
Today in Finance for November 15, 2007


Insecure About Security

The technology to combat computer hackers is improving, but the most potent weapon is still the individual company's adherence to best practices.

November 15, 2007

It's every CFO's nightmare. A fax comes in containing a thinly veiled threat: "You have a breach in your security system and you need to hire us to fix it." People typically ignore the fax until a second and then perhaps a third message comes — this time with a sample report of credit card numbers, says Gene Fay, a vice president at RSA Security Inc., the security division of storage giant EMC. The threat becomes stark: "You need to pay us or we'll post all these numbers to a website." If the company opts to pay, the hacking rarely gets reported. If they try to fight and find the perpetrators, they may step into a murky world of organized crime.

Reports about major companies' networks getting hacked are becoming frighteningly commonplace. The hacking has evolved from a kid defacing a Website five or six years ago to organized crime groups realizing there is big money to be made from stealing a company's sensitive customer information. Security experts say that in Russia, for example, loose law enforcement is motivating computer programmers to design malware that can be used by cybercriminals to steal credit card and social security numbers and sell the information on the black market.

Database hacking is not limited to any particular region. "It's a transborder data flow problem, which means the thefts and attack strategies quickly move from jurisdiction to jurisdiction, so the applicability of the laws is difficult to discern," says Andrew Walls, a research director with Gartner Group in Melbourne. But Asia is becoming a particular target, in part because of the philosophy of trust that companies in this region tend to nurture. "We're seeing a trend of information being scanned and looked at more on the Asian market, which we believe will result in more hacking into systems, because the people doing the penetration testing or identification of vulnerabilities are going to see them as easier opportunities," says Doug Howard, chief operating officer of BT Counterpane, a managed security company in the United States.

Companies in Asia that are only now starting to open their businesses to the outside world are especially vulnerable. When Techcombank decided to become the first bank in Vietnam to provide customer Internet banking services, officials knew standard passwords wouldn't be enough for database protection because of the hackers' aggressive techniques. The bank chose RSA's Two-Factor Authentication (2FA) key token system for user authentication. When customers first register for the Internet service, they are given the token key, a user ID and user guide. The password they create combined with the token key becomes their login password. Their account will be locked if one or both passwords are entered incorrectly.

Focus on Best Practice

The good news is that the tools to combat hackers have become more sophisticated, allowing companies to home in at a very granular level. The bad news is that hackers are rapidly working out what exactly those tools are. That is why companies must recognize that technology in and of itself will not prevent network attacks, security experts say. First and foremost, they must have the fundamentals in place.

"If you've got weak passwords and [there are worms or Trojans] in Web-based applications, hackers will gain access to back-end databases," says Johannes Ullrich, chief research officer at the SANS Institute, which provides information security training and certification. "Companies often fail to apply patches or use strong passwords or ensure that the code they write internally is secure, because it's too time-intensive."

But before a company can assess whether a specific data request going against a database is appropriate or not, it must have a benchmark against which to judge that activity. "You have to do the hard, boring work of defining your business processes and how those business processes should be segmented," emphasizes Walls from Gartner, adding that "99 percent of the time you can defeat a probable security attack by designing your business processes better."

BT Counterpane's Howard warns that simply deploying an event management or perimeter security tool will "either add no value because it's not configured properly — or it will disable all the things that were working properly in your business." When implemented correctly, event monitoring tools let companies decide whether to give access to different levels of users, and also give the option of shutting them out from, say, midnight to 3 a.m., when the chances of getting hacked are greater.

Sasan Hamidi understands the importance of being methodical when it comes to making security systems work for the business. The chief information security officer of U.S.-based Interval International, a vacation exchange network, says that as the company began building a security infrastructure, officials established specific policies and procedures about who can access what systems. In addition to network-based intrusion detection systems (IDS), host-based intrusion systems and firewalls, Hamidi deployed nFX SIM One, a security information management system from netForensics. His IT group set up certain thresholds so the system knows what types of behaviors to look for, ensuring that staff isn't inundated with alerts.
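The two controls described above, a midnight-to-3 a.m. lockout by user level and a threshold that keeps alert volume manageable, can be sketched as follows. This is an added example, not code from the article or from any product it names; the log format, the role names, and the threshold and window values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed policy values; the article gives only the midnight-to-3 a.m. window.
BLOCK_START, BLOCK_END = time(0, 0), time(3, 0)
EXEMPT_ROLES = {"dba_oncall"}          # hypothetical role allowed off-hours
FAIL_THRESHOLD = 3                     # failed logins ...
FAIL_WINDOW = timedelta(minutes=5)     # ... within this sliding window

# Constructed sample events, one per line: "timestamp user role result"
SAMPLE_LOG = """\
2007-11-15T00:41:07 jsmith clerk OK
2007-11-15T01:02:10 mlee dba_oncall OK
2007-11-15T09:15:00 akhan clerk FAIL
2007-11-15T09:15:20 akhan clerk FAIL
2007-11-15T09:15:41 akhan clerk FAIL
2007-11-15T09:15:55 akhan clerk FAIL
2007-11-15T09:30:00 jsmith clerk FAIL
2007-11-15T14:00:00 jsmith clerk OK
"""

def evaluate(log_text):
    """Return (denied, alerts): off-hours denials and threshold alerts."""
    denied, alerts = [], []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    alerted = set()                     # users already alerted in this burst
    for line in log_text.splitlines():
        ts_raw, user, role, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        # Rule 1: time-of-day lockout for roles with no off-hours need.
        if BLOCK_START <= ts.time() < BLOCK_END and role not in EXEMPT_ROLES:
            denied.append((ts.isoformat(), user))
            continue
        if result != "FAIL":
            continue
        # Rule 2: one alert per burst once failures cross the threshold.
        q = recent_fails[user]
        q.append(ts)
        while q and ts - q[0] > FAIL_WINDOW:
            q.popleft()
        if len(q) < FAIL_THRESHOLD:
            alerted.discard(user)       # burst is over; re-arm the alert
        elif user not in alerted:
            alerted.add(user)
            alerts.append((ts.isoformat(), user, len(q)))
    return denied, alerts

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

On the constructed log, the four rapid failures for one user yield a single alert rather than four, and the isolated failure yields none.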

