‘As the crow flies’ is a common saying, denoting that the shortest distance between two points is a straight line – ignoring any geographic landmarks that would otherwise impede the journey. This is an idiom that can easily be applied to cybersecurity, particularly in light of the recent attack against an Australian defence contractor.
The attacker, which the Australian Signals Directorate (ASD) has dubbed “ALF” (after Alf Stewart, a character in the long-running Australian TV soap Home and Away), was able to pilfer about 30 gigabytes of data from the contractor. This treasure trove included information on Australia’s involvement in the F-35 Joint Strike Fighter program as well as data on the P-8 Poseidon patrol plane, planned future Australian Navy ships, the C-130 Hercules cargo plane, and the Joint Direct Attack Munition (JDAM) bomb.
Now, if the attacker wanted to steal this information from the Government, they would have found it much more difficult. But hackers, being the clever, lazy criminals they are, knew that ‘as the crow flies’, the simplest, fastest way to get their hands on this data was to target a contractor in the supply chain, rather than the Government itself.
So how much easier was it?
Well, after initially gaining entry through an internet-facing server, the attackers had free rein in the contractor’s environment, thanks in large part to incredibly careless username and password configurations (admin/admin and guest/guest).
If this doesn’t set alarm bells ringing, you’re not paying close enough attention.
As I’ve written about before: “Hackers know there’s little point trying to attack you through the front door, especially when you’ve left the back door ajar. Why would they waste the resources and effort mounting an attack against your alabaster walls when your supply chain is filled with smaller vendors whose credentials are much easier to steal… Attacking smaller organizations in the target business’ supply chain is becoming more prevalent as the big end of town fortifies.”
The campaign against the Australian defence contractor is just the latest in a long line of these ‘supply-chain’ attacks, and a potent reminder that the old-world ‘castle mentality’ approach to cyber defence is not nearly good enough.
No one’s business operates in a vacuum. Not only must policies extend beyond your own walls, you need to have a way to identify – and deal with – attackers after an initial breach.
This is another point on which the defence contractor failed. Not only were attackers able to waltz into their environment, but, according to the Australian Cyber Security Centre, they “sustained access to the network for an extended period of time.”
Think about the number of suppliers and contractors your business deals with on a regular basis. If an attacker was ultimately after confidential information on your operations, would it be easier to target them, or you? Or flip the question – how many large organisations contract your business? What would happen if an attacker went through you, to get to them?
Simply put, security is only as strong as its weakest link. Not only should you make sure you’re not that weak link, you need to be aware of the weak links in your own supply chain. Armed with this information, as Alf Stewart is known to say, you’ll be in a position to “stone the flamin’ crows”.