Interview with Edward Farrell – Hacklabs
The Distribute.IT hacking incident that destroyed the web hosting provider served as a reminder as to just how serious the threat of cyber crime is. Even with what was considered as ‘industry standard’ security measures in place, it still wasn’t enough to protect the data of thousands of customers. In your view, what else could Distribute.IT have done to prevent this attack? [list]
- Distribute.IT was technically pretty solid when it came to security, however there were some small gaps that the hacker was able to exploit.
- The servers that were not recoverable contained the data of ‘brochureware websites’ which caused angst and gave the perception that the organisation was incapable of responding to what took place.
- Although the organisation had responded appropriately from a technical standpoint, their biggest downfall was the public reaction that resulted from the attack, particularly the reaction on Twitter.
- Penetration testing could have assisted in identifying any vulnerabilities and their consequence.
- In doing so, businesses can also evaluate response systems to these potential threats and evaluate the security of their network.
- Backing up plays a role, but only forms a small part of the greater picture. Ongoing appreciation of the threat and how to response appropriately is crucial.
[/list] Consequently, Distribute.IT was unable to recover from the hacking disaster and the business was forced to close. In your opinion, what could Distribute.IT have done differently to increase their chances of recovering from this incident? [list]
- How they were viewed publicly caused the biggest downfall, namely the Twitter meltdown and the subsequent reaction from the Australian Communications and Media Authority.
- Technically, Distribute.IT did everything they could to recover the websites however damage was done to their reputation and as a result, they lost their authority to function as a domain name registrar.
- What can be taken away from this is the requirement for effective response systems, including PR to handle the media backlash.
We saw the devastating effect the Distribute.IT hacking incident also had on its customers, most of whom lost their websites and all associated data. What are some of the ways SME’s can ensure their businesses don’t suffer the same fate? [list]
- The ‘maturity of resilience’ of a business is extremely important; it is not purely about a backup or a protective measure, rather the business needs to understand from all facets what they’re likely to encounter during a ‘cyber’ event.
- Are we doing the right things now and can we sustain this level of performance during times of stress or as environments and risks change?
- Be prepared in the event a threat materialises – how are we going to react if this happens?
- Also important to understand the competitive advantage technology is providing for you – what are your core business activities and how heavily do they reply upon technology? What are the critical enablers, what are their requirements and subsequently what are their targetable vulnerabilities.
[/list] As well as cyber attacks to third parties such as Distribute.IT, what are the common cyber threats Australian businesses face today? [list]
- The obvious one at the moment is Heartbleed.
- Can be broken down into three categories:
- The technical threat – should a vulnerability exist technically it can be exploited. This not only incorporates vulnerable code but practices such as excessive privileges, poor response to malicious code or even the absence of monitoring and alerting.
- The threat actor – understanding who and why you’re going to be attacked is critical. Whilst some of these are technically oriented or have their foundations in technology, this is no less different to how one might evaluate threat actors in the physical world; and
- Systems and processes – As technology exists to address or augment a business process or requirement, the absence of sound systems and processes enhance the impact of the threat. Whilst these are numerous, examples that come to mind are not applying due diligence to the work of an outsourcer to evaluate their technical threats or not adequately defining an incident response process.
Recently, the internet has been rocked by a serious threat to security by what is known as Heartbleed. It is apparent that the sensitive data of many companies has been compromised by the bug, allowing access to passwords, usernames and credit card details to name a few. What steps do you recommend businesses take to firstly determine if their security has been breached, and what actions they should then take to rectify the breach and ensure their business is no longer vulnerable? [list]
- It is not unreasonable to assume that if you have an internet based system that is currently vulnerable to Heartbleed, that you have been already attacked.
- To identify if a system you own is vulnerable an organisation, such as HackLabs, would be happy to verify this, or provide assurance that the organisation is not affected. HackLabs is happy to do this free of charge for any Internet facing systems.
- If a business has been affected, it is critical that the following measures are taken:
- Patch OpenSSL (or the affected software) to the latest version;
- Reissue the private certificate on the affected service;
- Force all system users to change their password; and
- Evaluate the likelihood that internal or associated systems have been compromised as a result of this.
Interview with James Crowther – London Australia Underwriting
The Distribute.IT hacking incident that destroyed the web hosting provider served as a reminder as to just how serious the threat of cyber crime is. Even with what was considered as ‘industry standard’ security measures in place, it still wasn’t enough to protect the data of thousands of customers. In your view, what else could Distribute.IT have done to prevent this attack?
In my opinion no organisation can be 100% secure from a cyber-attack, however in addition to having an in robust defence system and security processes in place, these also need to be constantly reviewed and tested to keep up with continuous advancement in threats. A good way to do this is to engage a third party security firm to conduct a security audit. Such an audit could be designed to highlight weaknesses in the network and recommend additional risk management processes, such as ensuring there is a secure offsite back up facility utilized.
Consequently, Distribute.IT was unable to recover from the hacking disaster and the business was forced to close. How can cyber insurance assist businesses in recovering if this type of incident were to occur? In your opinion, could Distribute.IT have recovered if they had the correct insurance in place?
Cyber Insurance is designed to cover network and information security breaches, and the consequential loss that an organisation suffers whether it is civil liability arising from a breach of security or privacy brought by a client of the policyholder or loss of business income and other costs such as public relations, forensic investigation, legal, customer support etc. which are incurred by the policyholder due to a security breach. It is hard to know if a Cyber Insurance policy would have led to Distribute.IT recovering as the damage to the brand may have been catastrophic, but the insurance policy could have certainly provided the compensation needed to protect the business and shareholders from financial ruin.
We saw the devastating effect the Distribute.IT hacking incident also had on its customers, most of whom lost their websites and all associated data. What are some of the ways SME’s can ensure their businesses don’t suffer the same fate?
- Ensure that your data is backed up at a secure offsite facility.
- Understand your critical IT service providers network security. Is there an external security audit conducted?
- Look at your service providers contract. Are there limitations to your right of indemnity under contract?
- Have an annually tested business continuity plan in place.
- Always remember you get what you pay for!
As well as cyber attacks to third parties such as Distribute.IT, what are the common cyber threats Australian businesses face today?
More often than you might think. Symantec conducted a study last year which stated that 63% of small to medium enterprises experienced an attack in 2013. Often overlooked is that a third of data breaches occurred inside the company. This shows you that organisations must treat network security as a serious risk or they will become a statistic. Invulnerability doesn’t exist in the world of information security because new vulnerabilities are discovered daily, but the key is to be vigilant. Threats are out there every day whether it is Ransomware or internet security bugs such as Heartbleed but for me the biggest risks to the largest number of organisations is still the action (or inaction) of employees – whether deliberate or accidental, nefarious or well meaning.
What are the types of cover available under a cyber insurance policy to help protect businesses against the potential impact of a cyber attack?
Please visit – http://www.lauw.com.au/ci-what-is-cyber-insurance.php
Read more about Cyber Insurance.