Cyber Attacks: The Simple LessonIncidents against U.S., Israel Show Need for Application Security
Hacktivist attacks against U.S. and Israeli sites illustrate a clear message. If you have unprotected web applications, you will suffer the consequences, says cybersecurity expert Amichai Shulman.
Shulman, chief technology officer at IT security provider Imperva, says it's a very simple lesson for organizations. Those who take the time to put in real web protections avoid the repercussions of an attack.
"If you don't put real web-application defense out there - not just your network firewall or installing antivirus - but web-application firewalls and data firewalls, you will be successfully hacked," Shulman says in an interview with Information Security Media Group [transcript below].
Attacks, like the ones Israel experienced, are happening all the time, Shulman says, and it should serve as a reminder that the necessary steps need to be taken. "It's a wake-up call for everyone out there with a web presence that this is happening," he says.
In the interview, Shulman explains:
- Why Hamas, the military and political organization that governs Gaza, is unlikely involved in the cyberattacks;
- Why Israel isn't conducting a cyberwar against the Palestinians in Gaza in connection with its bombing attacks;
- How the DDoS attack against Israeli sites differ from those launched against American banks in recent weeks.
At Imperva, Shulman heads its research organization that's focused on security and compliance. Prior to co-founding Imperva, Shulman started and served as CTO of Edvice Security Services, a consulting group that provided application and database security services to major financial institutions. As a member of the Israel Defense Forces, Schulman led a team that identified new computer attack and defense techniques. He holds a bachelor of science and master degrees in Computer Science from the Technion, Israel Institute of Technology.
Israeli Cyber Attacks
ERIC CHABROW: You gained a lot of expertise on cybersecurity as a member of the Israeli Defense Forces. And, Imperva was formed by former members of the IDF. From your perspective, what types of cyber attacks have occurred against Israeli government and business websites and systems, and what type of damage has been inflicted?
AMICHAI SHULMAN: It's very important to understand that the same attacks that we're seeing over the past few days against government sites in Israel, as well as commercial sites in Israel, are the same attacks that we're seeing on a daily basis all over the world all the time. We're seeing denial-of-service attacks. We're seeing mainly hacktivists trying to deface the front page of web servers. We're seeing attackers trying to launch application-layer attacks and grab sensitive information from databases of web applications. And we're seeing that happening on a daily basis all the time, either from hacktivists or criminal groups.
We have experienced in the past few days some increase in the volume of these attacks in Israel, but certainly not something that we haven't seen before. It's very simple. If you have an unprotected web application, you will suffer the consequences and you will have your front page defaced. You might have sensitive information, like customer data, stolen from your database and we have seen some publications in the last few days indicate that some applications were indeed hacked.
I don't know whether there actually have been any successful attacks against the government side, maybe some small and unimportant application somewhere. But I don't think that any actual government-related website was indeed hacked. We do know some small commercial sites have been suffering at least some downtime in the past few days, but again this is something that we're seeing in Israel and some other countries - the U.S. and U.K. - on a daily basis.
Defining a Successful Attack
CHABROW: You used the term "successful attack." How would you define a successful attack?
SHULMAN: If the attacker's trying to take down your application, then it's a successful attack and one in which the legitimate clients of that application or server are not able to receive service. If you're tying to get into customer information from a retail application, then a successful attack would be one in which you're actually able to grab sensitive information from the database. That's not necessarily the publishing of it, but for most attackers, getting their hand on credit card information and being able to then exploit it, or getting their hands on identity information and using it later for identity theft, would be a successful attack. From the hacktivist point-of-view, a successful attack is being able to publish allegedly stolen and sensitive information about the other side.
CHABROW: There have been published reports where there was a release of some information from some of these attacks. You don't think these have been damaging at all?
SHULMAN: We aren't seeing this type of information being published and pasted to various sites on the web on a daily basis. It comes from retail sites and web applications all over the world over time, and it might have been the case that the information published by the alleged hackers is really something that they had recently grabbed from maybe a site. It might be that they collected information that contains Israeli e-mail addresses from other hacked applications over the years. If someone grabs Facebook credentials in one way or another, then some of them are probably Israeli. If someone grabs Gmail credentials, some of them are from Israel. It might be that this is really a successful attack against an Israeli site. It might be just a collection of Israeli details from other hacks.
Similarities between U.S., Israeli Attacks
CHABROW: You're aware of the series of attacks against American banks in recent months. Do you see a similarity between what's happening in Israel over the past few days and what has been happening to American banks?
SHULMAN: If I had to guess, I would say these are not similar things, and I think that the scale that we had seen in the attacks against the U.S. banks was very different, different to the point that it suggests some state-sponsored activity. What we're seeing now against Israel is mostly nuisance. The attacks that we've seen on American banks months ago were probably a signal of maybe a Cold War going on between the U.S., Israel and Iran about who's able to take down who in cyber space. Or it's some sort of retaliation for Stuxnet and Flame and now we're indicating that the Iranians do have some capabilities. That's a speculation, but I do think that these are different things.
CHABROW: Besides these hacktivist-type attacks, you don't see any other players or motivations involved in the recent attacks in Israel, perhaps coming from Iran or help from Iran?
SHULMAN: Hacktivists have to eat, breathe and get their computer equipment from somewhere. They need sponsorship from time to time. Whether this is sponsored by Iran, it could be. It certainly doesn't look like a state-sponsored sophisticated attack.
CHABROW: I've heard a lot over the past few years that the only kind of cyber war is as a component of a kinetic war, and I'm wondering whether you're aware of any kind of offensive steps Israel is taking in cyber space that supports its defense against the missiles being launched from Gaza.
SHULMAN: This is one of the things we sometimes forget about cyber war, and it's very asymmetric. States like Israel, the UK and the U.S. are much more vulnerable on the defensive side than their opponents. There's no real cyber dependent on the opposition side that justifies that.
Definitely, in terms of eavesdropping, in terms of jamming communication and so on, you will see that. That's for sure. Certainly, if you're going against a more complex and sophisticated target like Iran's nuclear program, you'd probably be using this kind of technique. In the current military conflict that we have with Gaza, I don't really see where sophisticated cyber war has been a real thing.
I don't think that this is one conflict that we'll see cyber war really being a part of. In terms of the other side, there's the hope for them to try and achieve something. Whether they have the capability, I doubt that. Whether states like Iran have the capability, they might.
CHABROW: Are there any lessons to be taken away by other organizations around the world, even including other governments and businesses from the way Israeli sites have handled these attacks?
SHULMAN: I think there are clear lessons. If you look at the list of web servers and applications that have been defaced, for example, those that were under attack but maintained their posture, you can see a clear difference. The first group did not bother to put any real web protection, and the second did. It's as simple as that. If you don't put real web-application defenses out there - not just your network firewall or installing antivirus and being able to protect - if you're not putting in real web protection - and there are tools out there, web-application firewalls, data firewalls - if you're not using that kind of technology, you will be successfully hacked. The lesson is not only for that point in time where we have military conflicts, as I said earlier. These attacks are occurring all over the world on a daily basis by criminal organizations, as well as hacktivists. It's a lesson and wake-up call for everyone out there with a web presence that this is happening. This is real and if you don't get real protection and if you don't get application protection in place, you will be hacked.