Information Systems Audit and Control Association
Excerpt from a recent Deloitte & Touche Client Advisory:
"A Response to Recent Cyber Attacks"
by Shayne Gregg, CA (NZ), CISA, CMC
As many of us are probably aware, there is a current spate of attacks underway against major e-business organizations on the Internet. Authorities are not sure where, or from which country, these attacks originate, but the attacks do appear to be automated and well organized. This advisory is to inform you of the real issues (as opposed to the media hype).
First, the issue. The type of attack underway is known as a "distributed denial of service" attack (or "DDoS attack"). This is one of several hundred methods available to hackers to explore and exploit weaknesses in a company's Internet site. The method involves bombarding the web site with packets of information similar in nature to the requests that legitimate users would send. These attacks are usually performed via a series of compromised staging sites, which disguises the origin of the attack and preserves the anonymity of the hacker.
In most cases, the web site under attack cannot handle the volume of information and will react in one of several ways. It will either shut down under the strain; stay up but become inaccessible to legitimate users; or (worst case scenario) the defense mechanisms of the site break down, allowing the hackers complete access to the site and potentially the corporate networks behind it. In most cases, disruption is highly likely. This has been an isolated problem for our clients who have used the Internet for many years now.
Why would someone do this? This is the subject of psychological speculation, but in most cases the reasons include revenge, boredom, media attention, demonstration of vulnerabilities to the company, peer recognition, blackmail or even corporate espionage. So what can your organization do to avoid becoming an innocent victim, either as the subject of an attack or, worse, as a staging site for more widespread attacks? Companies that are serious about e-business should have a number of mechanisms in place to prevent or deter these attacks. These mechanisms include the following:
- Switch on audit logs for all key servers - when efficiently and effectively configured, these logs will provide adequate information to identify and investigate any problems.
- Implement properly designed firewalls - these can track all traffic in and out of the site, logging and inspecting every packet of information to ensure its legitimacy.
- Install intrusion detection software - if properly configured, this software will quickly identify known patterns of attack and immediately shut out only the attacker, while sounding the appropriate alarms.
- Hire the right people - make sure your technical personnel completely understand the issues, the technologies and the solutions.
- Test defenses regularly - the rapid rate of change in both the technology area and the hacking community means you must test your own defenses on a regular basis.
- Design the network to isolate attacks - if the worst happens and the hacker gets inside, appropriate network configuration, firewalls and other tools will ensure any damage the hacker could cause is isolated to a small area.
- Have an incident response plan - identifying, reacting to and resolving the problem immediately is the real business dilemma. Most organizations implement the right preventative measures, but do not prepare and train for the worst.
- Focus on preventative measures - swift, large-volume, automated attacks require sophisticated, automated defense mechanisms. Identifying a problem an hour later and then trying to trace and resolve it is not an option.
- Keep all software up to date - implementing all security fixes and patches as they are released will go a long way to reducing your vulnerability to these attacks.
- Gather evidence - understanding how to identify, gather and manage legal evidence to ensure the appropriate legal action can be taken against a hacker should be a key element of your defense system design.
- Educate - constant awareness and updating of knowledge is the best defense to any attack.
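The audit-log and intrusion-detection items above, and the distributed nature of the attack described earlier, can be illustrated with a small rate detector over web-server access logs. This is an added example, not code from the advisory or from Deloitte & Touche; the window size, thresholds and log lines are assumed, constructed values. It flags windows whose request total is abnormal and shows why "shut out only the attacker" is hard in a DDoS: the staging sites can each stay under any per-source limit while their aggregate still floods the site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix: client IP, then the timestamp in square brackets.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (unix_time, client_ip), or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(2), TS_FMT).timestamp(), m.group(1)

def detect_floods(lines, window=10, per_source_limit=5, total_limit=12):
    """Bucket requests into fixed windows of `window` seconds and flag any
    window whose total exceeds total_limit (assumed thresholds, tuned per
    site). Sources above per_source_limit could be shut out individually;
    a flagged window with none is the distributed case: no one source stands
    out, so per-source blocking alone will not stop the flood."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip = parsed
            buckets[int(ts // window) * window][ip] += 1
    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        if total <= total_limit:
            continue
        noisy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        alerts.append({"window_start": start, "total": total,
                       "sources": len(counts), "blockable": noisy,
                       "distributed": not noisy})
    return alerts

def _line(ip, second):
    return f'{ip} - - [09/Feb/2000:10:00:{second:02d} +0000] "GET / HTTP/1.0" 200 512'

# Constructed sample log: 10:00:00-09 is normal traffic from three clients,
# 10:00:10-19 is one loud host, 10:00:20-29 is fifteen staging hosts sending
# one request each, which no per-source rule can pin on a single attacker.
SAMPLE_LOG = ([_line("10.0.0.1", s) for s in (0, 3, 6)]
              + [_line("10.0.0.2", 4), _line("10.0.0.3", 7)]
              + [_line("192.0.2.9", 10 + s % 10) for s in range(15)]
              + [_line(f"198.51.100.{i}", 20 + i % 10) for i in range(15)])
```

Running `detect_floods(SAMPLE_LOG)` yields two alerts: the second window names one blockable source, while the third is flagged as distributed with fifteen sources and nothing to block.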
It is surprising how many companies have not implemented any of these activities. But even if you implement them all correctly, you may still not be able to guarantee 100% security - at least not as long as human error is a factor. That's the nature of doing e-business today. What you can guarantee is that the hacker will quickly tire of attempting to break down your company's defenses and move on to the next poorly protected site. Create a "path of least resistance" to another site and increase the cost of the hacker "doing business" on your site!
What these incidents will prove, however, is that on the Internet, 99% secure is the same as 100% vulnerable. Such incidents will not go away anytime soon. They will expose the most apathetic companies. And they will likely highlight the issue of abdicating the problem to under-staffed, poorly-funded law enforcement agencies. The best skillsets to solve this problem exist within the technology vendor community, within security advisors such as Deloitte & Touche, but most appropriately, within your own organization. However, they also exist within the hacking community - it just depends on which side of the law you wish to work.
Copyright © 2001 Information Systems Audit and Control Association®. All rights reserved.