Hacktivist groups are out to expose, embarrass and damage businesses, and it can only take one small mistake in coding to leave a company vulnerable to a hacking attack. So why are businesses still not investing in their data security, and what should they be looking out for?

There are many reasons why a managing director might dread their work mobile phone waking them in the middle of the night, but a call from a frantic chief information officer telling them that their website has been knocked out and all the company’s confidential customer data is already available for download on The Pirate Bay must rank among the worst.

In recent months, a string of attacks by high-profile ‘hacktavist’ groups, Anonymous and LulzSec (see box ‘The hacktivists only in it for the “lulz”), along with strikes on Google, possibly by Chinese hackers, have shown that security is something that no company can take for granted.

If anything, the hacks that have made the news may only be the tip of the iceberg. “We’re aware of the high-profile break-ins that have been announced by the publicity-seeking hackers,” says internet security expert Tom Scott.

“[But] how many of those companies would have gone public themselves if they were compromised by more private, ‘black hat’ groups? How many would even have noticed the intrusion? It’s impossible to quantify the ‘real risk’ other than as vague, meaningless estimates.”

But while the threat is hard to quantify, the potential for damage is easy to see. “The main risks to a company are brand damage, losing customers – which can have a knock-on for share value and net value – losing intellectual property and losing their competitive advantage,” Trend Micro director of security research and communication Rik Ferguson says.

“It’s clear that we are seeing more and more attacks, although this is partly driven by the fact that, after Google went public about being hacked, more companies are following their lead. We still don’t have full disclosure, but legislation in the USA now obliges companies to tell their customers if they feel that their customer data has been compromised.”

Many of the current attacks seem to be acts of revenge. In May 2011, LulzSec targeted Fox.com, after a presenter called the rapper Common ‘vile’, and managed to leak passwords, LinkedIn profiles, and the names of 73,000 X Factor contestants.

In June, LulzSec hit Sony in retaliation for its prosecution of a computer expert for ‘cracking’ the Playstation 3, promising it would be the “beginning of the end” for the company. The group claims to have compromised over a million Sony customer accounts, although Sony says the number was actually 37,500.

How they do it

The majority of hacker attacks are either massive DDoS (distributed denial of service) attacks – where thousands of malware-infected ‘zombie’ computers are prompted to contact a website over and over again until it breaks down – or alternatively off-the-shelf programming scripts are inserted into site databases to steal information. The latter, in theory, should be far easier to defend against.

“If [a firm’s] website contains customer data, it should ask its web team about the phrases ‘SQL injection’ and ‘cross-site scripting’,” Scott says. “Those are the names of the most common attacks – the low-hanging fruit. If your web team doesn’t understand what those mean and how to defend against them, you can start worrying.”

As with any business risk, the key is a methodical assessment. “Effective penetration testing by a third party, both internal and external, is essential,” Ferguson says. “This is especially important, going forward, as more and more companies are relying on public and private cloud virtualisation. Don’t start at the server, start at the edge of the data and build out. Use plenty of encryption.”

Where attacks that compromise data hit hardest seems to be where corners may have been cut. “I’d wager that SQL injection attacks have been successful because websites have been launched under budget, without testing, and without proper thought to information security,” Scott says. “In the worst case, it can take only one mistake while coding a site for that door to be unlocked.

“For 99% of people and businesses, the main threats are bitter ex-partners, business rivals, and so on – and they’re more likely to try to guess your Facebook password than to leak your customer list.”

The personal approach

It’s worth remembering that hacking isn’t only a technical problem, and a company’s workforce can also become an unwitting conduit for an attack, something hackers refer to as ‘social engineering’.

“If someone is targeting your company specifically, there are many ways they could get customer details,” Scott says. “[They could] mail someone in your company a malware-loaded USB key, call up and pretend to be your technical support and try to sneak onto your wireless network.

“There are two million or so registered businesses in the UK, and the fact is that most of them really aren’t that interesting to hackers. But someone’s going to be unlucky of course, and ‘they probably aren’t interested in me’ isn’t an excuse. Making sure you have good security for your customers’ data is a legal requirement under the Data Protection Act.”

In the end, data security is a matter for every single employee – not just the IT department – and managers need to understand just how broad their company’s vulnerabilities are.

Otherwise, they could be getting that unwanted late-night call. SR

PayPal comes under attack

On June 5, anyone who followed online payment company PayPal on Twitter had a shock: "PayPal can freeze your funds for no reason, do not use PayPal!!" came the tweet. This was the followed by: "All your PayPal accounts are now frozen while we clean up this mess." There were also multiple links to PayPalSucks.com, a website that campaigns against the company.

It is widely suspected a disgruntled customer was behind the attack; Twitter accounts are protected by a simple password that can sometimes be guessed, or stolen.

What damage the attack actually did to PayPal is impossible to quantify. Although the company quickly suspended the account, confirmed it had been hacked and sought to reassure its customers that their data was safe, the web was already aflame and their brand - so critical in financial services - has undoubtedly been compromised.