What will it take to convince companies that there is no option but to test their network security regularly for vulnerabilities?
And the problem is not going to go away. Criminals want to test their skills, and soon want fresh challenges and bigger companies to hack, causing more havoc. It is alarming how many South African companies and government departments have either been hacked repeatedly, are not aware of it, or have been warned that they have exploitable vulnerabilities and have done nothing about it.
There are many ISPs who have suffered repeated defacements of their clients' sites or had multiple bogus pages posted by attackers on their shared servers, and yet have not encouraged their clients to improve their security.
Hiding from security vulnerabilities will not make them go away. Other hackers wanting to demonstrate their skill will repeat the attacks, particularly those posted on defacement mirrors. The danger for companies that are not aware they have been, or will be, hacked is that they will not be aware of the subsequent criminal use to which their computer systems could be put.
A recent article published in the UK indicated that the number of computer systems now employed in so-called bot networks has increased by 60% over the past 12 months. Bot networks are made up of computers belonging to reputable companies or home users that have been compromised by attackers and then used in Denial of Service (DoS) attacks against other companies, or for further hacking. Millions of vulnerable machines worldwide are being employed in this way.
A newly emerging trend is for criminals to threaten companies with disabling their online systems if their demands for money are not met. Alternatively, extortion is attempted by threatening to expose confidential information or to divulge other sensitive documents.
Would you know whether any of your machines have been compromised in this way? I have spoken to a number of large and listed South African companies who do have the problem and are not aware of it. They are under the impression that their security is quite adequate.
Thin end of the wedge
If a company did not even notice a simple defacement, how can it say it has not had data stolen, or that its machines are not being used to deliver illegal or otherwise undesirable material or to relay spam? Since company directors can now be held responsible for misuse of their IT systems from either internal or external sources, it is important for them to demonstrate that they have taken reasonable steps to prevent such abuse. Ignorance is no longer an excuse.
If companies do not test their systems, they will never know their actual level of security. Until they are held liable, or suffer financial loss through system outages, theft or disclosure of information, they will not act.
Test or be tested
So how can companies defend their assets? It is not necessary to keep buying more hardware or software. Products are not the answer; diligence and good housekeeping are.
Establish a security policy that details which assets need to be protected and how the company intends to protect them, then prove that the measures are effective through independent testing. Make sure that sensitive data is encrypted, and train all staff to be aware of the risks and sources of security breaches. Do not overlook social engineering: it is simpler to be given information than to steal it.
It is also worth noting that the threat exists just as much internally. The disgruntled middle manager who was passed over for promotion, or the salesperson who has been made an offer by a competitor, may be a greater risk than the 16-year-old hacker operating from their bedroom.
IS Digital Networks MD, Barry Cribb
For more information contact Barry Cribb, IS Digital Networks, 011 234 9536.