For hackers or 'script kiddies' to attack and severely damage a Web site or corporate server it's almost a point-and-click exercise using widely available 'downloadable exploits'. And according to local security industry experts, most Australian organisations are more vulnerable than ever and are struggling with the know-how to deal with security issues. Stephen Brennan, senior security analysts, global information security services at CSC, said a 'downloadable exploit' is a tool or 'exploit' made publicly available after it has served its purpose in the "black-hat community".
"Once the exploit has made its way through the hacker channels and black-hat community, after they've got no more use for it, the hackers usually publish their exploit to get credit [from their peers]. By this time it's so user-friendly, with instructions on how to use it, it's almost a point-and-click exercise [to then hack into an organisation's Web site or corporate server]," Brennan said.
These sorts of attacks are the most worrying, he said, as it is now so easy to download, understand and use a downloadable exploit.
Of particular concern, he said are people who don't understand "the full extent of what they are doing when they download an exploit, and cause far more damage then they ever intended. "But of course there are those out there who get a thrill out of hacking and getting access into places where they are unauthorised."
Downloadable exploits are one of the biggest issues facing organisations today, according to Martin Creighan, product marketing manager, SecureNet.
"The tools, code and instructions on how to hack and take advantage of exploits is readily available on the Internet. As much as the Internet allows organisations to do business online, at the same time it is dramatically increasing the risk, unless organisations take security issues more seriously," Creighan said.
He said it is amazing how few organisations have security policies in place, including electronic and network security.
"The most dangerous exploits are the ones that allow administrative access to a system, giving the hacker full control to destroy or deface the Web site. Once you've got into that server there's a 99 per cent chance you've [reached] the DMZ (demilitarised zone which provides high level of security due to facing the public network) of their network and can use that as a launching pad to get further access," Brennan said.
He pointed out another chilling factor; that downloadable exploits can be undertaken from anywhere, such as sitting at a coffee shop and attacking an organisation.
Anton Handley, director, systems risk management at PricewaterhouseCoopers, said it is critical that all Australian organisations keep on top of their security environment. "With exploits coming out regularly, it is imperative that organisations understand the risk they face if they don't protect their systems. At the minimum, companies should be monitoring their vendor sites, patches to operating systems, routers and firewalls," Handley said.
Brennan said the people writing the exploits are feeding years and years of hardcore technical knowledge into packages and putting it into the hands of some unskilled users who are unaware of the full potential.
"A lot of the time it's just experimental, like kids playing with matches. And they don't expect it to have the impact it does. If you can use e-mail and a Web browser, that's your qualification to be able to use these downloadable exploits. Everyday users, armed with exploits have the ability to create as much havoc as that of a person with 40 years experience in computer science," Brennan said.
Brennan said IT managers and CIOs need to be vigilant, and keep on top of patches, which "may seem like an administrative nightmare, but it is something that has to be done to help ensure protection". He said organisations need to take a multi-tiered approach to security, including firewalls, network intrusion detection, hosted-based intrusion detection and more.
Graham Pearson, Websense Australia's regional sales manager, said it doesn't take an Einstein to obtain an exploit and hack into an average unsecured Web site.
"There are thousands of hacking Web sites worldwide which give instructions. It doesn't matter whether you're a six-year-old child or an IT professional, they teach you to hack," Pearson said.
Daniel McHugh, research analyst, IT trends, Asia Pacific at Gartner, said security is seen as a growing initiative this year and into 2003.
"Security is top of mind when it comes to CIO's priorities. And where there's spare money, that's where it will be spent. The events of last year have brought a change in attitude and organisations are taking their security more seriously. If not, then they should be," McHugh said.