EASy Security Project
Anonymous vs HBGary Inc.
Prepared by: Shoua Vang, Abhinav Juwa, Chase Paul
The Security Incident
• Aaron Barr, CEO of HBGary Inc, stirred the Anonymous beehive by claiming to have information on members of Anonymous
• Anonymous is a loose coalition of internet ‘hacktivists’ who use hacking as a form of protest
• They are regarded by some as a cyber terrorist group with no clear leadership
• Barr announced he would sell the information to the FBI and other organizations
• Anonymous retaliated by
  • Hacking and defacing HBGary’s website
  • Extracting and uploading over 40,000 emails and documents to Pirate Bay
  • Deleting 1TB of HBGary backup data
  • Hacking Aaron Barr’s Twitter account, remotely wiping his iPad, and releasing his personal information to the public
  • Releasing thousands of documents, which harmed HBGary greatly
• Anonymous gained access to HBGary’s internal email server and website mainly by
  • SQL Injection
  • Social Engineering
Impact of Security Incident
Impact on HBGary Inc.
• Aaron Barr stepped down from his post as CEO of HBGary Inc.
• Loss of business with companies that do not want to be associated with HBGary after the emails were released
• Financial damages in the ‘millions’
• Pulled out of RSA conference
• Negative reputation as a security company that got hacked
Impact on Anonymous
• Glorious publicity for Anonymous
Analysis of the Security Incident using COBIT
• 5.1 Manage Security Measures
• 5.2 Identification, Authentication and Access
• 5.3 Security of Online Access to Data
• 5.4 User Account Management
• 5.5 Management Review of User Accounts
• 5.6 User Control of User Accounts
• 5.7 Security Surveillance
• 5.8 Data Classification
• 5.9 Central Identification and Access Rights Management
• 5.10 Violation and Security Activity Reports
• 5.11 Incident Handling
• 5.12 Reaccreditation
• 5.13 Counterparty Trust
• 5.14 Transaction Authorization
• 5.15 Nonrepudiation
• 5.16 Trusted Path
• 5.17 Protection of Security Functions
• 5.18 Cryptographic Key Management
• 5.19 Malicious Software Prevention, Detection and Correction
• 5.20 Firewall Architectures and Connections with Public Networks
• 5.21 Protection of Electronic Value
Based on our use of COBIT, we determined that HBGary failed 16 out of the 21 control objectives.
Problems in Control Process
From the COBIT analysis we were able to narrow it down to five main processes that should be changed or updated.
Recommended Changes in Control Process
• Reaccreditation
  • Since HBGary is using a custom-ordered content management system, they should routinely audit the system for security holes
  • Off-the-shelf software could’ve prevented the whole thing
    • Most commercial off-the-shelf software would’ve done the job to protect against SQL Injection
    • A commercial CMS would not cost as much as a custom-ordered one and would already be
• Prevention, Detection, and Correction
  • Create procedures to detect and correct vulnerable holes that exist in the system
• Security Surveillance
  • HBGary should get a Security Information Management system in place to track and log activities that are going on.
  • We would recommend TriGeo’s Security Information Manager, since we did not find any information on whether they have an activity logging system in place.
Recommended Changes in Control Process
• Identification, Authentication and Access
  • Store passwords securely
  • Establish a policy to force users to use more complex passwords
  • Establish a policy to force users not to reuse the same password all over the place
  • Establish a policy to force users to change passwords every 90 days
  • Password Reminder Pro from SysOp Tools
• Train employees against Social Engineering
  • Provide training to employees against social engineering
  • Defcon-5 provides great training for 20 employees at a flat rate of $2000 for 1-2 days