ays true, so all records will be deleted). Yikes! In this case, someone entering the kind of code you'd learn in the first chapter of SQL for Dummies could annihilate a site's entire user ID file using one of the site's own Web pages as the attack vehicle. [B. Schneier, "Oklahoma Data Leak," Schneier on Security, April 18, 2008.] Related programming exploits go by names such as cross-site scripting and HTTP header injection; all of them share the same root cause, untrusted input that the application ends up treating as code, markup, or protocol syntax rather than as plain data. We'll spare you the technical details, but what this means for both the manager and the programmer is that all systems must be designed and tested with security in mind. This includes testing new applications, existing and legacy applications, partner offerings, and SaaS (software as a service) applications—everything. Visa and MasterCard are among the firms requiring partners to rigorously apply testing standards. Firms that aren't testing their applications will find they're locked out of business; if caught with unacceptable breaches, such firms may be forced to pay big fines and absorb any costs associated with their weak practices. ["Information Security: Why Cybercriminals Are Smiling," Knowledge@Wharton, August 19, 2009.]

Push-Button Hacking

Not only is the list of technical vulnerabilities well known; hackers have also created tools that make it easy for the criminally inclined to automate attacks. Chapter 14 "Google in Three Parts: Search, Online Advertising, and Beyond" outlines how Web sites can interrogate a system to find out more about the software and hardware used by visitors. Hacking toolkits can do the same thing. While you won't find this sort of software for sale on Amazon, casual surfing of the online underworld (not recommended or advocated) will surface scores of tools that probe systems for the latest vulnerabilities and then launch the appropriate attacks.
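To make concrete the injection flaw this section opened with (input that turns a WHERE clause into something that is always true), here is an added example; it is not code from the textbook or from any site it describes. It builds a constructed in-memory SQLite table, deletes through a routine that splices the user-supplied name straight into the statement, and then does the same through a parameterised statement that keeps the input as data. The table, column and user names and the payload string are assumptions made for the illustration.

```python
"""Tautology-style SQL injection against a DELETE statement.
Added example with constructed data; nothing here comes from a real site."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def delete_user_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    """Builds the statement by string concatenation, so whatever the caller
    supplies becomes part of the SQL grammar, not just a compared value.
    Returns the number of rows the database reports as deleted."""
    sql = "DELETE FROM users WHERE name = '" + name + "'"
    # With PAYLOAD below this becomes:
    #   DELETE FROM users WHERE name = 'x' OR '1'='1'
    # and the OR clause is true for every row.
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_user_safe(conn: sqlite3.Connection, name: str) -> int:
    """Parameterised statement: the driver passes the value separately from
    the SQL text, so quotes and OR clauses inside the input stay data."""
    cur = conn.execute("DELETE FROM users WHERE name = ?", (name,))
    conn.commit()
    return cur.rowcount


# Closes the quoted literal, then appends a condition that is always true.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", delete_user_vulnerable(db, PAYLOAD), "rows deleted")  # 3
    db = make_db()
    print("safe:      ", delete_user_safe(db, PAYLOAD), "rows deleted")        # 0
```

The vulnerable routine deletes every row even though the attacker never names one of them; the safe routine deletes nothing, because no user is literally called `x' OR '1'='1`. Python's sqlite3 module refuses to run more than one statement per call, which is why the example uses a tautology rather than a stacked `'; DROP TABLE` style payload; drivers and databases that allow stacked statements are exposed to both.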
In one example, a $700 toolkit (MPack v. 86) was used to infiltrate a host of Italian Web sites, launching Trojans that infested 15,000 users in just a six-day period. ["Web Threats Whitepaper," Trend Micro, March 2008.] As an industry executive has stated in BusinessWeek, "The barrier of entry is becoming so low that literally anyone can carry out these attacks." [J. Schectman, "Computer Hacking Made Easy," BusinessWeek, August 13, 2009.]

Network Threats

The network itself may also be a source of compromise. Recall that the TJX hack happened when a Wi-Fi access point was left open and undetected. A hacker just drove up and performed the digital equivalent of crawling through an open window. The problem is made more challenging because wireless access points are so inexpensive and easy to install. For less than $100, a user (well intentioned or not) could plug in an access point that provides entry for anyone within radio range. If a firm doesn't regularly monitor its premises, its network, and its network traffic, it may fall victim.

Other troubling exploits have targeted the very underpinnings of the Internet itself. This is the case with so-called DNS cache poisoning. The DNS, or domain name system, is the distributed set of servers and software that maps a host name, such as the www.bc.edu in http://www.bc.edu, to an IP address, such as 136.167.2.220 (see Chapter 12 "A Manager's Guide to the Internet and Telecommunications" for more detail). Caching name servers, such as the one your ISP or employer runs, remember answers they have fetched so that they need not look them up again for every client. DNS cache poisoning exploits trick such a server into accepting a forged answer, and because that answer is cached, every client that asks afterwards is redirected until the entry expires; the consequences are huge. Imagine thinking that you're visiting your bank's Web site, but instead your network's DNS server has been poisoned so that you really visit a carefully crafted replica that hackers use to steal your log-in credentials and drain your bank account.
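The race behind cache poisoning is easier to see in a toy model than in prose, so here is an added illustration; it is not real resolver code and not from the textbook. A caching resolver remembers one outstanding query and caches the first reply that matches it. An attacker who cannot see the genuine traffic must guess the 16-bit transaction ID and, if the resolver checks it, the source port the query went out on. The domain name, both addresses, the port range and the attacker's strategy are constructed assumptions.

```python
"""Toy model of a DNS cache-poisoning race.  Added illustration with
constructed names and addresses; not a real resolver."""
import random
from typing import Dict, Optional, Tuple

ID_SPACE = 1 << 16               # DNS transaction IDs are 16 bits wide
PORT_RANGE = range(1024, 65536)  # ephemeral UDP source ports a resolver may pick

NAME, GOOD_ADDR, BAD_ADDR = "www.bc.edu", "136.167.2.220", "203.0.113.66"


class ToyResolver:
    def __init__(self, rng: random.Random, check_port: bool) -> None:
        self.rng = rng
        # check_port=False behaves like an old resolver that matched on the
        # transaction ID alone (or always sent from one predictable port).
        self.check_port = check_port
        self.cache: Dict[str, str] = {}
        self.pending: Optional[Tuple[str, int, int]] = None  # (name, txid, port)

    def send_query(self, name: str) -> None:
        """Issue one upstream query with a random ID and random source port."""
        self.pending = (name, self.rng.randrange(ID_SPACE),
                        self.rng.choice(PORT_RANGE))

    def receive(self, name: str, txid: int, port: int, addr: str) -> bool:
        """Accept a reply only if it matches the outstanding query.  The first
        match is cached; anything arriving later, including the genuine
        answer, is dropped because nothing is pending any more."""
        if self.pending is None:
            return False
        p_name, p_id, p_port = self.pending
        if name != p_name or txid != p_id:
            return False
        if self.check_port and port != p_port:
            return False
        self.cache[name] = addr
        self.pending = None
        return True


def spoof_flood(res: ToyResolver, name: str, port_guess: int, addr: str) -> bool:
    """Attacker races the real answer: one forged reply per possible ID, all
    aimed at a single guessed port.  True if the cache now holds the forgery."""
    for txid in range(ID_SPACE):
        if res.receive(name, txid, port_guess, addr):
            break
    return res.cache.get(name) == addr


def genuine_reply(res: ToyResolver, name: str, addr: str) -> bool:
    """The authoritative server's reply echoes the query's own ID and port."""
    if res.pending is None:
        return False          # too late: something already answered
    _, txid, port = res.pending
    return res.receive(name, txid, port, addr)


def resolve_under_attack(check_port: bool, port_guess: int, seed: int = 7) -> str:
    """One query, one forged flood, then the genuine reply; returns the
    address the cache ends up holding for NAME."""
    res = ToyResolver(random.Random(seed), check_port)
    res.send_query(NAME)
    spoof_flood(res, NAME, port_guess, BAD_ADDR)
    genuine_reply(res, NAME, GOOD_ADDR)
    return res.cache[NAME]


if __name__ == "__main__":
    # Port 53 is the guess an attacker would make against a resolver that
    # never randomised its source port; it lies outside PORT_RANGE here.
    print("ID-only resolver :", resolve_under_attack(check_port=False, port_guess=53))  # 203.0.113.66
    print("ID + port checked:", resolve_under_attack(check_port=True, port_guess=53))   # 136.167.2.220
```

Against the ID-only resolver, 65,536 forged packets are enough to win the race every time, which is why a single poisoning can redirect an ISP's entire customer base. Checking the source port as well multiplies the attacker's search space by the number of possible ports, which is the fix resolvers rolled out in 2008; the guess disappears altogether only when answers are signed (DNSSEC), so the cache can verify the data rather than the packet that carried it.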
A DNS cache poisoning attack launched against one of China's largest ISPs redirected users to sites that launched malware exploits targeting weaknesses in RealPlayer, Adobe Flash, and Microsoft's ActiveX technology, commonly used in browsers. [J. London, "China Netcom Falls Prey to DNS Cache Poisoning," Computerworld, August 22, 2008.]

Physical Threats

A firm doesn't just have to watch out for insiders or compromised software and hardware; a host of other physical threats can grease the skids to fraud, theft, and damage. Most large firms have disaster-recovery plans in place. These often include provisions to back up systems and data to offsite locations, to protect operations and provide a fallback in the case of disaster. Such plans increasingly take into account the potential impact of physical security threats such as terrorism or vandalism as well. Anything valuable that reaches the trash in a recoverable state is also a potential security breach. Hackers and spies sometimes practice dumpster diving, sifting through trash in an effort to uncover valuable data or insights tha...