What's happened to website security? While hearing about Japanese gaming giants Sony and Nintendo experiencing high profile security breaches was a surprise, hearing that online powerhouses such as Google, Hotmail and Yahoo! were not immune to cyber attacks must have IT specialists worried to some extent.
Companies and individuals have experienced security breaches of varying degrees since the advent of the Internet, such as the relatively recent break-in of then US Republican Vice-Presidential candidate Sarah Palin’s Yahoo! inbox in 2008, but it seems that this year is becoming notorious for the sheer scale and amount of attacks carried out by hacking groups.
The question many people, both IT professionals and the general public, are asking themselves is why this is happening now when systems are supposed to be stable and secure, and not years ago when the Internet was seemingly still in its infancy.
“There are many reasons why breaches have become a problem recently, though it's difficult to pinpoint why the attacks occurred exactly,” Content Security Pty Ltd security solutions and services director, Louis Abdilla, said.
“For example, the attack on Sony was ostensibly as revenge for their decision to prosecute [hacker] George Hotz, but there were claims that credit card numbers from Sony were being sold later. So is the motive hacktivism or money?”
Abdilla said the biggest reason for the increase in cyber attacks is connected to individuals mistakenly thinking that hacktivism is a legitimate form of protest rather than a crime, which started to gain momentum around the time the “Anonymous” hacking outfit attacked the Australian Prime Minister's web site last year in protest against Internet filtering.
While some cyber attacks have been framed as acts of hacktivism, others have not been as sincere in their motives, and it’s those types of attacks that Southern Cross general manager of consulting services, Ashutosh Kapse, said are the most dangerous.
“In the past, attacks were mainly perpetrated by ‘script kiddies’, people trying to prove a point or claim some bragging rights,” Kapse said.
“However, recently we have seen attackers who are motivated by commercial gain and money, so the attacks are more targeted and perpetrated by highly motivated criminal groups that have large amounts of money, skills and other resources needed to carry out complex technological attacks.”
With the proliferation of point-and-click tools which require no skill beyond basic computer literacy and a seemingly limitless number of tutorials available online, it has reached the point where almost anyone with a computer and an Internet connection is able to hack.
Hostile online environment
When companies such as Sony and Google that possess significant cash flows, infrastructure and IT know-how are not immune to security attacks, the question many Australian and New Zealand businesses must be asking themselves is whether they are safe in this increasingly hostile online environment.
“There could be dozens or hundreds of small Australian businesses out there who have been hacked, and haven’t told their customers,” Abdilla said.
“Or it could be just Lush, the only high profile Australian hack in the past year or so, but it's hard to say because Australia doesn't have mandatory disclosure laws.”
While Abdilla concedes that Australian small businesses are less likely to be targets of hacktivism or “digital protests”, they are far more likely to be the target and victim of a cyber crime, as cyber criminals tend to go after poorly secured small companies for quick money instead of spending a lot of effort attempting to breach a larger organisation’s better protected system.
This is an opinion shared by Kapse, who believes that “attackers are always seeking to maximise their ROI and will go after the path of least resistance. As organisations become more risk aware and secure their networks, attackers will target other low-hanging fruits”.
And for those organisations that are under the belief that they are not worth targeting or don’t store credit cards, Kapse’s warning is simple: “As long as you have customers, there will always be some kind of ‘customer data’ worth targeting. It’s not a question of if but when.”
To ensure that local businesses are secure against any potential attacks, the rule of thumb seems to be to put information far out of reach of the attacker, including keeping as little sensitive data as possible and keeping it as far away from the Internet as possible.
“If all of that’s not possible and clients must have access to their own data online, make sure that they either have the application penetration tested by a reputable consultancy firm that actually tests by hand, rather than just scans for known vulnerabilities,” Abdilla said.
Kapse advises local businesses to not fall into the trap of thinking that technology alone will protect them.
“Before you rush to deploy the next hot piece of security technology, understand that security is more of a visibility problem. If you are serious about security you must be proactive and look at IT governance, risk, compliance with a holistic view.”
Clearly aware of the high profile breaches suffered by its competitors in the gaming industry, Microsoft is continually taking steps to ensure that it won’t be the next victim of a large scale cyber attack.
“The security around our Xbox Live service and member information is our highest priority,” said a Microsoft spokesman when interviewed for this story.
“While we don’t share specific details, we invest considerable resources to preserve network safety and ensure customer information remains secure.”