The recent attacks against the New York Times allegedly carried out by the Chinese military highlight the importance of layered security to protect sensitive systems and data.
The New York Times outlined in a Jan. 30 report how attackers stole passwords belonging to every employee, read company emails, and accessed several computers in order to find information relating to China's leaders and corporations over a four-month period. Employee data and files related to the publication's coverage of China's prime minister were not exposed, Jill Abramson, executive editor of the Times, said in the report. The attackers appeared to be looking for the names of people who may have spoken with the reporters who wrote a series of stories on the prime minister.
The New York Times noted in the report that during the course of the breach, attackers installed 45 pieces of malware. It appears the company's antivirus product—from Symantec— detected and quarantined only one of them. In response, Symantec pointed out that the New York Times should not have just relied on the antivirus product for its security.
"Advanced attacks like the ones the New York Times described…underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions," Symantec said in a statement on Jan. 31. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough," the company said.
"Innovative and clever" attacks such as the one against the New York Times is why security experts recommend organizations deploy layered security mechanisms and not just rely on one single mode of protection, Kurt Hagerman, the director of information security at FireHost, told SecurityWeek. The best defense for Web applications and software is an intelligent security model, which incorporates numerous layers of protection, including DDoS mitigation, IP Reputation Filtering, web application protection, virtual and hardware based firewalling, and IDS/IPS, Hagerman said.
Security experts often liken security technologies and defenses to Swiss cheese, with each one having some holes. However, if you layer several slices of cheese on top of each other, the holes get covered up so that the cheese becomes a solid surface. In the same manner, experts recommend that organizations implement several different products in order to fill in the gaps in security.
Businesses using multiple protective methods "have the best chance to prevail," Hagerman said.
Using just signature-based anti-virus scanners "are not enough in a world that is changing daily from attacks and threats," Symantec said in its statement, noting the company's endpoint security products have "advanced capabilities," including reputation-based technology and behavior-based blocking, designed specifically to target sophisticated attacks.
It wasn't specified in the report which Symantec product the Times used, or whether the advanced features in the security suite were enabled. It's also not clear at this point what other types of security may have been in place at the New York Times.
"One of the chief reasons for this kind of security failure is our continued reliance on signature-based anti-malware technologies, such as traditional antivirus and intrusion prevention systems," John Prisco, CEO of Triumfant, told SecurityWeek. Antivirus and intrusion prevention systems are still the cornerstones of enterprise security, and organizations need to start changing "the way we approach cyber security," Prisco said.
The security conversation needs to shift away from antivirus and look at security products that do innovative things at the endpoint, Invincea's CEO Anup Ghosh told SecurityWeek in an earlier interview. "Stop looking at the endpoint as if you've got it taken care of through an anti-virus suite," he said. Instead, organizations should be looking at new security technology that is not based on signatures, not reactive, and not based "on the notion that you have to keep up with the latest threats," he said.
For example, Invincea "bubble-wraps" the user by having the user open PDF documents or surf the Web using a virtual environment. If the user triggers an attack or downloads the malware, it's just the virtual instance that is compromised, and as soon as the user closes the session, the infection is automatically removed. FireEye also uses a virtual environment to trap attacks and block them from damaging the user's computer or spilling into the rest of the network.
"Take a chance on new technologies at the endpoint - perhaps even to the point where you rip out subscription based A/V if you need budget replacement," Ghosh said.
The New York Times worked with security firm Mandiant to investigate the attacks and remove the intruders. Mandiant is still unclear how the attackers breached the network in the first place, but it's possible staffers were spear phished via a malicious attachment or a poisoned link, according to the report.
The attacks appear to be part of a broader computer espionage campaign against American news media companies, the New York Times said, citing reports of attacks against Bloomberg News last year. The Wall Street Journal also said its computer systems had been breached by Chinese attackers.
"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information," Paula Keve, chief spokesperson for Dow Jones, the parent company for the Wall Street Journal, said in a statement.
China, which has blocked access to the New York Times’ website since its report on Wen's wealth, said it was "groundless" to suggest the incident was any state-endorsed hacking.
Speaking to PBS on Thursday, Mandiant’s Grady Summers was asked if the attack against the Times was a particularly sophisticated and technically proficient attack.
“We find that these attacks are as technically proficient as they need to be in order to break in to an organization,” Grady told PBS. “In the case we heard about in the New York Times today, it was maybe a six or a seven on a scale of one to ten. We certainly see these attackers become very sophisticated when they need to be. In some cases a simple spear phishing email, and what we call commodity malware will do the trick.”
Also speaking to PBS, New York Times reporter Nicole Perlroth, who wrote the story on the hacking, gave credit to her employer for coming forward with the story. “I really credit the Times for letting this story be told,” Perlroth said. “As Grady [Summers] can probably tell you, there were hundreds of other organizations targeted by the same group that hit the New York Times, you just haven’t heard about any of them.”
A video of the PBS interview with Nicole Perlroth and Grady Summers is embedded below.