Lessons Reiterated by the New York Times Hack

As we keep interacting with folks from different types of organisations in this part of the world, and keep addressing so many ‘fallacies’ around managing Information Security, along comes news of yet another high-profile hack that reiterates some basic lessons. Here is a ‘quick take’ on the lessons we can learn…

What Happened – The Background:

– The NYT revealed yesterday that it’s computer systems had been attacked & infiltrated for the last four months – by China-based insurgents

– Apparently they got hold of the passwords of all its users – and used them to spy on some journalists who were investigating a story about the outgoing Chinese premier, Wen Jiabao

 How did they do it?

– They apparently installed 45 pieces of ‘malware’ – malicious software – in the NYT’s IT infrastructure

  •  Of this, only one was identified by their Antivirus product (from Symantec)

– And how were these installed?

  •  The technique most likely to have been used is ‘Spear-phishing’ – where a very realistic-looking mail is sent to specific, targeted people within the company with an attachment containing malware. When the person clicks on this attachment, the malware gets installed on his or her machine

–  Interestingly, the attack was not direct – it was routed via some US universities

Lessons?

– Don’t assume that your traditional Anti-Virus solution is the ‘be-all & end-all’ of your defence against Viruses & Malware

  •           Supplement it with other approaches and solutions
  •           Basically look at Infosec holistically – specific products and technologies alone cannot protect you completely

–  Educate! Educate! Educate! your users.

  •           They are the first and most critical line of defence of your company

– Your company need not always be the end-target of an attack – but you may be used as the crucial “via media” to attack someone else

  •           So you cannot hide behind the excuse that “we are a small company – we don’t have anything worth stealing”

– Remember : In today’s world, if someone wants to ‘get’ you, they will find a way. Your best approach is to assume you will indeed get infiltrated some day and how best can you be prepared to deal with it and to limit the damage

Posted by Shivangi Nadkarni, Co-Founder & CEO, Arrka Consulting

www.arrka.com | @shivanginadkarn |@arrka2

Leave a Reply