Nowak, principal research analyst for the Information Security Forum, an independent global authority, says most organizations misunderstand hacktivism. They view hacktivist attacks as IT or Internet-security problems. Instead, they should approach hacktivism as a business and reputational threat.
Hacktivist attacks are different from attacks waged for financial gain, Nowak says. Consider 2011's high-profile hacktivist attacks against Sony, the CIA, the U.S. Senate and PBS. LulzSec, the group claiming responsibility, said it wanted to send a message about freedom and its support of the anti-security movement. The attacks were meant to embarrass these entities - not cripple them.
"The point of a hacktivist attack is an attack on the reputation of an organization," Nowak says. "Most organizations are not prepared to fight a public relations war on the Internet front." (See new hacktivism research from the ISF.)
The technical side of hacktivist attacks is not especially sophisticated. Denial-of-service attacks and e-mail bombing, for instance, have been around for more than a decade, and most organizations should already have technologies and solutions in place to mitigate the risks linked to those online threats.
"What is truly new about hacktivism is the public relations aspect," and that's where organizations should focus their efforts, Nowak says.
And yet this is where organizations fail. They see hacktivism as an online nuisance, rather than an emerging social and political movement, and so they are ill-prepared to protect against and respond to these attacks.
But because recent hacktivist efforts, such as those initiated by Anonymous and others, have garnered attention and been catalysts for change, organizations must expect these attacks to continue - perhaps even escalate.
"[Hacktivists] are going to discover more and more that using online means to air their grievances gives them more bang for their buck, with less risk and greater impact," Nowak says.
During this interview, Nowak discusses how best to respond to the hacktivist threat, including:
- Steps information-security and risk-management teams should take to raise awareness about hacktivist attacks;
- Proactive measures every organization should put in place to mitigate hacktivist risks;
- How proper incident response in the wake of a hacktivist attack can preserve, and sometimes enhance, reputation.
Nowak is a member of the ISF Global Team in the United States, where he is responsible for delivering client-facing projects. Nowak has contributed to ISF projects on hacktivism, cyber-citizenship and securing mobile devices. He is also responsible for ISF's Information Risk Analysis Methodology and has represented ISF as a speaker at industry conferences such as the MISA Annual Conference and the Software Assurance Forum.
Nowak has worked as an information security professional for more than 10 years in Fortune 500 companies and consultancy firms. He has experience in a wide range of information security disciplines, with a focus on software development, business continuity, and data and content management applications.