The largest criminal Internet attack ever was uncovered in March by the National Infrastructure Protection Centre (NIPC) – www.nipc.gov – in the United States.
At first estimate over 40 major e-commerce systems have been breached with customer information stolen and credit cards of up to one million customers compromised. The fact that financial e-commerce sites have been singled out and actually breached is worrying as we would expect them to be secured.
From our experience, many companies in New Zealand are vulnerable to the same sort of attack. It doesn’t take highly skilled hacker to exploit weaknesses in these systems but once the hole is found, the amount and extent of information that can be gleaned illegally is mammoth.
The latest attack was targeted at e-commerce and e-finance/banking companies.
The techniques and exploits these hackers from Eastern Europe have been using are well documented and extremely straightforward. While these exploits are utilising holes in the actual software, these are old vulnerabilities for which patches were issued as far back as 1998.
Sadly there are lot of systems out there that have not been patched correctly, or at all. There’s also huge number of tools available for free on the Internet which allow non-technical or low-skilled computer users to identify and exploit these holes with little idea of what they are actually doing. Common weaknesses include:
? lack of formal process for identifying and managing technology related risks (such as security holes, attempts at penetration, viruses etc being increasingly referred to as “malware”).
? Poorly configured and maintained environments including firewalls, routers and operating systems.
? No ability to detect, identify, and quantify security incident or suspected incident.
Lack of awareness
The really frightening thing is that most of the affected companies probably have no idea they have been breached and the first they will hear is when the NIPC contacts them or the hacker group themselves gets in touch to let them know they have been breached.
The fact is security is moving target which companies have to monitor regularly and apply patches and fixes from software vendors to ensure holes do not open through time and that new weaknesses are addressed on timely basis.
On positive note, the Centre for Internet Security (http://www.cisecurity.org), has released tool called PatchWorks that tests Windows NT systems to determine whether the FBI’s list of necessary patches are in place; points directly to the patches on Microsoft’s site if they are not; and retests to be certain they were installed correctly.
PatchWorks also attempts to determine whether systems have been compromised by checking for telltale files. The centre is not-for-profit consortium of 150 user organisations from 14 countries that jointly develop consensus on the priority of cyber threats and work together to forge tools to counter those threats. http://www.cisecurity.org/patchwork.html
Jan Smolnicki is partner, global risk management for PricewaterhouseCoopers and is based in Wellington: Email [email protected]