The flooring of the Russian stock exchange by malware earlier this year served as a wake-up call for many financial institutions and at the same time brought to mind a recognised computer attack technique: take a system down prior to launching the 'real' attack.
When a malware attack occurs, businesses are typically so anxious to get back online that they will get themselves up and running again with many of their security measures compromised. This period – directly after a first attack - creates an ideal window of opportunity for the 'real' attack to take place. A hacker's favourite is getting through the default administrator password which is invariable available to them at this point. Alternatively, they may hope to find the latest patches have not been reapplied thus reopening a previously fixed vulnerability. This creates an alarming scenario.
Hackers may have targeted the Russian stock exchange for a number of reasons, including intellectual challenge, extortion or as a prelude to a potentially more rewarding and therefore more damaging application-level attack. By rushing to get themselves 'online', are companies losing focus of what is of real value to the business and getting blindsided to what thieves are really trying to steal?
According to analyst firm Datamonitor, a single virus attack could cost a business £66,000. The firm estimated an average cost to businesses of £26,000 for more 'serious' incidents, while 11 per cent of survey respondents said their companies had suffered greater than £66,000 losses from a single incident. A single malware attack can indeed wreak significant havoc on the business but many companies are failing to realise that while directing their attention to tackling viruses, they may well be leaving themselves open to substantially more damage, not just in terms of hardware cost, damage to reputation and legal liability but in terms of mission critical assets. US credit bureau, ChoicePoint, for example, was recently fined over $15 million after a hacker falsified credentials used to sign up for sensitive ChoicePoint services and access account information for 163,000 consumers. If prior to, or indeed after, an attack such as this, where vulnerabilities in the applications enable the hacker to gain unauthorised information, focusing solely on boosting reactive security tools such as network firewalls leaves a company seriously exposed.
When a Chinese gang, codenamed Titan Rain, penetrated secure US sites, it showed that it is possible to gain access to secure systems, steal or modify information, and then exit - leaving minimal clues. These attacks leave businesses with little doubt that there needs to be increased investment in security. But, companies need to decide which assets to prioritise and therefore where to focus the expenditure?
To justify increased investment, any business needs to assess where its key assets lie. For a bank, for example, it may lie in the brand. People trust a brand, and when that trust is broken through a security breach, the company image can be damaged irreparably almost overnight. So, does a company protect this trust, its core asset, at all costs?
A reasonable approach, that could satisfy any post-incident analysis, would involve the specific protection of the most obvious web facing vulnerability: The business' applications available to partners, clients and employees. These applications are designed to be remotely accessed by a wide variety of individuals and therefore represent a ripe source of stepping stones for a persistent and determined hacker.
Web application firewalls (WAFs) are simple to install yet raise the complexity barrier for a would-be hacker as they sit invisibly in front of multiple web application services and protect the integrity of each application. Fine tuning mechanisms that exceed the limitations of a traditional IPS (Intrusion Prevention System) enable a combination of reactive measures (blocking standard attack methods) with proactive techniques that define authorised and desirable behaviour. As the WAF is invisible to hackers, they have no idea what they need to attack. It also means that they are much less likely to be able to crash the web servers that host mission-critical applications.
However many security experts perceive that this type of deployment comes with a significant trade-off against performance. This need not be the case.
Steps need to be taken to protect the core assets and taking a proactive approach to security by using a web application firewall, for example, not only provides protection against web attacks, but also helps a company to make money as they provide several opportunities to accelerate the whole customer experience.
A web application firewall accelerates SSL traffic using established technologies; it caches the most frequently requested standard pages, thereby providing an instant response without recourse to actual web application; and by eliminating all erroneous messages, it massively reduces the workload on the web servers. Compression techniques complete the picture: The overall impact of a WAF is to improve customer response times in the range of two to nine times, depending on the nature of the application. It achieves this result because it is dedicated to web-enabled applications.
In addition, with a web application firewall, server patching ceases to be the immediate task that it currently needs to be. The web application firewall effectively inoculates the web servers from the outside world – and can filter internal web application traffic too – so there is no direct access for a would-be hacker. Thus organisations are able to schedule patching as a regular activity once a month or once a quarter – depending on their own preference.
The above factors support the claim that intelligent security can not only save money, but also help generate revenue. But, to reap the full potential, businesses have to take the time to do the necessary calculations regarding how much extra profit they anticipate from taking the application via the Internet; capture their appetite for "risk"; measure how likely is an attack and how sensitive the business is to a successful attack. Armed with this information it is possible to assess the costs associated with migrating an application set to the Internet with and without web application firewall protection. A robust ROI model will compare and contrast these approaches and assist a business make an informed decision.
Some hackers may be motivated by the challenge of hacking into a well-established financial institution with a so-far glowing brand image, but for an increasing number, the ultimate driver is financial gain. Although the real reason behind the Russian Stock Exchange breach may never be uncovered, it serves as yet another reminder that businesses must be ever vigilant.
For the time being, the need to deploy solutions that combat the raft of malware attacks has far from disappeared. In addition, while businesses omit to take on board the issue of proactive security approach, application level attacks will continue to be an easy option for the hacker with a relatively small chance of getting caught. Those security professionals that ensure that they implement a proactive and reactive security approach will not only be helping to close that window of opportunity on the data thieves but will also be better placed to generate real revenues from their security investment.
The author is UK country manager of Deny All
