Pacific Magazine > Magazine > January 1, 2004

Telecommunications

A Computer Attack... Trivial Or Not?

Why you should be prepared


The Internet's capabilities and today's rapid information transfer rates enable many companies to have services distributed throughout the world. Not surprisingly, the Pacific Islands region is increasingly depending on the Internet as part of the critical infrastructure for its distributed businesses.

This critical infrastructure is the backbone of many services, including government and the online tourism and gaming industries, with the latter promising to be huge revenue generators for governments and service providers. While these online markets help inject money into the region, the slightest compromise in the security of the infrastructure can seriously disrupt a business, government services or a small nation's economy.


Many organisations may believe they are not a target for hackers: "I have nothing of interest; I only provide on-line hotel bookings". However, after many years of providing information security services, Electronic Warfare Associates Australia has found that in most incidents the intended target was not the company itself. Instead, the attacker used the company's assets to direct attacks at other targets or to host illegal software, music, or pornography. In many cases, it became evident that the attacker did not even know which system they had compromised: it was merely a soft target IP address to use.

As with any good military action, a successful offensive operation exploits the weakest part of the intended target's defence. Seasoned attackers seek out companies' regional sites since there is a perception that, because they are regional or may have a low security budget, their information security is overlooked. Exploiting these sites can provide the backdoor into the company's trusted network.

The website www.zone-h.com lists reported attacks by hackers (not all attacks, as some hackers don't boast about their recent successes). This site indicates that in Australia, more than 100 websites may be hacked over a weekend. A perusal of this list reveals many hacked sites do not appear to be targets of interest in themselves, but merely a route to more fruitful pickings.

While these website attacks may not appear to be significant, there are always soft costs in recovering, and these attacks may indicate that the web server was vulnerable and that others may have exploited this vulnerability and gained access to the system. It may have been done by someone not boasting.

An attack on your system may not be immediately obvious. However, it may become evident later due to:

  • An increased telephone/ISP bill, if you pay by Internet byte usage: you will now be billed for the attacker's usage as well.
  • Your help-desk receiving complaints that customers are unable to access services.
  • Other organisations blocking your IP address range if they notice attacks originating from you, resulting in a denial of service (DoS).
  • Private information related to your clients appearing on a website.
  • A knock on the door from law enforcement officers, with a warrant to seize computers for forensics due to hosting illegal software.

Some costs may be obvious, others less so:

  • Increased ISP costs.
  • Loss of business: for example if your on-line booking system was unavailable, customers may go to another site that is functioning.
  • Down time due to cleaning up your system if attackers used them to host illegal software, images, or music.
  • Battles with ISPs over responsibility for increased Internet usage charges, or loss of consumer confidence.
  • Legal action: for example, many countries like Vanuatu have enacted comprehensive legislation to cover online gaming. What if your organisation breached this legislation?
  • Loss of customer confidence. For example, if an ISP server contains a vulnerability allowing attackers to exploit the server, an attacker can deface 10-20 different websites in one go. The public are unaware that the defaced website is hosted at an ISP, therefore the organisation loses customer confidence, and the organisations lose confidence in the ISP as a hosting provider.

Consider the recent (October 2003) cost to Australia's Telstra because of the W32.Swen.A or gibe.c worm. Because Telstra users' emails were delayed for up to several days before being sent, Telstra credited their customers with a two-week credit on their accounts. This attempt to retain consumer confidence cost Telstra $25 million (Source: The Australian, October 17, 2003). Other businesses that suffered due to the delayed emails would also be counting the cost.

Given that the risks associated with the Internet are greater than in any other network environment, critical infrastructure owners need to ensure that, as a minimum, they understand and have conducted a threat and risk assessment, have an ongoing security commitment, and a Business Continuity Plan.

Recognising that no security solution is absolute, a company's security practices should aim to minimise:

  • the probability of a risk event occurring,
  • the severity of a risk event when one does occur, and
  • the impact to customers and the core business.

A threat and risk assessment would identify where and how a system is vulnerable. This would assist an organisation to develop their ongoing security commitment that may include features such as:

  • continually and proactively hardening networks, servers and personal computers,
  • taking pre-emptive measures in an effort to mitigate the risks of a security event, and
  • following industry-accepted guidelines found within resources such as the ISO 17799 and the Systems Security Engineering - Capability Maturity Model (ISO 21827:2002).

Your ability to anticipate and quickly recover from a disaster while continuing operations is critical to your success. This is particularly important for companies that use or offer critical communications infrastructure services. These requirements dictate a high priority for maintaining network integrity and preparing for the unexpected, both with respect to internal systems and networks and the services provided to your customers.

However, should unforeseeable service interruptions occur, you need to have in place a Business Continuity Plan to maintain dependable internal operations and continuity of service for customers. You should have strategic plans designed to incorporate pro-active measures that minimise service interruptions and the ability to react quickly to a variety of events such as large-scale power outages, key mechanical and electronic or optical component failures, incidents involving hazardous materials or conditions, natural disasters, terrorist attacks, and cyber crimes. The dependence upon the Internet makes companies in the Pacific region vulnerable to security exploits as the Internet is uncontrolled and insecure.

However, this vulnerability can be reduced by establishing an on-going commitment to security and implementing security best practices including the conduct of a Threat and Risk Assessment and the implementation of Business Continuity measures.

The benefits of being prepared are that it will assist you in maintaining your competitive advantage and reduce financial risk from security threats. In particular, you will be ready to meet all likely contingencies, you are covered from a liability perspective, risks are recognised and treated, and you will be better placed to deal with an industry-wide crisis.

If you would like further information or assistance in the area of information security, contact Dr Mick Millington, Electronic Warfare Associates Pty Ltd - Australia, PO Box 141, O'Connor, Australian Capital Territory 2602; Telephone: +61 2 6230 6833; and website: www.ewa-australia.com
