Data/Cyber/Cloud Security, Privacy, Website Security, Data Encryption, Malware/Viruses, Open Source Intelligence, Cyber Defence, Data Breaches, Travel Reviews & Photos
Months have passed from the last major story relating to Anonymous and LulzSec. It seems they are back with “robin hood” tendencies, leading a “Christmas-inspired assault” and would “use the credit data to take a million dollars and give the money away as Christmas donations” to charities. The latest target was Strategic Forecasting Inc which is an intelligence think tank with around 70 staff based in Austin, Texas, USA with clients from Apple, Police departments to the US military.

With such sensitive data, large corporate clients and military clients you would think their IT security would have been a lot stricter and harder to penetrate. From our quick analysis and without going into too much technical detail they failed in three very basic and cheap to implement areas: not putting sensitive data on a web server, not encrypting documents and not isolating data.

For a start putting any kind of data on a forward pointing web server (website) is a bad idea. Stratfor had to have theirs “suspended” after “learning that its website had been hacked”. This would have been very easy to avoid by only putting what you want to be seen on a website, then if it is breached the only data which can be stolen is publicly visible data. Another simple trick is do not have your web server within the network, again if you breach the web server you cannot get into the internal servers.

Sensitive data should be encrypted document by document to stop other internal company departments viewing or pinching data, after all Anonymous said that they were “able to get the credit details in part because Stratfor didn't encrypt them”. If data is encrypted suitably and securely if leaked it can be next to impossible to decrypt it, “Anonymous tweeted a link to files online. It said the files contained 4,000 credit cards, passwords and home addresses belonging to individuals on the think tank's private client list.” Once this information has become public, it is virtually impossible to remove it. The good news is, by following our advice, you will never be in that situation.

Lastly the biggest trick in the book which a lot of IT security professionals will not think of or tell you is isolation. What makes computers and there network insecure? Hackers, spyware or malware. Neither, the internet cable! Take a laptop with ultra sensitive data on, it is very secure till you plug in a cable. Take away the cable and the only way at getting it is to steal it. Isolation makes data nearly 100% secure, is simple to implement and is very low cost. Take Stratfor for instance, 70 staff and not all will need access to intelligence data. Give each employee two screens and two desktop computers. One is for basic email and internet browsing which is linked to a server with internet access. Desktop number two is connected to a server with no outside access. All sensitive data should be stored on the network with the isolated server. Breach the email and internet computer network and there will be no way to get at the isolated data network.

A good simple way to make a network in which this could never happen is to buy, say, 70 desktops computers, a server and a method to backup it up using encrypted tapes. Once a day take a copy of the server, encrypt it and place it onto a tape. Store it offsite and hey presto you have a bullet proof network. Companies, governments and military departments should really think about this method because attacks by Anonymous, LulzSec and foreign states will not decrease and Anonymous has even warned that it has "enough targets lined up to extend the fun fun fun of LulzXmas through the entire next week." They show no sign of slowing down, so follow these simple rules and make sure you don't get caught out!