Operation Aurora – Google responds to attacks

Operation Aurora received a significant amount of press in January due to the high profile nature of Google’s response to the attacks. Not only did Google indicate that the attacks had originated from China, but that they were targeting theft of e-mail credentials of Chinese dissidents. Google responded publicly on their blog and indicated the potential that they may move out of China all together:

“These attacks and the surveillance they have uncovered — combined with the attempts over the past year to further limit free speech on the web — have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.”

Operation Aurora – More than just Google affected

Operation Aurora impacted more than just Google. The Washington Post reported that the “Google China cyberattack part of vast espionage campaign,” They went on to report:

“Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said.

At least 34 companies — including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical — were attacked, according to congressional and industry sources.”

This is one of the most blatant instances of coordinated targeted attacks taking advantage of a zero day attack against main stream businesses.

Operation Aurora – Application whitelisting would have stopped it

The foundation of the attacks was the installation of a Trojan horse that allowed for remote control of the infected system. Because it was a targeted attack taking advantage of a zero day vulnerability (one that had not yet been disclosed) it bypassed traditional endpoint security solutions, but for any system protected by application whitelisting it would have prevented the malware from executing.

Data breach costs continue to rise in 2009

I came across this interesting report of a study from Ponemon on data breaches. In their survey of 45 companies, they experienced average data losses of $6.75 million in 2009. Interestingly enough, they attribute a mere 24% of the data breach losses to malware. Since this data was self reported, I question whether this really gives an accurate picture of how much data is being lost to cyber attacks. One thing we do know is that the largest data breach in history, of Heartland Payment Systems, was a result of cyber attack and it’s not a stretch to assume that many more are attributed to similar attacks.

Protection of our critical infrastructure remains a hot topic

Two articles highlighted the continued need for security against attacks on our critical infrastructure.

• Vanson Borne conducted a research report titled “In the Crossfire: Critical Infrastructure in the Age of Cyberwar.” This report was based on interviews of 600 IT and security executives at critical infrastructure enterprises and points to their growing concern of cyber attack and readiness.
• The U.S. Department of Energy announced that they would set up a national energy cyber security organization to help focus on protecting our national power grids.

So 2010 has picked up where 2009 left off and the need for strong protective endpoint security remains top of mind for almost all world businesses. Awareness continues to grow of the power of application whitelisting and we expect 2010 to be a break through year for this technology.

These attacks also illustrate the growing need for, and strength of, application whitelisting solutions. As Aurora first gained access by attacking an endpoint within Google’s network to trick a user into installing malware, even leading antivirus software designed to detect such viruses and malicious code couldn’t stop it from running within the network.

There couldn’t be a better illustration of the reactive nature of patching and antivirus. In order to defend our IT resources we must move to an endpoint security tool that both protects against attacks we have never seen and makes up for security deficiencies in software that can lead to vulnerabilities. In this, the outcry has been against Internet Explorer, but these types of attacks aren’t unique to one application or vendor as long as our endpoint security remains reliant on after the fact detection of weaknesses, patching, and signatures. We posted a blog on this topic last week titled: “The French and German governments agree… And they are both wrong” that has generated a lot of discussion between security professionals.

This is where application whitelisting fills the gaps of other endpoint security tools. With traditional AV technologies constantly playing catch-up with new and more complex forms of Web-based malware, whitelisting shuts the door on any unauthorized application from launching in the first place. Along with its industry-wide and political ramifications, Operation Aurora is yet another example of why application whitelisting is becoming a critical component of any endpoint security strategy.