Cybersecurity Lessons from the New York Times Security Breach

Although we have no direct knowledge of the incidents and information security environment at the New York Times, based on news reports it appears that the NYT was using only antivirus protection features of Symantec’s information security solutions. The comments below are based on that premise.

Many large enterprises and government agencies are failing to follow the basic rules of cybersecurity. It is not enough to deploy a “name” security product and assume protection is in place. It is more complex than that because the bad guys are more complex.

The New York Times selected a premier vendor of security products, Symantec Corporation, to provide antivirus software. Recently, the Times was attacked by hackers originating in China. After the attacks, the Times’ security consultant reported that the antivirus software did not protect the company. I consult for DLT Solutions with some of the most secure government agencies in the U.S. My primary suite of products comes from Symantec. Their security solutions are among the best in the industry. If they had fully deployed and properly utilized Symantec’s antivirus software in their enterprise, most, if not all, of the attacks could have been prevented.

Published reports, many by the Times itself, indicate that the primary line of defense was a Symantec antivirus software product that goes by the name Symantec Endpoint Protection (SEP). SEP’s antivirus component relies on digital signatures to match against known threats. There are other components of SEP and other Symantec solutions that would have improved the paper’s odds of combating the attack. These are called “reputation” and “behavior” based technologies. They would have allowed the Times to proactively manage the first wave of attacks. A Symantec suite of products – Critical Systems Protection (SCSP) – controls behavior by preventing specific actions that an attacker might try to launch. SCSP can specify that an email application cannot spawn other processes such as viruses, worms, and trojan horses.
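To make the behavior-based idea concrete, here is an added example (not Symantec’s or the author’s code) of the kind of rule such a control enforces: a mail client may only spawn child processes that are on an allow-list, and everything else is blocked or alerted on. The log format, process names, and allow-list are assumptions constructed for illustration.

```python
"""Behavior-based process-spawn rule, in the spirit of the SCSP policy
described above: a mail client may not launch arbitrary child processes.
Added example; not Symantec product code."""
from dataclasses import dataclass

# Hypothetical policy (constructed for this example): mail clients may only
# spawn the children listed here; any other child is a policy violation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
ALLOWED_CHILDREN = {"winword.exe", "acrord32.exe"}


@dataclass(frozen=True)
class SpawnEvent:
    timestamp: str
    host: str
    parent: str
    child: str


def parse_event(line: str) -> SpawnEvent:
    """Parse one process-creation record in the constructed format:
    <timestamp> <host> parent=<exe> child=<exe>  (names compared case-insensitively)."""
    ts, host, parent_kv, child_kv = line.split()
    parent = parent_kv.split("=", 1)[1].lower()
    child = child_kv.split("=", 1)[1].lower()
    return SpawnEvent(ts, host, parent, child)


def violates_policy(event: SpawnEvent) -> bool:
    """True when a mail client spawns a child that is not on the allow-list."""
    return event.parent in MAIL_CLIENTS and event.child not in ALLOWED_CHILDREN


def find_violations(lines):
    """Return the events a behavior control would block (or a monitor would alert on)."""
    return [ev for ev in map(parse_event, lines) if violates_policy(ev)]


# Constructed sample log: one legitimate document open, two suspicious spawns,
# and one unrelated event from a process the rule does not cover.
SAMPLE_LOG = [
    "2013-02-01T09:12:03Z ws01 parent=outlook.exe child=winword.exe",
    "2013-02-01T09:15:41Z ws01 parent=OUTLOOK.EXE child=cmd.exe",
    "2013-02-01T09:16:02Z ws02 parent=thunderbird.exe child=powershell.exe",
    "2013-02-01T09:20:00Z ws02 parent=explorer.exe child=notepad.exe",
]

if __name__ == "__main__":
    for ev in find_violations(SAMPLE_LOG):
        print(f"BLOCK {ev.host} {ev.timestamp}: {ev.parent} -> {ev.child}")
```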

Sophisticated Deception

The New York Times was not confronted by a teenage hacker sitting in his basement. Sophisticated Black Hat hackers worldwide are deploying complex malware that has multiple layers of attack vectors and features such as antivirus evasion code, zero-day vulnerabilities, and network infection algorithms. The attacker’s introduction of the malware can be equally sophisticated. Attackers have been known to recon their target for months, then build hardware and software environments that mirror the target systems. They compromise digital certificates and introduce malware with email attachments or fake websites that will infect drives and propagate over the network.

Here is a common sense approach to dealing with today’s reality:

  1. Start with a review of your physical security practices. Most cybersecurity breaches are still caused by insiders, whether through deliberate malfeasance or a simple mistake. What are employees bringing into the environment and what are they taking out? Are removable drives allowed? Can employees take a hard drive home? Establish physical security policies and enforce them. Track your assets and know where they are at all times. Trust, but verify.
  2. Keep your cybersecurity solutions up to date. Patch your operating systems and verify that virus definitions are regularly updated. Many zero-day exploits are tested before being deployed against a critical target. It is encouraging how quickly the security industry can catch up to the latest malware. It is up to the enterprise to update its systems.
  3. Since attacks can be multi-layered, deploy a multi-layered solution. Protect the entry and end points, report and monitor daily, and get the latest information about attacks to the right people in your organization as soon as possible.
  4. If you are a security professional in your organization, monitor worldwide activity daily. I use Symantec’s Global Intelligence Network (GIN) and supplement that with daily reports from Microsoft, McAfee, and others.
  5. Implement and enforce a robust Change Control process within your IT Department. Too many IT personnel are allowed to make critical changes to systems and then report on the result after the fact. A proper Change Control process allows the security administrator and others in the organization to weigh in before implementing a change. I have seen IT personnel install shareware and freeware to servers without regard for vulnerabilities.

Apparently, the U.S. media is the new favorite target of hackers. Welcome to our world. Department of Defense sites, Homeland Security Agencies and even state and local governments have been dealing with Black Hatters for years. Usually, the good guys win.

Understand the mentality of the attacker: It is a game to them. The security professional, the White Hat, needs to be in “game mode” at all times. Like the famous NY Times crossword puzzle, the solution is not easy. But when the cybersecurity pieces are all filled in, the result is a secure enterprise that allows our customers to fulfill their mission and prosper.

Symantec has issued an official statement.

Interested in learning more about cybersecurity? The GovDefenders Virtual Event is a free online cybersecurity conference on April 24. Join us from your desk as experts from NetApp, Symantec, ForeScout, Red Hat, Quest Software, SolarWinds, and DLT Solutions, discuss trends, best practices, and the future of public sector cybersecurity. Register today!