In June of 2011, web hosting provider Distribute.IT suffered one of the most malicious cyber-attacks to occur in Australia. The hackers launched a highly sophisticated and coordinated attack on the Distribute.IT servers. The hackers compromised the data, websites and emails stored on four of their servers, as well as destroying all backups that would have allowed the business to restore the websites of their clients.
Such was the damage caused by the hackers that the information was deemed unrecoverable, resulting in approximately 4,000 websites disappearing with no chance of recovery. Despite every effort by Distribute.IT to recover from this devastating incident, the company was forced out of business, selling their assets to fellow online provider Netregistry.
This incident launched cyber security back into the spotlight, and as recently as this month it was discovered that the ‘Heartbleed’ bug has left countless websites exposed through a flaw that allows malicious parties to access a website’s data, including passwords, credit card details and usernames.
Now more than ever, it is imperative that businesses are prepared and protected against potential cyber threats, but where do you start?
Ensuring Your Business Is Prepared
At a time when businesses are conducting a significant amount, if not all, of their business activities online, the need for increased cyber security measures has become apparent. In the case of Distribute.IT, the business was “technically pretty solid when it came to security”, according to Edward Farrell of security consulting company HackLabs; however, “it is not purely about a backup or a protective measure, rather the business needs to understand from all facets what they’re likely to encounter during a cyber event”.
“The maturity of resilience of a business is extremely important”, says Mr Farrell. “It is important for a business to assess if they are doing the right things now in terms of cyber security, and can they sustain this level of performance during times of stress or as environments and risks change”.
It is therefore recommended that businesses perform a number of assessments to ensure they are adequately protected against cyber threats. According to Mr Farrell, penetration testing may have assisted Distribute.IT in identifying any vulnerabilities and their consequences. By carrying out the testing, “businesses can evaluate response systems to these potential threats and the security of their network”.
James Crowther of London Australia Underwriting agrees. Constantly reviewing and testing security processes to keep up with continuous advancements in threats is essential in addition to having a robust defence system.
“A good way to do this is to engage a third party security firm to conduct a security audit. Such an audit could be designed to highlight weaknesses in the network and recommend additional risk management processes”.
Beyond engaging companies that specialise in ‘ethical hacking’, Mr Farrell notes that while backing up plays a role in preparing for cyber threats, it “only forms a small part of the greater picture”.
Risk Management Strategy
Mr Crowther has suggested a number of ways businesses can adequately protect themselves from potential cyber attacks as a part of their risk management strategy:
- Ensure your data is backed up at a secure offsite facility
- Understand your critical IT service providers’ network security. Is there an external security audit conducted?
- Look at your service providers’ contract. Are there limitations to your right of indemnity under contract?
- Have an annually tested business continuity plan in place
- Always remember you get what you pay for!
Recovering From A Cyber Attack
In the case of Distribute.IT, the loss of data from the four servers dealt a significant blow to the business, and the media backlash that resulted was just as crushing.
PR and Brand Management
“How they were viewed publicly caused the biggest downfall, namely the Twitter meltdown and the subsequent reaction from the Australian Communications and Media Authority” says Mr Farrell.
“Technically, Distribute.IT did everything they could to recover the websites however damage was done to their reputation and as a result, lost their authority to function as a domain name registrar”.
This again highlights the importance of implementing effective response systems, including PR to handle any potential media backlash.
In addition to putting the correct systems in place to protect your business from potential cyber threats and from the events that may follow if a cyber threat materialises, Mr Crowther suggests businesses consider Cyber Insurance as a part of their risk management plan.
“Cyber Insurance is designed to cover network and information security breaches, and the consequential loss that an organisation suffers whether it is civil liability arising from a breach of security or privacy brought by a client of the policyholder or loss of business income and other costs such as public relations, forensic investigation, legal and customer support to name a few, which are incurred by the policyholder due to a security breach”.
While Mr Crowther agrees damage to the brand may have been catastrophic, “an insurance policy could have certainly provided the compensation needed to protect the business and shareholders from financial ruin”.
At present, many businesses that operate using the OpenSSL software are at risk from Heartbleed. Mr Farrell suggests it’s not unreasonable to assume that if you have an internet-based system that is vulnerable to Heartbleed, you have already been attacked.
“To identify if a system you own is vulnerable, an organisation such as HackLabs would be happy to verify this, or provide assurance that the organisation is not affected”.
If you find your business has been compromised by Heartbleed, Mr Farrell suggests the following measures be taken:
- Patch OpenSSL (or the affected software) to the latest version
- Reissue the private certificate on the affected service
- Force all system users to change their passwords; and
- Evaluate the likelihood that internal or associated systems have been compromised as a result of this
A study carried out by Symantec last year produced the staggering statistic that 63% of small to medium enterprises experienced an attack in 2013, making apparent the dire necessity of ensuring your business is protected and prepared for any type of cyber threat.
Not doing so could result in disastrous consequences for your business and its reputation, as demonstrated by Distribute.IT. Mr Crowther highlights, “organisations must treat network security as a serious risk, or they will become a statistic”.
HackLabs have kindly offered to assess any internet facing systems for Heartbleed free of charge for readers of this article. Please contact HackLabs for further information.