IT security is constantly changing. Once upon a time, security breaches were about lone individuals overcoming security solutions for political reasons or bragging rights. But as the internet has become increasingly commercialised, security breaches have become more sophisticated, indirect and, above all, financially motivated. “What we’ve seen happen over the last few years for hackers is it’s a lot more about the financial game now,” comments John Dryden, CTO of IT support provider IT Lab. “It’s about what they can gain commercially from an attack.”
However, it’s not just a case of an outsider busting in to swipe some credit card numbers. While an e-tailer is obviously a sizeable target for any attacker, it pays not to forget one of the key tenets of the technological age: big data equals big bucks. “There’s obviously a huge black market for private information,” comments Dryden. The information stored in an enterprise’s database has a very real monetary value – whether it’s sold for illicit purposes such as identity theft or merely passed on to marketing companies who may not be aware of the nature of the information they’re buying, it’s a given that the individual behind an attack will be able to profit from the information they access. “It’s not just credit cards,” he continues. “The size of a user database is almost more important.”
Taking this into account, the importance of protecting against external attacks cannot be overstated. But ascertaining where the real weaknesses and holes in security are means understanding the methods a malicious party uses to gain access, which are often incredibly insidious. “People don’t appreciate that the days of people trying to force their way into your network have gone,” says Dryden.
Security breaches and attacks are in fact often very passive from the perspective of the perpetrator. “Most attacks are initiated from the inside,” says Dryden. This is something the public has begun to latch onto, with even the most technophobic individuals being fairly wise to the threat of trojans and spyware posing as legitimate software, but there are plenty of exploits that many still fail to consider. A common threat is a ‘drive-by attack’. “The user might visit an otherwise innocent website that had malicious code in it,” he says. Without them knowing it, their computer would execute the code and leave them vulnerable, while showing no sign that anything untoward had happened.
While the more tech-savvy of us at this point might be tempted to roll our eyes and put this down to an ignorant individual not carrying out due diligence in avoiding untrustworthy sites, it’s worth bearing in mind that it really isn’t all that straightforward.
“In the old days, it was easy,” says Dryden. “You told people: ‘Don’t go to dodgy sites because you might get infected’.” But the game has changed and if a legitimate site has been compromised, it may be impossible for anyone to know until it’s far too late. One real world example he gives is the homepage of a high profile American football club; just a small piece of malicious code had been inserted without the administrator’s knowledge. As a result, all of the visitors who accessed it during that period were exposed. He explains: “There was nothing wrong with the website; you’d never dream of blocking people from going there, but no one knew the site had been compromised.”
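The compromised-homepage case above turns on one thing: nobody noticed that a script had been added to a page that was otherwise unchanged. A site operator can close that gap by keeping a known-good inventory of the scripts a page is supposed to load and comparing each later fetch against it. The following is an added example, not code from the article or from IT Lab; the two HTML documents are constructed samples, and the injected script URL is a placeholder, not a real indicator.

```python
"""Detect scripts added to a web page since a known-good baseline was recorded.

Added example (not from the article). The parser inventories external
<script src=...> references and SHA-256 hashes of inline script bodies, so
that a later fetch can be diffed against a stored baseline. Sample pages
below are constructed; the 'cdn.example.invalid' host is a placeholder.
"""
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collects external script sources and hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> contents through handle_data
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode("utf-8")).hexdigest())
            self._in_script = False


def inventory(html):
    """Return the script inventory and a whole-page hash for one HTML document."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {
        "external": sorted(set(parser.external)),
        "inline": sorted(set(parser.inline)),
        "page_sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
    }


def audit(baseline_html, current_html):
    """Diff a freshly fetched page against the stored baseline.

    Anything in 'new_external' or 'new_inline' is a script the baseline did
    not contain and should be reviewed before the page is trusted again.
    """
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "page_changed": base["page_sha256"] != cur["page_sha256"],
        "new_external": sorted(set(cur["external"]) - set(base["external"])),
        "new_inline": sorted(set(cur["inline"]) - set(base["inline"])),
    }


# Constructed sample: the page as published by the site's own team.
BASELINE_HTML = """<html><head><title>Club Home</title>
<script src="/static/app.js"></script>
<script>window.siteConfig = {"season": 2024};</script>
</head><body><h1>Welcome</h1></body></html>"""

# Constructed sample: the same page with one external and one inline script
# inserted, mimicking the silent modification described in the article.
COMPROMISED_HTML = """<html><head><title>Club Home</title>
<script src="/static/app.js"></script>
<script>window.siteConfig = {"season": 2024};</script>
<script src="https://cdn.example.invalid/loader.js"></script>
<script>/* injected */ var p = 1;</script>
</head><body><h1>Welcome</h1></body></html>"""


if __name__ == "__main__":
    print(audit(BASELINE_HTML, BASELINE_HTML))
    print(audit(BASELINE_HTML, COMPROMISED_HTML))
```

The baseline must be re-recorded with every legitimate deploy, otherwise the first release after it goes live will alert on the site's own changes; the check is best run from outside the hosting environment so that an attacker who controls the web server cannot also silence the monitor. A Content Security Policy that whitelists script sources limits what an injected tag can do even before the monitor fires.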
Obviously, for a business, this has huge ramifications. Better staff education and a ‘smart browsing’ policy alone aren’t enough to protect a network, as the exploits involved are becoming increasingly subtle. But there are plenty of things an enterprise can be doing to keep itself safe. “I’d always start with a perimeter firewall and what we’d term as next-generation firewalls as an immediate solution,” advises Dryden. Modern firewalls do far more than merely monitor the perimeter and external sites; they inspect every incoming packet of data so that anything suspicious is identified before it reaches the network. Additionally, he recommends that regular penetration tests be conducted, simulating known exploits and evaluating how well the network stands up to malicious attacks.
However, installing a few solutions and slipping back into complacency isn’t anywhere near enough. “You absolutely cannot be 100% protected,” says Dryden. “You can set something up as best you can but without monitoring and constant updating you can still be at risk.” Security needs to be managed and needs full-time attention. Any organisation that would suffer significant losses from a data breach cannot expect to set up some tools in a single day and be covered from then on. He comments, “There isn’t a ‘set it and forget it’ answer to security. It’s never just going to look after itself.”
Unfortunately, security is an arms race and new threats are constantly emerging. “There are several sites you can visit, where you can subscribe to see how many exploits there are and it’s just incredible how many don’t get publicised,” Dryden says. And what may have offered significant protection once, rapidly becomes obsolete as more advanced techniques arise. “Take your eye off it and tomorrow someone could come up with a new exploit,” he says. “I think the best you can do is do it once, do it really well but make sure you go back regularly and revisit.”