Last week, a large-scale cyber-attack hit yet another crypto-currency exchange, wiping out potentially billions of dollars’ worth of wealth. Coinrail, the exchange that was attacked, has not released specific numbers on exactly how much was stolen. That number is significant; however, it is not the key takeaway. There is one very important thing that we – the security and tech-savvy, the C-Suite and even the lay person – should all pay attention to: we need to stop calling such incidents “cyber-attacks” or “hacks.”
The term “cyber-attack” is really a misnomer. Let’s call it what it is: theft, plain old boring theft. So let’s stop calling it anything but that. Terms like “hack” or “cyber-attack” are attention grabbers – the headline intended to get you to read the rest of the article – and they sensationalize what took place. When you read or hear those terms, you probably paint yourself a mental picture of some shadowy figure surrounded by hi-tech gear and monitors resembling something from The Matrix. It’s a figure you almost revere for his prowess at the keyboard. This elite hacker has subverted all of the latest computer and network security gear of the victim to extract his bounty. Oh, the poor victim, that lonely, ill-equipped team responsible for performing the thankless and endless job of protecting the systems and data placed in their trust. How unlucky they were to be targeted by such a formidable foe! What chance did they really have!? This is probably the picture you have in your mind; it’s even the same one we see in so many Hollywood movies. Unfortunately, just like a book or movie, it’s fiction, and in reality it’s detrimental to us all.
In reality what took place is far less “glamorous”, being more akin to you leaving your wallet in your car overnight with the doors unlocked. In the night, a prowler opened your car door, grabbed your stuff, quietly closed the door, and then walked away. Admittedly this story is not as exciting, and maybe even a bit embarrassing, but it is what actually happened. With this new visual in mind let’s examine what took place with the Coinrail attack.
A small but significant crypto-currency exchange service, Coinrail, essentially left their car doors open and, just like in our scenario above, didn’t perform their due diligence. They failed to act on a security advisory posted nearly three years ago. Our prowler, probably not using much more than a decently outfitted gaming system, a web browser and a few basic tools, simply walked in through a backdoor and walked away with a significant amount of loot.
By allowing our minds to go to that flashier, spy-movie scenario, we unconsciously do something that is inherently bad for security as a whole. First, we overqualify the perpetrators, giving them more credit than is due. In this case, they simply scanned for an open port and took advantage of a three-year-old vulnerability on systems they found. Second, and most importantly, we fail to hold the victim accountable in any way. As this Hollywood mental image is so prevalent, we tend to disregard the actions or, as is more often the case, the inactions of the victim. While there is plenty of rightly placed emphasis on pursuing legal action against those who carried out the attack, we shouldn’t ignore the victim’s failure to adhere to some basic security practices. In this, and in every case I can think of (Equifax, Target, OPM, City of Atlanta etc.), the owners of the targeted system failed to properly configure their systems, patch them, and properly control access to them or monitor them. While we should, without a doubt, pursue the criminal element in each case, we must equally hold the system owners responsible and culpable.
InterDev has helped dozens of our clients find and plug vulnerabilities in their IT infrastructure. Our highly qualified security experts can perform a system-wide Vulnerability Assessment on your network to notify you of any holes in your infrastructure and recommend the best solution for your organization. As seen from the Coinrail attack, vulnerabilities are often simply overlooked, and having an extra set of eyes scanning your system can help discover things that may have been missed. Contact us today to find out how we can help protect your system.