Criminal hacking is on the rise and threatening the security of domestic and international business, but firms must be careful that their own negligence does not contribute to the problem.
Even the general public is wising up due to news reports, such as the attempt in January by criminal gangs to extort money when Milliondollarhomepage.com was hacked using a distributed denial of service attack.
A distributed denial of service attack is one in which computer hacking tools are used to flood a website with traffic, causing it to respond slowly or crash. These types of attacks are on the rise and all businesses are vulnerable, from the smallest firms that depend on their phone systems to the largest and best-equipped multinationals - even the likes of Microsoft have fallen victim to hacker attacks.
There are endless ways in which cyber attacks can occur. A denial of service attack, like the Milliondollarhomepage example, is nothing more than a modern version of a protection racket. The proposition is "Pay me or I will hit you".
Don't stay in denial
Denial of service attacks are hard to prevent because the attacker can be anywhere in the world. The primary means of protection and response is to identify the attacking computer, initially divert the traffic coming from it, and then shut it down. Many commercial services are available to assist with this.
Unfortunately, a denial of service attack is fairly cheap to perpetrate, but can have expensive consequences. So denial of service is set to be a feature of cyber business for a long time to come, even if only as a periodic irritant. It is a bit like kids emptying rubbish bins in the doorway of a shop they don't like. It is easy for the kids to do, and is a nuisance for shop staff to clean up.
Ways to minimise denial of service attacks have been well known for many years. Even though each generation of technology brings new bugs, the basic protection principles are well established.
Prevention examples include defensive settings on firewalls, routers and servers - such as quickly dropping incoming messages that have no origin addresses - and keeping up to date with patches designed to fix system weaknesses.
Detection and response examples include capturing evidence traffic and calling your local high-tech crime unit who can direct you to rapid response organisations.
Trojan infection is also an increasingly common form of criminal attack. As the name implies, a Trojan, or logic bomb, is malicious software planted in a system. The software is capable of perpetrating no end of trouble, but current examples are used either to steal information such as passwords or bank details, or to support denial of service attacks. As the following examples illustrate, criminal intent is now commonplace.
Defeating the Trojans
A former computer operator from a US stockbroker was convicted in 2003 for trying to manipulate the broker's stock price by crippling its systems.
The operator sent a logic bomb to 1,000 PCs after he purchased share options that would profit when the broker's share price fell. The broker claimed £1.7m as the cost of cleaning up its systems.
Ways of minimising Trojan attacks are well known. Preventative measures include avoiding free software, loading anti-virus and spyware tools, and educating staff. Detection and response examples include isolating network segments and reinstalling back-up copies of systems.
Criminal intent is now commonplace in the cyber world. However, there is little excuse for becoming a significant victim. Both denial of service and Trojan attacks can often be prevented with common-sense measures like deleting unsolicited e-mails, or accounts.
We have not yet reached the same stage as ATM cards, where careless use of a PIN code will gain little sympathy. However, we are fast approaching the day when a court will decline to award damages because simple safety procedures were not followed.
Examples of safety failures might include not keeping logs, not using ethical hackers, or not promptly calling the computer forensic teams. The criminals may still be convicted, but contributory negligence may reduce damage awards.
Antony Smyth is a partner at Ernst & Young's information security group
This was first published in March 2006