3Qs: Analyzing the cybersecurity threat posed by hackers

Jun 05, 2012 By Casey Bayer

Two weeks ago, Anony­mous, a global group of hackers, suc­cess­fully infil­trated the Depart­ment of Justice’s system and released stolen data. At the same time,  al-​​Qaida, the inter­na­tional ter­rorist orga­ni­za­tion, released a video calling for an “elec­tronic jihad” on the United States. Northeastern University news office asked Themis Papa­george, an asso­ciate clin­ical pro­fessor in the Col­lege of Com­puter and Infor­ma­tion Sci­ence, and the director of the college’s infor­ma­tion assur­ance pro­gram, to ana­lyze the threat posed by rogue hacker groups and what the U.S. gov­ern­ment can do to pro­tect itself against future attacks.

This isn't the first time the Department of Justice was hacked. What do groups such as Anonymous accomplish by hacking into these networks and releasing data? What is the motivation behind their attacks?

Groups like Anony­mous are becoming a crit­ical threat to society and national secu­rity: They attack gov­ern­ment, public and pri­vate com­pa­nies, and indi­vid­uals’ net­works and com­puter sys­tems mul­tiple times every day. When they breach a com­puter system they steal data and many times install mali­cious soft­ware pro­grams that, unbe­knownst to the sys­tems’ owners, allow for future access by the and con­tin­uous leaking of con­fi­den­tial data.

Stolen data can vary from pro­pri­etary product infor­ma­tion and other intel­lec­tual prop­erty to national-​​security data. Anony­mous and sim­ilar groups can embar­rass a gov­ern­ment or a com­pany by breaching its net­works and com­puter sys­tems and can also gain finan­cially by selling the stolen data.

The moti­va­tion of hacker groups such as Anony­mous is a key com­po­nent of the threat analysis that we teach in infor­ma­tion assur­ance courses at North­eastern. Threat agents, such as Anony­mous group mem­bers, are moti­vated by many fac­tors, ranging from per­sonal gain to revenge, peer recog­ni­tion, curiosity, and crime; to polit­ical, reli­gious and sec­ular influ­ence; and poten­tially to ter­rorism and national mil­i­tary objec­tives. We train our stu­dents to assess the cyber­se­cu­rity risk posed by each group by ranking these moti­va­tion factors.

What can government do to thwart future breaches? What challenges do federal entities face in protecting themselves from hackers?

We need to defend more effec­tively against such groups, both from a tech­nical capa­bil­i­ties per­spec­tive as well from a con­tex­tual per­spec­tive. Gov­ern­ment and public orga­ni­za­tions need to con­sis­tently imple­ment risk-​​based tech­nical coun­ter­mea­sures and con­trols for net­works and com­puter sys­tems, along with poli­cies and user awareness.

Many times a cyber­se­cu­rity con­trol, such as a soft­ware patch, may be avail­able for months before it is impliemented. People can be our most capable fire­wall by training employees to defend against social engi­neering. It is impor­tant to know not to click on a mali­cious attach­ment in an email and not to pro­vide con­fi­den­tial infor­ma­tion to an uniden­ti­fied tele­phone caller. User training and aware­ness are some of the valu­able com­po­nents in secu­rity risk management.

The greatest chal­lenges facing fed­eral enti­ties come from a lim­ited knowl­edge of the threat agents’ modus operandi.

Since the attackers have the advan­tage of choosing the method and time of attack, fed­eral agen­cies could make risk-​​based deci­sions by defending against the most dam­aging attacks only by having access to a com­pre­hen­sive and cur­rent data set of attacks and methods. This can be accom­plished by sharing attack and method data and sce­narios across fed­eral agen­cies and public com­pa­nies. This strategy would help build effec­tive net­work and com­puter system secu­rity con­trols, coun­ter­mea­sures, poli­cies and inci­dent response strategies.

Al-Qaida has called for an "electronic jihad," promoting attacks on a range of online targets. Is there evidence that a network of al-Qaida operatives could plan coordinated attacks?

Al-​​Qaida has a well-​​documented record as a ter­rorist group with mul­tiple phys­ical attacks. In terms of orga­ni­za­tional struc­ture, hacker groups have been a col­lec­tion of indi­vidual threat agents with net­working abil­i­ties (ini­tially using the Internet and also later tech­nolo­gies such as Peer-​​to-​​Peer and Bit­Tor­rent) to talk about their exploits and share mali­cious tools. Al-​​Qaida is reported to have a hier­archy but seems to operate as a net­work of semi­au­tonomous cells of threat agents whose actions are thus even more dif­fi­cult to pre­dict and stop.

There­fore, if al-​​Qaida were to acquire the tech­nical capa­bil­i­ties of a hacker group such as Anony­mous, they would be a very cred­ible and high-​​risk cyber­se­cu­rity threat. Plan­ning and exe­cuting coor­di­nated attacks in the cyber­se­cu­rity domain is very dif­ferent from exe­cuting attacks in the phys­ical secu­rity domain, because the space and time con­straints of phys­ical attacks are con­sid­er­ably reduced in the cyber domain. It may take weeks or months to plan a cyber­se­cu­rity attack, but it could only take a few min­utes to launch a denial-​​of-​​service attack, using a botnet of com­puters belonging to unsus­pecting com­pa­nies and indi­vid­uals, and poten­tially bring down a com­po­nent of crit­ical infrastructure.

Explore further: Twitter blocks two accounts on its Turkish network

add to favorites email to friend print save as pdf

Related Stories

Convenience leads to corpulence

Apr 06, 2011

Two of the biggest influences on children — parents and schools — may unintentionally contribute to childhood obesity. That's the observation of Susan Terwilliger, clinical as­sociate professor in the Decker ...

Coactivator stokes continuing fire of endometriosis

Jun 04, 2012

(Medical Xpress) -- Endometriosis, which can cause severe pain and even infertility in the estimated 8.5 million U.S. women it affects, is driven by one of the cell's master regulators ­ steroid receptor coactivator ...

First study to measure value of marine spatial planning

Mar 05, 2012

The ocean is becoming an increasingly crowded place. New users, such as the wind industry, compete with existing users and interests for space and resources. With the federal mandate for comprehensive ocean planning made ...

Teenage pregnancy is not a racial issue

Feb 07, 2012

While researchers have long set to determine if there is a tie between race and teenage pregnancy, according to a new study, equating black teenagers with the problem of teenage pregnancy is a misrepresentation of today's ...

Sony PS3 boss: 'No turning back' despite hacks

Jun 07, 2011

(AP) -- The head of the Sony Corp. unit that makes the PlayStation 3 game console says there's no going back on a push to offer always-connected play despite a series of hacking attacks that downed its network and will cost ...

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 0

More news stories

Students take clot-buster for a spin

(Phys.org) —In the hands of some Rice University senior engineering students, a fishing rod is more than what it seems. For them, it's a way to help destroy blood clots that threaten lives.

First steps towards "Experimental Literature 2.0"

As part of a student's thesis, the Laboratory of Digital Humanities at EPFL has developed an application that aims at rearranging literary works by changing their chapter order. "The human simulation" a saga ...

Finnish inventor rethinks design of the axe

(Phys.org) —Finnish inventor Heikki Kärnä is the man behind the Vipukirves Leveraxe, which is a precision tool for splitting firewood. He designed the tool to make the job easier and more efficient, with ...

Hyperbolic homogeneous polynomials, oh my!

Cutting-edge mathematics today, at least to the uninitiated, often sounds as if it bears no relation to the arithmetic we all learned in grade school. What do topology and combinatorics and n-dimensional ...