You might be wondering why this situation seems to be getting worse, and what (if anything) can be done to mitigate this digital crisis. For a better understanding of the current state of cybersecurity, we spoke with tech industry veteran Eric Robichaud, CEO of Woonsocket, R.I.-based 401 Consulting LLC and a highly respected writer and commentator on high-tech business issues.
Q: In view of the cyber attacks that have occurred with greater frequency, is it possible to completely prevent digital miscreants from successfully carrying out such attacks on a company website?
Eric Robichaud: The reality is that you can never stop hacker attempts. Until we eliminate greed and evil from the world, people with ill motives will always try. Therefore the key is to harden security and put counter-measures in place to mitigate risks.
In very broad terms, most “attacks” fall in two camps: infiltration and Denial of Service (DoS). The former is an attempt to gain access into a network in order to steal data or otherwise harm or corrupt it, while the latter refers to attempts to simply “take down” a website by overwhelming it with traffic.
For example, in the case Target’s cyber attack, it was a security breach in which outside hackers infiltrated the network and stole credit card data. That data was then used to create fake credit cards to use as cash, and sold on the black market. That type of cyber criminal work is all about theft and greed. Government and corporate espionage fall within this realm, as well.
The best ways to mitigate these risks are to work with security experts to harden network access via hardware, software and policies. Companies can also consider questions about what data really needs to be stored and retained. For smaller clients, we often recommend that credit card information not be retained after it is processed in real-time so that if a hacker gains access to the server, there’s no critical data there anyway. It’s when a company starts storing and retaining that data that it becomes a gold mine and thus a target for attack.
DoS attacks, however, are a very different animal and in some ways more complicated to deal with. In the case of a DoS attack (as they’re called), the attacker never gains access to the network and never even tries. They merely blast high volumes of data at a website in order to overwhelm it.
This happens in two ways. First, if the volume of incoming requests is high enough, it can make the website server so busy processing all the requests that it backs up. CPU goes to 100% utilization and the server gets into a logjam trying to process a never-ending stream of requests. The server hasn’t even finished processing the first request and four more come in.
The second way a DoS attack can succeed is simply overloading the network itself. Even if the web server has plenty of power to handle all of the traffic, the network itself (the data lines, routers and firewalls) may get too congested with all of the fake traffic and thus prevent “real” customer traffic from flowing, much like a traditional traffic jam on a highway.
In the early days of DoS attacks, the solution was fairly simple – big, fast routers could be installed that would simply ignore (i.e. filter out) any traffic coming from the offender. When a DoS attack occurred, the network administrators would figure out where it’s coming from and then setup filter to ignore the traffic, making the router act like a force-field keeping the traffic from reaching the target network.
In order to both hide the attacker’s tracks and make filtering more difficult, evil minds concocted the Distributed Denial of Service (DDoS) attack. In this case, the attacker enlists thousands of different servers to all open the virtual firehouse of traffic aimed at the target server. This makes it much more complicated to filter out the offending sender because now it’s coming from all sides. To combat this evolving threat, firewalls and security hardware appliances have evolved as well and become much more sophisticated.
One common question we hear is: how does an attacker get their hands on thousands of computers to initiate a DDoS attack in the first place? The reality is that attackers use malware (viruses, Trojan Horses, etc.) to infect desktop computers. You know that anti-virus software that is installed on your Windows desktop computer? This is what it protects against. Some of the more common malware is actually software that installs itself onto a desktop Windows computer in stealth mode, hiding behind the scenes, and then secretly connecting back to a centralized server to get further instructions like a hypnotized soldier.
These desktop machines are sometimes called “zombies” or “bots” and together form a huge “bot net.” They lay in wait while the attacker amasses and army of hundreds of thousands of infected machines, and then one day issues the “kill” command to wake up the entire bot net and have every machine start blasting one target server with website requests.
The end user typically sees their computer bogging down and getting slow, and doesn’t understand why – they have no idea that their computer is secretly processing tons of network data. Their own Internet access will slow to a crawl, and the computer can become maddeningly slow.
Security experts will use forensic diagnostics to attempt to capture an active zombie PC and track it back to the owner and take down the controller, akin to cutting the head off a snake. Microsoft has teamed with government and private sector security experts to take down several massive botnets over the past few years. Thus, the approach is three-fold: protect individual desktop machines from being infected, protect target servers with better firewalls and security appliances, and go after the botnet controllers.
Q: Cyber attacks inevitably rattle the confidence of people that rely on the websites that are under siege. How can companies successfully assure people that their sites are secure?
Eric Robichaud: Large, public corporations such as banks and pharmaceutical companies, government agencies, and so forth employ entire security teams to combat these issues. But what can a smaller business do?
The answers here can get quite complex depending on unique circumstances, but the basic high-level answer is to install an advanced network security appliance with intrusion prevention capabilities such as a SonicWall or Cisco PIX device, and establish a communication channel with your upstream internet provider so that you have an escalation number to call in the event of an emergency where you may need filtering help upstream, before the offending traffic reaches your own network.
Another good step would be a “social engineering” approach of making it clear in the appropriate technical spaces within a website that credit card and confidential financial information are not retained (assuming this is true, of course), to deter attackers from even considering the site. This is akin to putting the home security sticker in your window – a thief may not know for sure that you really have one, but it’s easier to not take the chance and simply skip that house and move to the next one on the block that doesn’t indicate an alarm is present.
Attackers won’t waste time and effort on a site if there’s no golden prize to be had.
In terms of handling attacks, it’s important for companies to quickly disseminate truthful and accurate information to their customers, so that misinformation does not fill the vacuum. This “information” should include a bit of education. For example, in the case of a DoS attack, it would be important to relay that people overloaded the network with traffic so that the servers were not accessible from the outside world, but at no time was any security actually breached and intruders never penetrated the network nor ever had any access to data.
Q: Microsoft announced that it will no longer support Windows XP, which is still used by many companies. Should companies running Windows XP be afraid that they will be vulnerable to attack?
Eric Robichaud: Absolutely! Ending support for Windows XP does not just mean that future products may or may not be compatible – it means Microsoft is no longer spending resources patching security holes. Any new security loopholes found in the operating system will never be fixed.
Over time, these systems will continue to become less and less secure, posing huge security risks for corporation. And at this point, the technology is getting so outdated that companies are losing productivity by clinging on. It will be far more productive and cost-effective to upgrade to a current, supported OS.
Q: In your opinion, why hasn’t the high-tech world successfully been able to get cyber attacks under control?
Eric Robichaud: Because there is no solution. Why do banks get robbed? Aside from the classic “because that’s where the money is” answer, it’s because the world will always have greed and evil. No matter how many police we put on the streets, laws we pass, or rules we enforce, there will always be someone trying to game the system.
In the same way, there will always be criminals looking to exploit the holes, thrill-seekers looking to take down sites just to prove they can, and political movements looking to disrupt the competition. This is a human issue, not a technical one.
401 Consulting is online at www.401consulting.com.
Phil Hall has been (among other things) a United Nations-based radio journalist, the president of a public relations and marketing agency, a financial magazine editor, the author of six books and a horror movie actor. Also, as you will discover, he is not shy about stating his views.