Information Security

by Andy Taylor

Internet attacks

Internet attacks can cause such havoc that they deserve separate consideration. You will almost certainly require specialist advice, from within or outside your business, so this is just a breakdown of the main types of attack.

Malware attacks

Malware (or malicious software) takes a multitude of forms. These range from the simple virus infection that damages data (known as a payload virus) through to those that duplicate themselves and automatically send themselves on to all your email addresses. These non-payload viruses may not destroy data, but still cause damage because of the huge increase in emails.

The effect, in general, is much reduced today because of the advances made in anti-virus software, but only where the software is kept up to date with the latest virus signatures. The consequences of a virus attack are many and varied. When an unsuspecting boss issued a newsletter to all his staff (3,500 of them spread over several networked sites), little did he know the virus with which he infected all the machines would take twelve weeks to clear up. The loss in productivity of his staff was only the start of the real costs.

Spyware attacks

Spyware is much more prevalent today, although, as with virus attacks, a well-managed computer system is unlikely to suffer this type of attack. Spyware is designed to track the user’s actions on a computer screen or keyboard and then to transmit ‘interesting’ information, such as the logon to internet banks, to a third-party rogue site, where it is used for nefarious purposes. This can also be achieved through hardware devices plugged into the keyboard or screen, unseen to the user. This would normally be done by either a disaffected employee or a rogue maintenance engineer.

Phishing attacks

This method involves rather more effort than the simple malware, but is becoming the vehicle of choice for the more ‘professional’ hackers. An email is received purporting to come from a reputable organisation, such as a bank or courier company. This usually has some very convincing text, saying that the organisation takes security very seriously and has therefore taken steps to safeguard the individual’s information even more carefully. There will then be a link that supposedly takes the innocent reader to the ‘official’ website where, for example, their account details can be checked to ensure they have been transferred to some new system correctly.

Naturally, after the check the reader will receive a comforting message saying that their details have been verified and all is well. Except that the site is not the genuine article and all the reader has done is to enter their banking details into some crook’s system, enabling them to gain access to the account in question. A variation of this is a courier email saying the company has tried to deliver something, but has failed, and asking for a small sum to allow the redelivery. Once again, this is fraudulent – the charge has simply gone into the crook’s bank account.

Trojans

In this case, an innocent-looking attachment or download, such as a video clip, music track or picture, has a ‘Trojan’ in it. This piece of programming looks fine, but contains some other, more dangerous, malware, such as a worm, which not only infects your system but duplicates itself and sends itself to addressees in your email or contact address book. This type of attack is also sometimes known as a ‘drive by’ attack, since it can originate from someone who simply clicked onto an infected web site and ‘collected’ a Trojan or other malware for their trouble.

DDOS and botnets

Distributed Denial of Service (DDOS) attacks tend to be used to attack bodies with a major public presence. DDOS attacks can take several different forms, but the end result is similar – the system under attack, which might be an internet web site providing information or an e-trading facility, becomes unavailable and suffers financially or through a loss of reputation.

A Robot Network (botnet) is often deployed to achieve this DDOS. Essentially, this takes over victims’ machines. The compromised machines are all then ordered to access the target network or web site. If enough machines can be compromised to take this action, then the target system becomes overloaded and so is not available to genuine customers.

Social engineering and fraud

These are often regarded as the domain of the spy and security service world, but in reality they can and do affect all types of business. A disaffected employee is offered large sums of money to provide information on their company to a competitor, perhaps about research and development or key customers. Or perhaps an employee uses the company computer systems to move small amounts of money into a new account. This is set up in a fictitious name to which they alone have access – over time the sums build up and they leave with the cash. This happened a number of years ago in a UK bank. At that time there were still half pennies in circulation, but the banks didn’t record them, so the employee devised a scheme whereby any amount of money with a ½p in it was stripped of the extra, which was placed into his own account. After some considerable time he left with many thousands of pounds, but didn’t get too far.

Fraud has taken many forms over the years, but the latest batch includes the lottery scam, where a victim is assured they have won a large sum in a fictional lottery, or the ‘Nigerian’ scam where a distant supposed relative of some rich elder has died, leaving huge sums of money to be moved to a new part of the world. There are many other varieties of fraud, but in general the warning still stands that if it is too good to be true, then it is probably not true! Some class this type of fraud as social engineering, insofar as the victim is persuaded to give valuable information to a criminal. Whatever it is called, the end result hurts.

Data leakage

The loss of critical data through any number of means has been a problem ever since we started to move information around. In recent years, there have been some very high profile data losses, in both the public and private sectors. Many incidents were down to staff forgetfulness – forgetting to retain papers, lock up computers or send disks in an appropriate way. Others were down to hackers gaining inappropriate access to major databases of client information. Stories of staff leaving and taking the client database with them and setting up in a rival company are many and varied, but most have the ring of truth about them. In all cases, the end result was similar – as a minimum, significant embarrassment for the organisation plus extra effort required to recover the situation.