With the help of security experts, we recreate a typical hack attack on two large organisations and walk through the steps that the head of IT should follow in such a case.
Monday, 9am
Blackjack, a hacker working from an internet cafe in London, is about to launch an attack on a major government agency. His aim is to cause maximum disruption and embarrassment. And, according to security experts, his job is going to be worryingly easy.
"Most organisations have dozens of vulnerabilities they haven't patched, or aren't even aware of," said Toralv Dirro, a security strategist with McAfee. "Even if a penetration-testing service says you're not vulnerable, that only means they haven't found a vulnerability, not that one doesn't exist."
Blackjack has spent weeks researching his target, identifying names of employees, partners and current projects. He has identified a potential way into the network through People Inc, a staffing agency that provides temporary workers to the public sector and which has direct links to the government agency's website and HR database.
Using tools that are available online, Blackjack is able to identify People Inc's web server and database server and then uses a simple SQL injection or cross-scripting technique to gain access to the web server.
Even if a penetration-testing service says you're not vulnerable, that only means they haven't found a vulnerability, not that one doesn't exist
Toralv Dirro, McAfee
This is a relatively common and simple hacking technique, explained Rhodri Davies, a technical architect with security specialist Vistorm. "Basically, the attacker uses the existing interface but, rather than entering information, they write a command for the back-end database," he said. "For example, rather than entering a username, you command the database to send back a list of usernames and passwords."
Monday, 12pm
By lunchtime, the hacker has gained access to People Inc's web server, and he is able to access usernames and passwords which will gain him full network access. At this stage, there's a good chance People Inc won't even notice that its systems have been compromised, added Lee Lawson, a penetration tester with managed security company, dns. "Most corporates spend money on firewalls and intrusion-detection systems but they don't do anything to prevent web attacks," he said. "Very few have application layer gateways, so attacks on websites are very easy to miss."
With full network access, Blackjack is able to easily identify the connection to the government agency and quickly access the server that runs its payment website. Within minutes, he has identified an open port and used it to access the payment server, where he runs a malicious script to trick the server into revealing the usernames, passwords and payment histories of thousands of users.
Monday, 3pm
The government agency has more sophisticated firewalls and intrusion-detection systems than People Inc, and the IT security team are alerted by a series of odd characters and sequences that something is happening on the web server. However, it's not immediately apparent that...
