With all that has been going on lately you could be mistaken for thinking that the online world was under serious threat, too dangerous to visit and subject to a Foreign Office travel warning.
There has been a plethora of headlines reporting data breaches at household-name companies or banks. From Sony to Citibank, it seems that no-one was safe: wave after wave of threat from the latest online group of so-called hackers turned political activists.
I say ‘so-called’ because ‘real’ hackers, at least to my mind, are not out for gain or profit, rather to search for truth and knowledge. But there are always bad eggs in every walk of life. Most of the people driving the spate of recent attacks are not hackers in the true sense, just people with a bit of knowledge and a lot of time, with which almost anyone can execute a hack of some sort.
What can you do to protect yourself? Well, it all comes down to the application, in most cases. Take the Citi example in particular, where a very simple parameter tampering attack let the attackers simply change the URL and access other accounts. To be honest, this is basic web app security and I know the guys at OWASP would have something to say about it.
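The missing check behind this kind of parameter tampering, as an added example that is not from the original post or from any real banking code. The account data, session tokens, the `account` URL parameter and the function names are all constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account id -> owner and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 900},
}
# Constructed session store: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def account_id_from_url(url):
    """Read the account id from the query string (hypothetical 'account' parameter)."""
    values = parse_qs(urlparse(url).query).get("account", [])
    # Reject missing or duplicated parameters instead of guessing which one to use.
    return values[0] if len(values) == 1 else None


def view_account_vulnerable(session_token, url):
    """Checks only that the caller is logged in, then trusts whatever id the URL carries."""
    if session_token not in SESSIONS:
        return 401, None
    account = ACCOUNTS.get(account_id_from_url(url))
    return (200, account) if account else (404, None)


def view_account_hardened(session_token, url, audit_log):
    """Adds the object-level check: the account must belong to the session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    account_id = account_id_from_url(url)
    account = ACCOUNTS.get(account_id)
    # Same response for "not yours" and "does not exist", so ids cannot be enumerated.
    if account is None or account["owner"] != user:
        audit_log.append((user, account_id))  # input for alerting on repeated denials
        return 404, None
    return 200, account
```

Both handlers authenticate the session; only the second one ties the requested account to the logged-in user, and it records each denied lookup so that a run of them from one session can be alerted on.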
All it takes is a single computer to execute a slow post attack which can bring an entire website to its knees. It is actually as simple as that.
What we did not hear about are the other sites and companies who were not breached, and we never will. They were attacked but their defences stood up to the test.
What was the difference?
Without knowing all the details, a safe bet is that successful defences comprised a comprehensive web app security policy: a layered defence strategy including firewalls, application delivery controllers, web app firewalls and continual reviews.
If we have learned anything over the past few months, it is that nothing and no-one is safe. You need to protect your applications with regular code reviews, web app firewalls, and clever use of your application delivery controller to mitigate DDoS and other types of service-interrupting attacks.
Build your defences, test them, fix them, rinse and repeat. It will never end and we have to be vigilant all the time.
It’s worth it. The cost of mitigating these attacks is almost certainly more than what has been stolen from bank accounts. Look at the cost to Citi to replace 30,000 credit cards, to replace PIN numbers etc. It very quickly adds up, and then when you add damage to the brand into the mix… ouch.
Here is some info on using iRules to mitigate some of these DDoS attacks....
It does seem that there is some ‘honour amongst thieves’. It seems that the now-disbanded LulzSec was targeted by fellow hacker groups for their 50-day rampage because there was no apparent reason for their activity.