© 2000 ZDNet UK

Hacker attacks on Web sites have cost e-businesses millions of pounds. Ignoring the threats could result in big losses, so companies should take steps to minimise their risks, reports Paola di Maio

Recent denial of service attacks on some of the most popular sites on the Web have raised security up the e-trade agenda. Last February, hackers temporarily disabled sites at Yahoo, CNN, E*Trade and ZDNet. These types of attack are costing firms millions in capitalisation costs, lost revenues and security upgrades, according to analyst firm Yankee Group.

London-based security firm mi2g has been studying such attacks for years. It has found plenty of examples. Last spring, hackers disabled systems of the Ministry of Defence and Nato for 48 hours. US hacker MagicFX broke into eBay, the largest online auction site. Guessing passwords, MagicFX managed to access and modify system software, intercept log-in identities and passwords, read users' keystrokes and amend eBay's Web pages.

On 30 August 1999 the Hackers Unite group accessed Hotmail's systems, causing a big drop in Microsoft's share value. Last September, the United Loan Gunmen (ULG) accessed the Nasdaq stock exchange network. Nasdaq also reported some 'hiccups' last month, but has not disclosed details. In January, a group known as East European Syndicate accessed online music vendor CD Universe and tried to blackmail the parent company, eUniverse. The group stole 300,000 credit card numbers and attempted to sell them over the Internet.

Risk assessment

According to mi2g, most security breaches are caused by disgruntled staff who want to damage their current or former employers.

Some hackers seek financial gain, but most see hacking as an intellectual challenge and are presumably responsible for those attacks that seem pointless to the rest of us. Others can be politically motivated, and express their dissent by disrupting their target's online activities.

'Our research concludes that 60 percent of attacks take place because of a security breach caused by bribed or angry staff, who disclose details of internal systems to third parties,' said DK Matai, mi2g's founder.

'Our recommendation is that the first level of precaution is taken within human resources management monitoring dissatisfaction among employees. Solid legal contracts should be in place that emphasise the consequences of security breaches and make clear that the company will pursue the moles with penal action,' he said.

Cyber attacks can fall into several different categories. These include:
· Denial of service Users cannot access sites.
· Surrogacy The site address is usurped.
· Piracy Data is extracted or manipulated.
· Hazards Vital operational information is manipulated to disrupt an activity.

While firms have long been able to insure against the loss of business information, such policies have failed to keep pace with the increasing risk. The proliferation of Internet applications is making business systems increasingly open and vulnerable.

New categories of risk are appearing that could make businesses lose revenue, and make host organisations liable to third parties for the loss or theft of personal information in their possession. This could include credit card information, medical histories and intellectual property.

The first step in securing a network is to understand exactly what data is available online, who has access to it, and whether adequate protection is in place.

The most widely used method of assessing the likelihood and impact of risk exposure addresses three main areas:
· Prediction What is the current state of the systems? Where are security failures likely, or actually occurring? How effective is the security policy?
· Quantification of impact and prioritisation What failures will cause the most harm? What security risks should be tackled first?
· Management What changes are occurring in an organisation's risk profile? How is security policy addressing those changes?

A survey of City of London financial institutions by mi2g found that four in 10 banks are dissatisfied with their current security provisions and that 5.5 percent had been attacked online at least once.

Some trouble can be avoided by having suitable security policies, and there are a number of IT measures companies can take. 'Firms should regularly review recovery procedures, and maybe keep a unique spare system with a different underlying operating system, so that if the main system is attacked, the spare one kicks in,' said Matai.

Matai acknowledged this is a very expensive solution. 'This option involves the cost of keeping over 50 percent of your computing resources idle, and not every organisation can afford that,' he said.

Another step is securing reference clocks. Ensuring that the date and time of systems cannot be changed is an important precaution to avoid interference with accounts.

High-risk companies should create unique security architectures so that no one knows the whole system design, thus making it difficult to break in.

There are a number of architectural tricks that can be designed into a system, said Matai. These include adding extra layers and what are called 'honey pots' relatively visible and easily accessible areas that lure hackers, leading them to believe that they are inside a network. However, they trigger alarms so administrators know the system is being hacked into.

A security policy should also prioritise remedial action and foster strong encryption, interception and pursuit techniques.

Network and Internet risk management is the combination of legal, technical, personnel and insurance provisions. However, even with proper precautions, eternal vigilance is still required.


· Recent denial of service attacks on leading Web sites have highlighted the vulnerability of e-businesses.
· Most security threats emanate from disgruntled staff.
· Companies should include stringent security rules in staff handbooks.
· Safeguards can be designed into systems. These may include hacker traps, spare systems, and restricting knowledge of the network.

Renowned worldwide for the ATCA Briefings. Subscribe now.
Home - Profile - Values - People - Careers - Partners - Contact Us
D2 Banking - Bespoke Security Architecture - Digital Risk Management - Tools

Intelligence Briefings - Brochures - Case Studies -
SIPS Methodology FAQ (pdf)
Keynote Speeches - Articles - News Feeds - Glossary (pdf)
Terms and Conditions - Privacy Policy