No one is safe and any organisation is fair game, says Martin Walshaw, senior engineer at F5 Networks.
The World Anti-Doping Authority (WADA) released the name of the hacker group that exposed sensitive and personal information on four top American athletes, Serena and Venus Williams, Simone Biles and Elena Delle Donne.
As we hear more and more about these attacks, we need to take a step back and give credit to the names these people chose for their groups, in this case, “Fancy Bear”. You can’t make this stuff up, which also is true about these types of hacks and what they are targeting. This was not a hack for financial gain, it was not credit card numbers, or social security details. It was simply to call into question the reputation of these US athletes, and the US Olympic Commission, acting as a direct response to the International Olympic Committee’s decision to ban so many Russian athletes due to alleged “state sponsored” doping in Russia.
What’s interesting about this attack is that the target is not an organisation you would associate with being attacked. Other than potentially having its website defaced, WADA is not an organisation you would, at first glance, consider to be holding vast amounts of personal, health-related information on anyone, let alone some of the best athletes in the world. What’s also interesting is that the organisation may not have seen the risk and applied the relevant mitigations. The fact that Fancy Bear only released information on four people would lead us to assume that they possess similar medical data on additional athletes across the world. So I would imagine it will only be a matter of time before we see more information being released on other athletes, both in the US and internationally.
What can we learn from this event? It is clear that you have to know what you are trying to protect. In this case, it was the personal data of these athletes, their drug tests, and other medical information. Once you have identified the actual data you need to protect, you need to work out the ‘how’. This is not an easy task and can lead many people down a rabbit hole. In some cases, people do what they have always done and rely on the same old risk mitigations they have always used. In a lot of cases, these mitigations have not evolved with the times and cannot protect against today’s dynamic threat landscape.
Another fundamental flaw is to assume that you won’t be attacked. A myriad of IT security marketing centres on the message: “you will be attacked” or “it’s not if, but when”, and so on. While this is very much in the area of FUD (Fear, Uncertainty and Doubt), it is beginning to ring true. It seems that no one is safe anymore. From a personal security perspective, it’s easy for your details and identity to be stolen. From a professional point of view, it seems that any company or organisation is fair game now.
So it is really time to reassess your risk and review your current protections. Are they ready to take on today’s threats and attacks? Are they capable of standing up to blended attacks? Are they able to protect data, applications and identities, or do they still only protect your network?
We are going to continue to see more releases like this until we really step up our security and re-think what our security policy is and what it should be.