that with sensitive data belonging to large corporate and military clients their IT security would have been very strict and very difficult to penetrate. Unfortunately that was not the case.
From my quick analysis and without going into technical detail they failed in three very basic and cheap to implement areas: not putting sensitive data on a web server, not encrypting documents and not isolating data. It really is that easy.
For a start putting any kind of data on a forward pointing web server (website) is a bad idea, to maximise security you should only put what you want to be seen on a website, then if it is breached the only data which can be stolen is publicly visible data.
Another simple trick is do not have your web server within the network, again if you breach the web server you cannot get into the internal servers. You’re probably thinking this sounds obvious, and you’re right, it is, but you would be surprised at how many companies fail to realise this.
We live in the age of info-leaks, with modern technology it is possible to send huge amounts of data around the world in literally less than a second, therefore sensitive data itself should be encrypted on a document by document basis to stop other internal company departments viewing or pinching data.
If data is encrypted suitably and securely if leaked it can be next to impossible to decrypt it. I’m sure you can think of a lot of problems which could have been avoided if people encrypted their sensitive data.
Lastly the biggest trick in the book which a lot of IT security professionals will not think of or tell you is isolation. What makes computers and there network insecure? Hackers, spyware or malware. Neither, the internet cable! Take a laptop with ultra sensitive data on, it is very secure till you plug in a cable. Take away the cable and the only way at getting it is to steal it. Isolation makes data nearly 100% secure, is simple to implement and is very low cost.
Take Stratfor for instance, 70 staff and not all will need access to intelligence data. Give each employee two screens and two desktop computers. One is for basic email and internet browsing which is linked to a server with internet access.
Desktop number two is connected to a server with no outside access. All sensitive data should be stored on the network with the isolated server. Breach the email and internet computer network and there will be no way to get at the isolated data network.
So, how could you made your network perfect? Buy 70 desktops computers, a server and a method to backup it up using encrypted tapes. Once a day take a copy of the server, encrypt it and place it onto a tape. Store it offsite and hey presto you have a bullet proof network.
Companies, governments and military departments should really think about this method because attacks by Anonymous, LulzSec and foreign states will not decrease.