Last week, Sony’s CEO, Howard Stringer, declared to the company’s shareholders that “cyber terrorism is now a global force.” The statement came after several months of attacks by hackers specifically targeting Sony’s systems. The damage from the attacks is expected to run to billions of dollars in losses for the company, before taking into account the loss of its users’ trust.
Sony was reportedly targeted in retaliation for its prosecution of a 21-year-old computer programmer who had found a way to modify the company’s PS3 game consoles to play unauthorised games. Stringer, however, painted a picture of a much broader problem. “If hackers can hack Citibank, the FBI and the CIA,” he said, “then it’s a negative situation that governments may have to resolve.”
The question for most business owners is how these attacks are carried out, what the real risks are, and what a company can do to protect itself.
DIFFERENT TYPES OF CYBER ATTACKS
Cyber attacks come in a number of varieties and from a number of sources. The attacks on Sony are of the type generally known as SQL injection, designed to make Sony’s own systems reveal information that would otherwise be locked away.
SQL is the query language that most databases behind websites speak. Whenever you fill out a form to purchase a product through a website, the site’s code turns your entries into a SQL query and sends it to the database. If that code builds the query by pasting your entries straight into the SQL text, an attacker can type input that the database reads as commands rather than as data, and so trick it into revealing information it was never intended to.
Since the database contains information not only on your transaction but also on everyone else who has interacted with the system, a single flaw in one form can expose the whole customer base. In Sony’s case, attackers appear to have been able to steal and publish vast customer lists including email addresses and credit card information.
FILLING THE TUBES TO DENY SERVICE
Where a SQL injection attack attempts to steal information from a database, other types of attack aim simply to disrupt a website. The CIA, for instance, was hit last week with what is known as a denial of service (DoS) attack, or, when the traffic comes from many machines at once, a distributed denial of service (DDoS) attack. This type of attack targets a bottleneck anywhere in the path to a system (the network link, the load balancer, the web server, the database) and attempts to fill it with enough garbage requests that legitimate requests cannot get through.
While the late Senator Ted Stevens was maligned for suggesting it, at some level the Internet really is just a “series of tubes.” If the “tubes” get filled up with garbage, the legitimate traffic cannot get through. In the case of the attack against the CIA, thousands of computers around the world were used to generate bogus requests for the agency’s website, enough to keep legitimate requests from getting through and, effectively, knock it temporarily offline.
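To make the “series of tubes” point concrete, here is an added example (not code from the original article) that runs over constructed access-log lines in the common Apache/nginx format. The capacity figures are assumptions: an origin that can serve about 50 requests per second, and a per-source rate limit of 10 requests per second of the kind an operator might configure. It finds the seconds in which the site was overloaded, then shows that a per-source limit catches a flood from one host but does nothing against a distributed flood in which each of 120 bots stays under the limit while their aggregate still swamps the bottleneck.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed figures (not from the article): requests per second the origin can
# serve, and a per-source rate limit an operator might configure.
CAPACITY_RPS = 50
PER_IP_LIMIT = 10

# Common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def log_line(ip, second, path="/"):
    """Build one constructed access-log line for second `second` of a 10 s window."""
    ts = datetime(2011, 6, 20, 14, 5, second).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: 8 real visitors, one single-source flood, one distributed flood.
    Addresses are from the TEST-NET documentation ranges."""
    lines = []
    for i in range(8):                      # legitimate browsing, 3 requests each, spread over 10 s
        for n in range(3):
            lines.append(log_line(f"203.0.113.{i + 1}", (i + 3 * n) % 10, f"/product/{n}"))
    for _ in range(80):                     # one host hammering the site in second 2
        lines.append(log_line("198.51.100.7", 2))
    for b in range(120):                    # 120 bots, one request each, all in second 7
        lines.append(log_line(f"192.0.2.{b}", 7))
    return lines


def parse(lines):
    """Return (ip, epoch_second) for each well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], int(ts.timestamp())))
    return events


def analyse(lines, capacity_rps=CAPACITY_RPS, per_ip_limit=PER_IP_LIMIT):
    """Find overloaded seconds, then check which of them a per-source limit would have cured."""
    events = parse(lines)
    per_second = Counter(sec for _, sec in events)
    per_ip_second = Counter(events)

    # Sources that exceed the per-IP limit within any single second.
    noisy_ips = {ip for (ip, sec), n in per_ip_second.items() if n > per_ip_limit}

    # Re-count with those sources dropped, as a per-IP rate limiter would do.
    filtered = Counter(sec for ip, sec in events if ip not in noisy_ips)

    base = min(per_second)                  # report seconds relative to the window start
    peak_sec = max(per_second, key=per_second.get)
    return {
        "peak_rps": per_second[peak_sec],
        "distinct_sources_at_peak": len({ip for ip, sec in events if sec == peak_sec}),
        "overloaded_seconds": sorted(s - base for s, n in per_second.items() if n > capacity_rps),
        "noisy_ips": noisy_ips,
        "still_overloaded": sorted(s - base for s, n in filtered.items() if n > capacity_rps),
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(f"{key}: {value}")
```

The single-source flood in second 2 is the only thing the per-IP rule removes; second 7 stays overloaded because no individual bot looks abusive. That is why the article’s argument turns on capacity rather than on spotting bad actors one at a time.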
RISKS VARY BY ATTACK
These different types of attack present different risks. In the case of a SQL injection attack, the attacker’s aim is to steal private information or corrupt the victim’s database. These attacks can be opportunistic, where attackers scan the web looking for a vulnerability common to a widely used content management system, or targeted, as appears to have been the case with Sony.
SQL injection relies on a flaw in the code that powers a website. That code should hand visitor input to the database as data, kept separate from the SQL it executes (what programmers call parameterised queries or prepared statements), so that the input can only ever be a value and never a command. If a programmer instead pastes input into the query text, an attacker can often break out of the form’s intended behaviour and interact directly with the database.
Unlike SQL injection, which needs a flaw in the code of a website, denial of service attacks can take advantage of any bottleneck. Since connectivity and computing power are finite for every organisation, an attacker with enough resources can knock any website offline simply by flooding it with more requests than it can handle.
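The difference between the flawed and the correct approach described above is easiest to see side by side. The following is an added example (not code from the article or from Sony’s systems) using Python’s built-in SQLite driver against a constructed customer table. The first lookup builds its query by string concatenation, so the two injected payloads dump every customer’s card number and then pull rows out of an unrelated admin table; the parameterised version receives the same payloads and treats them as nothing more than an email address nobody has.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny shop database with a
# customer table the form is meant to query and an admin table it is not.
CUSTOMERS = [
    (1, "alice@example.com", "4111111111111111"),
    (2, "bob@example.com", "5500000000000004"),
    (3, "carol@example.com", "340000000000009"),
]
ADMINS = [("admin", "5f4dcc3b5aa765d61d8327deb882cf99")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card TEXT)")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO admins VALUES (?, ?)", ADMINS)
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately flawed: the visitor's text becomes part of the SQL statement itself."""
    query = "SELECT email, card FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: SQL and value travel separately, so the value can
    never change the statement's structure."""
    return conn.execute(
        "SELECT email, card FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads. The first makes the WHERE clause always true; the second
# closes the intended query and appends a UNION that reads another table, with
# "--" commenting out the trailing quote the code adds.
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT username, password_hash FROM admins --"


def demo():
    conn = make_db()
    honest = "alice@example.com"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_all_rows": lookup_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "safe_honest": lookup_safe(conn, honest),
        "safe_all_rows": lookup_safe(conn, PAYLOAD_ALL_ROWS),
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

Every mainstream database driver offers the placeholder form used in `lookup_safe`; the fix is not to filter quotes out of input but to stop letting input be parsed as SQL at all.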
WORST THREATS FROM ATTACKERS YOU’VE NEVER HEARD OF, UNTIL THEY EMAIL YOU
The biggest Internet companies secure themselves largely by having more resources than even a determined attacker can muster. What is troubling is that, recognising this, a certain breed of attacker has begun targeting mid-sized ecommerce companies with modern-day extortion. The usual pattern is for these extortionists to send a letter, typically originating in China or Eastern Europe, demanding payment of thousands of dollars or they will knock the site offline.
Here is an excerpt of one such extortion letter a CloudFlare customer shared with us:
Through our monitoring, Your company website will suffer in the near future a strong attack. If you want to avoid a loss, Please in 12 hours, will $10,000 transfer to the following account, we will endeavour to ensure the safety of the website of your company.
Unfortunately, these are often not idle threats. When companies do not pay the extortion money, their sites are hammered for weeks on end with so much traffic that no legitimate visitors can get through. While the attackers going after Sony may get media attention and brag about their exploits on Twitter, the extortionists running this highly profitable racket draw little attention to themselves and often have the biggest cannons. From what we have witnessed at CloudFlare, the extortionists’ attacks typically dwarf those run by attackers simply trying to make a political point or embarrass an organisation.
PROTECTING YOUR DATA
Different attacks require different protection techniques. The key to protecting your website against SQL injection is ensuring there are no flaws in your web software that would allow a hacker to retrieve data from, or modify, your database in any way that is not intended. That is easier said than done, but it starts with some simple guidelines.
First, you need to ensure that your web application software is up to date. While desktop software and even mobile apps are easy to upgrade, web software can often be a chore to upgrade. As vulnerabilities in web software are found, patches are usually released. The problem is that the patches themselves point attackers to the vulnerabilities in the unpatched software, so the window between a patch being published and your site being upgraded is exactly when you are most exposed. Most successful breaches come not from previously unknown (“zero-day”) vulnerabilities but from known problems that could have been prevented if the company had stayed up to date with its software upgrades.
Second, if you are storing sensitive data like customer information or credit cards, you should install a web application firewall (WAF) that watches for attack signatures and stops them before they reach your application. This new breed of firewall comes either as an appliance, made by companies like Imperva or Barracuda Networks, or as a cloud-based service, like CloudFlare. A WAF is a second line of defence rather than a substitute for the first: signature matching can be evaded by a determined attacker, so the underlying code still has to be fixed.
Third, regular scans of your site for vulnerabilities can uncover problems and tell you which software needs to be patched. Automated vulnerability scanning services such as Qualys check for known weaknesses on a schedule; a more thorough penetration test, or “pen test,” has a security consultant actively try to break in, typically using tools such as the Metasploit framework, which you can also run yourself to look for vulnerabilities.
USING THE CLOUD TO STAY ONLINE
Even if your web application software is free of the defects that led to Sony’s breach, it can still be knocked offline through a denial of service attack. If the goal of these attacks is to fill up the “tubes” that connect your website to the Internet with garbage traffic, the solution ultimately is to have a bigger tube than the bad guys. Unfortunately, it is impractical for every organisation to pay for an enormous network connection in order to have the capacity to defeat an attack, only to use a small fraction of it most of the time.
One of the benefits of moving some of your infrastructure to the cloud is the ability for network resources to scale elastically in order to absorb these attacks. If you host your site on Google’s AppEngine, Amazon’s EC2, or RackSpace’s Cloud, the services have the infrastructure in place to continue to run under what would be a withering attack to a traditionally hosted site. Elasticity is not free, however: a flood you absorb is a flood you pay for in bandwidth and compute, so the cloud turns an availability problem into a cost problem rather than making it disappear.
At CloudFlare, we’ve taken this a step further by allowing you to keep your website hosted wherever it currently is but add the benefits of scalable network security resources as a layer of protection in front of your current network connection. This approach allows sites to use only the resources they need under normal conditions, but still not be overwhelmed when an attack occurs.
KEEPING OUT OF THE HEADLINES
Sony’s experience demonstrates the public relations damage that can be done to a large organisation that is targeted by hackers and fails to adequately protect its web applications. However, the risks are no longer reserved for the biggest companies. As cyber extortionists quietly search for new targets, small- and mid-sized businesses with an online presence will increasingly be in their sights. Anyone doing business online should consider how they can keep their data secure and how they will weather an attack if one comes. The attention these attacks have received is likely to encourage more bad guys to look for vulnerabilities. Hopefully it will also encourage more of the good guys to ensure they are protected.
Matthew Prince is the CEO and Co-Founder of CloudFlare (www.cloudflare.com). CloudFlare is bringing the performance and security previously reserved for the Internet giants to the rest of the web. CloudFlare’s service makes sites twice as fast and protects them from a broad range of attacks without requiring hardware or software. In addition to his work at CloudFlare, Matthew also teaches at the John Marshall centre for Information Technology and Privacy Law.