Criminal hacking is on the rise and threatening the
security of domestic and international business, but firms must be
careful that their own negligence does not contribute to the
problem.
Even the general public is wising up due to news reports, such
as the attempt in January by criminal gangs to extort money when
Milliondollarhomepage.com was hacked using a distributed denial of
service attack.
A distributed denial of service attack uses computer hacking tools
to flood a website with traffic, causing it to respond
slowly or crash. These types of attacks are on the rise and all
businesses are vulnerable, from the smallest firms that depend on
their phone systems to the largest and best equipped multinationals
- even the likes of Microsoft have fallen victim to hacker
attacks.
There are endless ways in which cyber attacks can occur. A
denial of service attack, like the Milliondollarhomepage example,
is nothing more than a modern version of a protection racket. The
proposition is "Pay me or I will hit you".
Don't stay in denial
Denial of service attacks are hard to prevent because the
attacker can be anywhere in the world. The primary
protection/response is to identify the attacking computer and
initially divert traffic from it, and then to shut it down. Many
commercial services are available to assist with this.
Unfortunately, a denial of service attack is fairly cheap to
perpetrate, but can have expensive consequences. So denial of
service is set to be a feature of cyber business for a long time to
come, even if only as a periodic irritant. It is a bit like kids
emptying rubbish bins in the doorway of a shop they don't like. It
is easy for the kids to do, and is a nuisance for shop staff to
clean up.
Ways to minimise denial of service attacks have been well known
for many years. Even though each generation of technology brings
new bugs, the basic protection principles are well established.
Prevention examples include defensive settings on firewalls,
routers and servers - such as quickly dropping incoming messages
that have no origin addresses - and keeping up to date with patches
designed to fix system weaknesses.
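
The source-address check described above, sketched as an added example (not code from the article or from any firewall product). It goes beyond "no origin address" to other origins that can never be legitimate on an external interface; the function names and the inside network 192.0.2.0/24 are assumptions chosen for illustration.

```python
import ipaddress
import struct
from collections import Counter

def build_ipv4_header(src: str, dst: str) -> bytes:
    """Constructed sample input: a bare 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 17, 0,   # version/IHL, TOS, length, id, frag, TTL, UDP, checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )

def source_verdict(packet: bytes, inside_net: str = "192.0.2.0/24") -> str:
    """Verdict for a packet arriving on the external interface.

    inside_net is an assumed internal range: a packet from outside that
    claims an internal origin is forged.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop:malformed"
    src = ipaddress.IPv4Address(packet[12:16])   # source address field of the header
    if src in ipaddress.ip_network("0.0.0.0/8"):
        return "drop:no-origin"                  # unspecified origin, the article's case
    if src.is_loopback or src.is_multicast or int(src) == 0xFFFFFFFF:
        return "drop:invalid-origin"             # can never be a real sender
    if src in ipaddress.ip_network(inside_net):
        return "drop:spoofed-internal"
    return "accept"

def summarize(packets) -> Counter:
    """Tally verdicts so that a burst of dropped origins stands out in the logs."""
    return Counter(source_verdict(p) for p in packets)

if __name__ == "__main__":
    # Constructed traffic sample, destination is an assumed web server.
    sample = [build_ipv4_header(s, "192.0.2.80")
              for s in ("0.0.0.0", "127.0.0.1", "192.0.2.10", "198.51.100.7")]
    for verdict, count in summarize(sample).items():
        print(verdict, count)
```
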
Detection and response examples include capturing traffic as
evidence and calling your local high-tech crime unit, which can direct
you to rapid response organisations.
Trojan infection is also an increasingly used criminal attack.
As the name implies, a Trojan, or logic bomb, is malicious software
planted in a system. The software is capable of perpetrating no end
of trouble, but current examples are used to either steal
information like passwords or bank details, or to support denial of
service attacks. As the following examples illustrate, criminal
intent is now commonplace.
Defeating the Trojans
A former computer operator from a US stockbroker was convicted
in 2003 for trying to manipulate the broker's stock price by
crippling its systems.
The operator sent a logic bomb to 1,000 PCs after he purchased
share options that would profit when the broker's share price fell.
The broker claimed £1.7m as the cost of cleaning up its
systems.
Ways of minimising Trojan attacks are well known. Preventative
measures include avoiding free software, loading anti-virus and
anti-spyware tools, and educating staff. Detection and response examples
include isolating network segments and reinstalling back-up copies
of systems.
Criminal intent is now commonplace in the cyber world. However,
there is little excuse for becoming a significant victim. Both
denial of service and Trojan attacks can often be prevented with
common sense measures like deleting unsolicited e-mails, or
accounts.
We have not yet reached the same stage as ATM cards, where
careless use of a PIN code will gain little sympathy. However, we
are fast approaching the day when a court will decline to award
damages because simple safety procedures were not followed.
Examples of safety failures might include not keeping logs, not
using ethical hackers, or not promptly calling the computer
forensic teams. The criminals may still be convicted, but
contributory negligence may reduce damage awards.
Antony Smyth is a partner at Ernst & Young's information
security group