Downloadable exploits accelerate security concerns

For hackers or 'script kiddies' to attack and severely damage a Web site or corporate server it's almost a point-and-click exercise using widely available 'downloadable exploits'. And according to local security industry experts, most Australian organisations are more vulnerable than ever and are struggling with the know-how to deal with security issues. Stephen Brennan, senior security analysts, global information security services at CSC, said a 'downloadable exploit' is a tool or 'exploit' made publicly available after it has served its purpose in the "black-hat community".

"Once the exploit has made its way through the hacker channels and black-hat community, after they've got no more use for it, the hackers usually publish their exploit to get credit [from their peers]. By this time it's so user-friendly, with instructions on how to use it, it's almost a point-and-click exercise [to then hack into an organisation's Web site or corporate server]," Brennan said.

These sorts of attacks are the most worrying, he said, as it is now so easy to download, understand and use a downloadable exploit.

Of particular concern, he said are people who don't understand "the full extent of what they are doing when they download an exploit, and cause far more damage then they ever intended. "But of course there are those out there who get a thrill out of hacking and getting access into places where they are unauthorised."

Downloadable exploits are one of the biggest issues facing organisations today, according to Martin Creighan, product marketing manager, SecureNet.

"The tools, code and instructions on how to hack and take advantage of exploits is readily available on the Internet. As much as the Internet allows organisations to do business online, at the same time it is dramatically increasing the risk, unless organisations take security issues more seriously," Creighan said.

He said it is amazing how few organisations have security policies in place, including electronic and network security.

"The most dangerous exploits are the ones that allow administrative access to a system, giving the hacker full control to destroy or deface the Web site. Once you've got into that server there's a 99 per cent chance you've [reached] the DMZ (demilitarised zone which provides high level of security due to facing the public network) of their network and can use that as a launching pad to get further access," Brennan said.

He pointed out another chilling factor; that downloadable exploits can be undertaken from anywhere, such as sitting at a coffee shop and attacking an organisation.

Anton Handley, director, systems risk management at PricewaterhouseCoopers, said it is critical that all Australian organisations keep on top of their security environment. "With exploits coming out regularly, it is imperative that organisations understand the risk they face if they don't protect their systems. At the minimum, companies should be monitoring their vendor sites, patches to operating systems, routers and firewalls," Handley said.

Brennan said the people writing the exploits are feeding years and years of hardcore technical knowledge into packages and putting it into the hands of some unskilled users who are unaware of the full potential.

"A lot of the time it's just experimental, like kids playing with matches. And they don't expect it to have the impact it does. If you can use e-mail and a Web browser, that's your qualification to be able to use these downloadable exploits. Everyday users, armed with exploits have the ability to create as much havoc as that of a person with 40 years experience in computer science," Brennan said.

Brennan said IT managers and CIOs need to be vigilant, and keep on top of patches, which "may seem like an administrative nightmare, but it is something that has to be done to help ensure protection". He said organisations need to take a multi-tiered approach to security, including firewalls, network intrusion detection, hosted-based intrusion detection and more.

Graham Pearson, Websense Australia's regional sales manager, said it doesn't take an Einstein to obtain an exploit and hack into an average unsecured Web site.

"There are thousands of hacking Web sites worldwide which give instructions. It doesn't matter whether you're a six-year-old child or an IT professional, they teach you to hack," Pearson said.

Daniel McHugh, research analyst, IT trends, Asia Pacific at Gartner, said security is seen as a growing initiative this year and into 2003.

"Security is top of mind when it comes to CIO's priorities. And where there's spare money, that's where it will be spent. The events of last year have brought a change in attitude and organisations are taking their security more seriously. If not, then they should be," McHugh said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lauren Thomsen-Moore

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?