In February, we saw an unprecedented salvo of denial-of-service attacks against major e-commerce sites, including Yahoo Inc., EBay Inc. and Amazon.com Inc. These attacks have cost millions of dollars in lost revenue, not to mention the intangible impact on customer confidence. In fact, one estimate is that the cumulative damages may total as much as $1.2 billion.
The underlying technical method of attack is not new. The Internet community has seen similar attacks for at least the past five years, and the theoretical basis for the attack has been known for decades. With tools that allow for distributed attacks, there is little that a diligent system administrator can do to avoid becoming a victim of a distributed denial-of-service attack. However, in their concern about becoming a victim, many corporations are missing the larger issue: They could become a facilitator of an attack against another organization.
When the dust settles, the real issue is downstream liability. These distributed denial-of-service attacks are only successful because the attacker is able to compromise numerous systems and install zombie software that will be used in a coordinated attack. This means that the compromised hosts have become part of a distributed-attack platform. Did the owners of these compromised hosts practice due diligence with respect to their security? If they are not being diligent, they may be liable for damages resulting from the attack.
Here are some steps that your organization can take to achieve a minimal level of due diligence and ensure that your systems are not used as an attack vehicle against someone else. Every organization should:
Establish a formal security programA dedicated security program operating with the support of senior management will create and manage dynamic security policies that evaluate risk, implement procedures and appropriate safeguards, and provide training and awareness for all employees. Keep software and systems currentMake sure your company is running current versions of all operating systems and software. A majority of intrusions are conducted using known vulnerabilities that could have been easily mitigated by installing a vendor patch. Your information technology staff should diligently monitor vendor Web sites and e-mail lists to ensure that they are not running insecure software versions. Perform periodic vulnerability assessmentsThe best mechanism for determining the vulnerability of your enterprise is to have an independent company conduct a full-scale vulnerability assessment. Make sure that the company conducting the assessment is not also under contract to provide products or implementation support. A company that has provided technology implementation support to your enterprise is less likely to report vulnerability exposure. Recognize the value and limitations of information security toolsIn many organizations, too much emphasis is placed upon the use of buzzword security fixes like firewalls, virtual private networks and intrusion detection. These are often equated with total security, which is certainly not the case. While security tools are vital, they need to be part of a comprehensive security program and must be configured to match the organizations security policies. |
Every organization connecting to the Internet has an obligation to maintain an appropriate level of due diligence for information security. Corporate executives spend a lot of time worrying about whether they will be the next victim of an attack, when in reality they should be worrying about whether their organization is unknowingly participating in attacks. Have you been diligent?
By Matthew G. Devost
Originally published inElectronic Business Magazine