Operation Megaupload: Are Companies and Organizations Negligent with Today's Cyber Threats?
Recently, an online retail store called Zappos experienced an enormous cyber attack on January 16, 2012. A data breach occurred, resulting in the loss (or compromise) of twenty-four million customer names, e-mails, physical addresses, phone numbers and the last four digits of credit card numbers. Although the incident only caused minimal monetary damage to the company in terms of intellectual property and private data, customer reputation and confidence towards the company’s e-commerce system are now lower than ever before. Investigators are still trying to piece together who is responsible for the attack, but this brings us to an important topic: the recent cyber attacks conducted by Anonymous, involving such major sites as the U.S. Department of Justice and Universal Music Group, the largest music record label in the United States.
What does this mean in terms of security posture and infrastructure assurance for these hacked companies? Was complacency to blame for a faulty security system because executives felt there was no need for a security deployment? Did they feel that their sites had negligible information that did not justify a solid security deployment? Apparently, these organizations believed so and as a result, a swift cyber attack overwhelmed their sites and caused denial-of-service and data loss.
The attack was called Operation Megaupload, created by the notorious hacker group Anonymous, a collective of hackers held responsible for recent attacks on Amazon, Paypal, major credit card companies and even major government sites such as the FBI. The attack was considered retaliation for the U.S. government’s recent crackdown on Megaupload.com, a popular file hosting site against which the federal government executed a huge piracy indictment. The FBI, Recording Industry Association of America (RIAA), and Motion Picture Association of America (MPAA) were all targeted by Anonymous.
This is a major wake-up call for these organizations. Certainly, if confidential or private data is not truly an important reason to implement security controls, then public confidence and reputation should make doing so a high priority. It is understandable that capital budgets seem to be the main factor in executive decisions not to deploy a strategic security plan, but executives must consider the monetary damage such as lawsuits, overwhelming customer calls (over 1 million calls were made in just one hour after the security incident was declared, causing significant costs in terms of productivity), and the difficulty of rebuilding customer trust. Anonymous doesn’t seem to be leaving anytime soon, and others like them are inevitably following in their footsteps. As a counter to these types of attacks, executives can purchase DDoS security products from various vendors. Arbor Networks has a long-standing tradition in the anti-DDoS space, with a variety of products that can monitor and protect networks from DDoS attacks using real-time analysis in order to detect and mitigate these types of threats. Prolexic is another, newer vendor that mitigates DDoS attacks by redirecting traffic to a Prolexic filter or cleaner device, thereby allowing business continuity.
Perhaps vulnerability assessments were not properly carried out. Maybe risk management underestimated the probability of threats occurring within their IT systems. Whatever the case may be, one thing is certain: security assurance, awareness and preparation are extremely lacking in today’s IT infrastructure. Hackers are viewed as being one step ahead of existing security defenses, but if we’ve learned one thing from Anonymous and other hackers, it is that we need to be just as competent, persistent and tenacious to keep abreast of the current threats in our chaotic cyber environment. We must recognize that security should not be taken lightly. It should be a top priority for every organization, especially those handling sensitive data. We must admit that we are not safe from anyone, at any time.