On Monday we discussed the problem with people assuming that more and more successful hacks and security breaches were the result of “sophisticated” or “state-sponsored” attackers.
Then, on Tuesday, the now-notorious LulzSec threw a new spanner into the works and opened up, via their twitter stream, the option for people to “dial in” and suggest targets for them to take out. The tweet below was taken from the @LulzSec stream on Twitter: (original tweet link)
Also, as a part of a twitter event which they have called “#TitanicTakeoverTuesday“, it seems a variety of servers have been taken down by LulzSec. These have included the popular online gaming system Eve Online (as reported here) and game-related magazine sites.
It seems apparent from both the behaviour and target selection, that LulzSec is not a state-sponsored group, is not linked to “international crime syndicates” or any of the normal suspects that are mentioned when big online systems are taken down. Despite this, they have managed to bring Eve Online offline. This highlights the fact that if you do not build security into your business from the outset you will be vulnerable. If you do business online, if you advertise online or anything, you absolutely need to review your security, assess your risks and make sure that you have an appropriate management strategy in place.
As always, the time to do that is now, not after you have been taken offline with an attack.
The last thing you want is a malicious competitor seizing an opportunity like this and tweeting your website to a group like LulzSec before you have had the chance to reinforce your defences.
Part of the problem, which all risk management groups face, is working out what level of attack to defend against. This is not helped by most sites who are taken down keeping the intricate details of the attack a secret.
The good news is that 90% of security breaches occur through very, very common routes with lack of up-to-date patches being the main one with lack of staff awareness being close behind.
Spend some time to make sure you have closed all the easy doors. Ensure you have a solid (and tested) incident management plan in place. Make sure all your employees are aware of the security policies and procedures. Make sure you are fully aware of the costs and benefits of various security mitigation options.
You may still fall victim to a hacker attack, but at least you will be well placed to deal with it and continue with your business.