© 2000 ZDNet UK

	  Hacker attacks on Web sites have 
	  cost e-businesses millions of pounds. Ignoring the threats could result 
	  in big losses, so companies should take steps to minimise their risks, reports 
	  Paola di Maio 
	
  
  Recent denial of service attacks on some of the most popular sites on the 
	Web have raised security up the e-trade agenda. Last February, hackers temporarily 
	disabled sites at Yahoo, CNN, E*Trade and ZDNet. These types of attack are 
	costing firms millions in capitalisation costs, lost revenues and security 
	upgrades, according to analyst firm Yankee Group.
  London-based security firm mi2g has been studying such attacks for 
	years. It has found plenty of examples. Last spring, hackers disabled systems 
	of the Ministry of Defence and Nato for 48 hours. US hacker MagicFX broke 
	into eBay, the largest online auction site. Guessing passwords, MagicFX managed 
	to access and modify system software, intercept log-in identities and passwords, 
	read users' keystrokes and amend eBay's Web pages.
  On 30 August 1999 the Hackers Unite group accessed Hotmail's systems, causing 
	a big drop in Microsoft's share value. Last September, the United Loan Gunmen 
	(ULG) accessed the Nasdaq stock exchange network. Nasdaq also reported some 
	'hiccups' last month, but has not disclosed details. In January, a group known 
	as East European Syndicate accessed online music vendor CD Universe and tried 
	to blackmail the parent company, eUniverse. The group stole 300,000 credit 
	card numbers and attempted to sell them over the Internet.
  Risk assessment 
  According to mi2g, most security breaches are caused by disgruntled 
	staff who want to damage their current or former employers.
  Some hackers seek financial gain, but most see hacking as an intellectual 
	challenge and are presumably responsible for those attacks that seem pointless 
	to the rest of us. Others can be politically motivated, and express their 
	dissent by disrupting their target's online activities.
  'Our research concludes that 60 percent of attacks 
	take place because of a security breach caused by bribed or angry staff, who 
	disclose details of internal systems to third parties,' said DK Matai, 
	mi2g's founder.
  'Our recommendation is that the first level of precaution 
	is taken within human resources management monitoring dissatisfaction among 
	employees. Solid legal contracts should be in place that emphasise the consequences 
	of security breaches and make clear that the company will pursue the moles 
	with penal action,' he said.
  Cyber attacks can fall into several different categories. These include:

	· Denial of service: Users cannot access sites.
	· Surrogacy: The site address is usurped.
	· Piracy: Data is extracted or manipulated.
	· Hazards: Vital operational information is manipulated to disrupt an
	activity.
  While firms have long been able to insure against the loss of business information, 
	such policies have failed to keep pace with the increasing risk. The proliferation 
	of Internet applications is making business systems increasingly open and 
	vulnerable.
  New categories of risk are appearing that could make businesses lose revenue, 
	and make host organisations liable to third parties for the loss or theft 
	of personal information in their possession. This could include credit card 
	information, medical histories and intellectual property.
  The first step in securing a network is to understand exactly what data is 
	available online, who has access to it, and whether adequate protection is 
	in place.
  The most widely used method of assessing the likelihood and impact of risk 
	exposure addresses three main areas:
	· Prediction: What is the current state of the systems? Where
	are security failures likely, or actually occurring? How effective is the
	security policy?
	· Quantification of impact and prioritisation: What failures
	will cause the most harm? What security risks should be tackled first?
	· Management: What changes are occurring in an organisation's
	risk profile? How is security policy addressing those changes?
  A survey of City of London financial institutions by mi2g found that 
	four in 10 banks are dissatisfied with their current security provisions and 
	that 5.5 percent had been attacked online at least once.
  Some trouble can be avoided by having suitable security policies, and there 
	are a number of IT measures companies can take. 'Firms 
	should regularly review recovery procedures, and maybe keep a unique spare 
	system with a different underlying operating system, so that if the main system 
	is attacked, the spare one kicks in,' said Matai.
  Matai acknowledged this is a very expensive solution. 'This 
	option involves the cost of keeping over 50 percent of your computing resources 
	idle, and not every organisation can afford that,' he said.
  Another step is securing reference clocks. Ensuring that the date and time 
	of systems cannot be changed is an important precaution to avoid interference 
	with accounts.
  High-risk companies should create unique security architectures so that no 
	one knows the whole system design, thus making it difficult to break in.
  There are a number of architectural tricks that can be designed into a system,
	said Matai. These include adding extra layers and what are called 'honey pots':
	relatively visible and easily accessible areas that lure hackers, leading
	them to believe that they are inside a network. However, they trigger alarms
	so administrators know the system is being hacked into.
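
  The alarm side of a honey pot can be shown in a few lines. The Python below is an illustration added to this article, not code from mi2g or ZDNet: a decoy TCP service that nothing legitimate uses, so every connection to it is recorded as an alert. The class and function names, the FTP-style banner and the localhost test visitor are all constructed for the example.

```python
import socket
import threading
import time

class DecoyListener:
    """Decoy TCP service: nobody has a legitimate reason to connect, so every connection is an alert."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 FTP server ready\r\n"):
        self.banner = banner           # constructed banner so the decoy looks like a real service
        self.alerts = []               # in production this would feed syslog or a pager
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))  # port 0: the OS picks a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:
                return                 # listening socket was closed
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    first = conn.recv(256)  # what the visitor tried first
                except OSError:             # timeout or reset: still an alert
                    first = b""
            self.alerts.append({"time": time.time(), "src_ip": peer[0],
                                "src_port": peer[1], "first_bytes": first})

    def wait_for_alerts(self, count=1, timeout=3.0):
        deadline = time.time() + timeout
        while len(self.alerts) < count and time.time() < deadline:
            time.sleep(0.05)
        return list(self.alerts)

def probe(port, payload=b"USER admin\r\n"):
    """Constructed visitor, used only to exercise the decoy on localhost."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(64)
        s.sendall(payload)
    return banner
```

  Because the decoy holds no real data and has no real users, the alert needs no tuning: the source address and the first bytes sent are enough for an administrator to start tracing the visitor.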
  A security policy should also prioritise remedial action and foster strong 
	encryption, interception and pursuit techniques.
  Network and Internet risk management is the combination of legal, technical, 
	personnel and insurance provisions. However, even with proper precautions, 
	eternal vigilance is still required.
  www.mi2g.com
	www.l0pht.com
  SUMMARY 
	· Recent denial of service attacks on leading Web sites have highlighted 
	the vulnerability of e-businesses. 
	· Most security threats emanate from disgruntled staff. 
	· Companies should include stringent security rules in staff handbooks.
	· Safeguards can be designed into systems. These may include hacker
	traps, spare systems, and restricting knowledge of the network.