IT World Canada

Lessons from South Korea cyber attack

There are valuable security lessons for Canadian government agencies and businesses in the cyber attacks that caused massive disruptions for South Korean financial firms and media outlets yesterday, according to a Toronto-based security expert.

“These attacks were clearly meant to intimidate and demonstrate that the South Korean systems can be taken down,” said Claudiu Popa, principal of Informatica Corp., an international IT security firm and author of several books on security and privacy issues. “They can also serve as a wakeup call for Canadian businesses, government departments and agencies that it’s time to harden their systems.”
 
He pointed out that the attacks suffered by the South Korean institutions were not meant to steal information but rather to show that the attackers had the ability to cripple vital networks.

Computer networks of at least three media broadcasters, an Internet service provider and two banks were paralyzed Wednesday. The attack involved defacement of the ISP's website and crippling of the servers belonging to the other organizations.

Security software company McAfee Inc. said the attack wiped out the master boot records (MBR) of the hard drives of the infected computers, overwriting the MBRs with a set of three different data strings.

“The attacks also overwrote random parts of a file system with the same string, rendering several files unrecoverable,” a blog post by malware researchers Jorge Arias and Guillermo Veneer said. “So even if the MBR is recovered, the files on disk will be compromised too.”

The attack then forces the system to reboot, after which the computer cannot start because its MBR is corrupted.
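What that damage looks like on disk, and how a responder can tell a wiped MBR from an intact one, is shown by the following Python triage script. It is an added example and not code from the article, McAfee or Symantec. The wiper strings (WIPESTR1, WIPESTR2, WIPESTR3), the 64-sector image layout and the simulate_wiper() routine are constructed for the demonstration; the page does not name the real overwrite strings, so a real investigation would substitute the indicators published by the vendors.

```python
"""Triage helpers for an MBR-wiper incident of the kind described above.

Added example; not code from the article, McAfee or Symantec. Runs on a raw
disk image (or a block device opened read-only). The wiper strings, image
layout and simulate_wiper() are constructed stand-ins for the demonstration.
"""
import hashlib
import os
import random
import struct
import tempfile

SECTOR = 512
# Constructed stand-ins for the three overwrite strings; swap in vendor IOCs.
WIPER_STRINGS = (b"WIPESTR1", b"WIPESTR2", b"WIPESTR3")

def build_sample_mbr():
    """Construct a minimal valid MBR: zero boot code, one bootable partition, 0x55AA."""
    mbr = bytearray(SECTOR)
    # entry 0 at offset 446: status, CHS start, type, CHS end, LBA start, sector count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                               b"\xfe\xff\xff", 2048, 1 << 20)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def repeating_pattern(sector, max_len=32):
    """Return the printable byte string that fills `sector` by repetition, else None."""
    for n in range(2, max_len + 1):
        unit = sector[:n]
        if not all(32 <= b < 127 for b in unit):
            continue                      # wiper strings in the write-ups are text
        if unit * (SECTOR // n) + unit[: SECTOR % n] == sector:
            return bytes(unit)
    return None

def classify_mbr(sector):
    """Classify one 512-byte sector as valid, zeroed, repeated-string or corrupt."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sector == b"\x00" * SECTOR:
        return "zeroed"
    if repeating_pattern(sector) is not None:
        return "repeated-string"          # the overwrite pattern described above
    if sector[510:512] != b"\x55\xaa":
        return "corrupt"                  # boot signature missing
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return "corrupt"                  # status byte must be inactive or bootable
    return "valid"

def scan_image(path, wiper_strings=()):
    """Report the MBR state and every sector filled with a repeated (wiper) string."""
    hits = []
    with open(path, "rb") as f:
        state = classify_mbr(f.read(SECTOR))
        f.seek(0)
        lba = 0
        while True:
            sector = f.read(SECTOR)
            if len(sector) < SECTOR:
                break
            pat = repeating_pattern(sector)
            if pat is not None and (not wiper_strings or pat in wiper_strings):
                hits.append((lba, pat))
            lba += 1
    return state, hits

def mbr_matches_backup(path, backup_sha256):
    """Compare sector 0 against the hash recorded when the MBR was known good."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(SECTOR)).hexdigest() == backup_sha256

def simulate_wiper(path, seed=7):
    """Constructed model of the wiper: overwrite the MBR, then five random sectors."""
    rng = random.Random(seed)
    n_sectors = os.path.getsize(path) // SECTOR
    fill = lambda s: (s * (SECTOR // len(s) + 1))[:SECTOR]
    with open(path, "r+b") as f:
        f.write(fill(WIPER_STRINGS[0]))
        for _ in range(5):
            f.seek(rng.randrange(1, n_sectors) * SECTOR)
            f.write(fill(rng.choice(WIPER_STRINGS)))

def demo(path=None):
    """Build a 64-sector image, hash its good MBR, wipe it, then triage it."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "disk.img")
    good_mbr = build_sample_mbr()
    rng = random.Random(1)
    with open(path, "wb") as f:
        f.write(good_mbr)
        f.write(bytes(rng.randrange(256) for _ in range(SECTOR * 63)))  # fake FS data
    backup = hashlib.sha256(good_mbr).hexdigest()
    before = (scan_image(path)[0], mbr_matches_backup(path, backup))
    simulate_wiper(path)
    state, hits = scan_image(path, WIPER_STRINGS)
    return before, state, hits, mbr_matches_backup(path, backup)

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the image classified as valid and matching its recorded hash before the simulated wipe, and afterwards as repeated-string with sector 0 plus a handful of random sectors filled with the constructed strings. The hash comparison is the cheap check that a pre-recorded MBR backup (dd of sector 0, hashed and stored off-host) makes possible; the full-image scan is what confirms the second half of the McAfee finding, that restoring the MBR alone does not bring back the overwritten file-system sectors.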

The office of the South Korean government told media that the disruption was caused by malware and that investigators are looking into possible involvement by North Korea. A week earlier, North Korea suffered an Internet outage that affected users of the country's 1,024 Internet Protocol (IP) addresses for over a day.

Symantec Corp. yesterday said it detected malware in the attacks under the names Trojan Horse, Trojan.Jokra and WS.Reputation.1. Today, the company said it also found that the attackers employed a malware component used to erase Linux machines.

“The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula and these attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands,” Symantec said.

South Korea is reported to be upgrading its cyber surveillance posture and has accused its neighbour of hacking into the computer systems of the country's government agencies and financial companies over the years. North Korea has denied these allegations.

Popa said the real lesson behind yesterday’s disruption is that organizations need to continually review their networks and address vulnerabilities diligently.

“Being lazy will always backfire,” he said. “If organizations take the time to plug vulnerabilities as fast as they can, they can avoid being victims of attacks such as this one.”

Popa said government as well as business IT administrators and decision makers should:

– Make sure networks are resilient enough to withstand threats and that vital and operational systems are still able to operate even in the face of a cyber attack

– Create an effective back up strategy that outlines policies, procedures and allocates resources aimed at security, storage and recovery of data; continuity of operations; and quick return to previous capacities

– Review disaster recovery and business continuity plans regularly and frequently, with an eye to finding loopholes, weaknesses and opportunities for improvement
 
“There is no magic pill, but the real enemy here is complacency,” Popa said. “Protecting against security attacks involves a layered approach that requires continuous monitoring, relentless testing and cyclical remediation.”
 