NEWS ANALYSIS: Hack on LG Australia’s website a result of “weak fundamentals": security professionals
- 18 November, 2011 12:41
The hack on LG Australia’s website in October is wake up call for local business, according to a pair of security professionals.
The technology vendor’s website (lge.com.au) was breached and defaced with a taunting message before it was eventually pulled down, an attack which Lumension security and forensic analyst, Paul Henry, saw on the underlying Web server itself.
“They didn’t necessarily run a SQL injection or any of the more common things that we see being done out there today,” he said.
With people having the tendency to always go for the less expensive solution, Henry saw this as a case of a company “not taking care of the fundamentals for network security” in order to lower costs.
“If, for example, you’re paying $US39 a month, do you really think there is any security involved in that?” Henry asked.
The approach Henry adopts for security is if someone’s content or reputation is of great enough value, “I’m not going to farm that out, I’m going to do it myself and I’m going to do it right.”
In the case of LG, he expects that they farmed out the operation of the site outside their control, and that became a ticking time bomb for the company.
“It’s not a matter of having the right, gold plated, holy grail, gateway solution," Henry said, "but a matter of people skipping on the fundamentals to try to save costs and it bites them every time.”
M86 Asia-Pacific vice-president, Jeremy Hulse, sees the LG website as another victim in the numerous attacks that have occurred in 2011.
“For every website that is openly breached, consider how many hundreds or thousands of other websites are being silently breached and loaded with malicious code,” he said.
He points out that a brazen attack like the one on LG, where someone has openly declared that a website has been breached, is at least "a known fact and can be fixed, while the silent attacks that are undisclosed nor detected can remain there indefinitely", causing damage until cyber criminals decide to move on to another site.
“Of great concern right now is that the volume of high profile breaches are in danger of making us complacent about the risks we face,” Hulse said.
“There seems to be a belief amongst businesses and individuals that being hacked in simply inevitable, no matter what protection they have in place.”
He hopes that people will have the determination to continue to fight the threat, as it was not going to go away and cyber threats will simply “evolve alongside the increasing sophistication of our security protection technology solutions".
Since local attacks such as the one on the LG website have made the threat to local business very real, and Lumension’s Henry advises organisations to re-evaluate how they invest in their online security.
“If the value of your content or reputation is great enough, you really should consider handling security literally yourself,” he said.
“Going out for the lowest bidder is not going to provide you with the highest level of security.”
Henry claims cheaper providers “tend to have to cut costs somewhere", and security is generally the first place where they do it.
His warning extends to move to the Cloud that is happening right now.
“People aren’t moving to the Cloud because it’s the most security, but because it’s going to save them money,” Henry said.
“There will be major issues with the Cloud, and again they’re expected.”
To illustrate his point, Henry has been hosting his own site for many years.
When looking at the economics, it was cheaper for "to reduce the value of the content he had on the website and to farm it out" to a third party provider.
While he admits that it may not be the case for everybody, it is something for businesses and individuals to consider.
“I do a lot of public speaking and training, and I became a very valuable target for the bad guys,” Henery said.
“It’s a nice notch on the belt to take out the speaker, and what I found was by eliminating the interactivity on my blog, there’s a less chance for harm.”
In the event that his website suffers a defacement, Henry has the ability to wipe and reinstall the website every 30 minutes, if needed.
M86’s Hulse advises that Australian companies should follow easily available and published best practices for website security to ensure that their own website doesn’t get breached.
“Regular testing of the website is also recommended to identify possible breaches,” he said.
It is also important that companies ensure their employees don't inadvertently downloading malware from a “known good” website - more than 80 per cent of malware today is found on known legitimate websites.
“With the number of websites registered in the world increasing exponentially, it is not possible to test all websites regularly enough with traditional techniques such as reputation based filtering to reflect a website’s safety at any point in real time,” Hulse warned.
With M86 finding that new malware releases are “breaking away from signature and heuristic based detection methods", the detection rates of malicious code hosted on known "good" websites has at times been seen to be less than 40 per cent using the traditional anti-virus, URL and reputation-based techniques.
Hulse’s advice is that an organisation should supplement the traditional security methods with the latest in Web threat mitigation through the addition of real-time code analysis that checks every Web page accessed through a Web gateway, identifies both known and unknown malware, blocks the malicious code and then delivers a safe page to the user.