Editor’s note: As 2014 draws to a close, the news has been dominated by high-profile breaches, country-wide Internet outages and widespread discussion about the current state of information security. The OpenDNS blog team sat down with Senior Security Research Lead Andrew Hay to talk about the real takeaways from from this month’s news and what it means for security professionals. You can also read Andrew’s technical analysis of the attack here.

There has been a lot of discussion about the Sony Pictures attack, but what are some of the security implications for the average security practitioner?

What we do know is that the FBI said that the attack targeting Sony Pictures could have affected 90 percent of organizations in the world. The FBI is basically saying this breach could have happened to anybody. Security professionals still need to realize that a motivated, persistent attacker can get to you.

To use a sports analogy, attackers are playing “man-to-man”—they just have to worry about beating your organization. But security professionals have to worry about beating these attackers and everyone else. You’re playing zone defense. It’s hard to play zone defense against everyone on the Internet.

This risk means that security professionals need to reevaluate their systems and make sure they’re able to react faster and “play zone” better.

One aspect of this story that seems underreported is the extortion angle. Do you think 2014 was the year that attackers focused their efforts on blackmailing companies?

I suspect that when the 2015 Verizon Data Breach Investigations Report (DBIR) comes out, it will show the same trends in breaches that we have seen in past years. I think that reported extortion incidents will be relatively flat. What’s changed is that these incidents are becoming more widely publicized. More media outlets are covering high-profile extortion incidents. There’s more and more conversation on social media, so people are being more vocal about ransomware.

It used to be that these data breaches were just about making people look bad (e.g., the LulzSec campaign from a few years back). But now we’re seeing data breaches that cause real economic damage or worse. Recently there was a nuclear facility in South Korea that suffered a breach and was being extorted by hackers. It was a standard extortion scheme—but compromising the machines at that kind of facility is much bigger and is a more important concern than anything else that’s in the news right now.

What is the upshot of this increased publicity for breaches?

The increased publicity is helping to make a stronger case for a bigger security budget. The old idea that “it’s never hit us before, so it’s not our problem” has been replaced by the understanding that every organization is at risk. Organizations are now seeing neighbors getting hit. That makes them look inward and see what they need to do. The conversation has definitely moved on beyond the days when security folks were just checking the box for PCI compliance.

Are attackers just getting better at monetizing their attacks?

Monetization is the number one motive. There was a huge amount of money collected by Cryptolocker and its clones in a short amount of time, all through extortion.

With cryptocurrency and underground markets, there are now much easier ways to hide your tracks post-extortion. A whole other underground economy exists primarily to help launder this money.

Bonus question: Do you know who knocked North Korea off of the Internet earlier this month?

No one does, but you can see the problem just by looking at their peering connections. The Internet was designed to allow for multiple paths, so that if any one path goes down, the data keeps flowing. Something as simple as a ship’s anchor snapping an undersea cable or a backhoe operator digging in the wrong place can take a network offline.


The problem is that some networks only have one only one or two peering connections. North Korea’s Internet ASN (see above) is one of those networks. If the peering connection goes down, your Internet connection goes down.


You can see how pronounced the difference is when you look at the peering relationships of countries like the Canada (above). With one point of failure, anything could take their network offline.

This post is categorized in: