Downloadable exploits accelerate security concerns

For hackers or 'script kiddies' to attack and severely damage a Web site or corporate server it's almost a point-and-click exercise using widely available 'downloadable exploits'. And according to local security industry experts, most Australian organisations are more vulnerable than ever and are struggling with the know-how to deal with security issues. Stephen Brennan, senior security analyst, global information security services at CSC, said a 'downloadable exploit' is a tool or 'exploit' made publicly available after it has served its purpose in the "black-hat community".

"Once the exploit has made its way through the hacker channels and black-hat community, after they've got no more use for it, the hackers usually publish their exploit to get credit [from their peers]. By this time it's so user-friendly, with instructions on how to use it, it's almost a point-and-click exercise [to then hack into an organisation's Web site or corporate server]," Brennan said.

These sorts of attacks are the most worrying, he said, as it is now so easy to download, understand and use a downloadable exploit.

Of particular concern, he said, are people who don't understand "the full extent of what they are doing when they download an exploit, and cause far more damage than they ever intended. But of course there are those out there who get a thrill out of hacking and getting access into places where they are unauthorised."

Downloadable exploits are one of the biggest issues facing organisations today, according to Martin Creighan, product marketing manager, SecureNet.

"The tools, code and instructions on how to hack and take advantage of exploits are readily available on the Internet. As much as the Internet allows organisations to do business online, at the same time it is dramatically increasing the risk, unless organisations take security issues more seriously," Creighan said.

He said it is amazing how few organisations have security policies in place, including electronic and network security.

"The most dangerous exploits are the ones that allow administrative access to a system, giving the hacker full control to destroy or deface the Web site. Once you've got into that server there's a 99 per cent chance you've [reached] the DMZ (demilitarised zone, which provides a high level of security due to facing the public network) of their network and can use that as a launching pad to get further access," Brennan said.

He pointed out another chilling factor: downloadable exploits can be used from anywhere, such as from a coffee shop, to attack an organisation.

Anton Handley, director, systems risk management at PricewaterhouseCoopers, said it is critical that all Australian organisations keep on top of their security environment. "With exploits coming out regularly, it is imperative that organisations understand the risk they face if they don't protect their systems. At the minimum, companies should be monitoring their vendor sites, patches to operating systems, routers and firewalls," Handley said.

Brennan said the people writing the exploits are feeding years and years of hardcore technical knowledge into packages and putting it into the hands of some unskilled users who are unaware of the full potential.

"A lot of the time it's just experimental, like kids playing with matches. And they don't expect it to have the impact it does. If you can use e-mail and a Web browser, that's your qualification to be able to use these downloadable exploits. Everyday users, armed with exploits, have the ability to create as much havoc as a person with 40 years' experience in computer science," Brennan said.

Brennan said IT managers and CIOs need to be vigilant, and keep on top of patches, which "may seem like an administrative nightmare, but it is something that has to be done to help ensure protection". He said organisations need to take a multi-tiered approach to security, including firewalls, network intrusion detection, host-based intrusion detection and more.

Graham Pearson, Websense Australia's regional sales manager, said it doesn't take an Einstein to obtain an exploit and hack into an average unsecured Web site.

"There are thousands of hacking Web sites worldwide which give instructions. It doesn't matter whether you're a six-year-old child or an IT professional, they teach you to hack," Pearson said.

Daniel McHugh, research analyst, IT trends, Asia Pacific at Gartner, said security is seen as a growing initiative this year and into 2003.

"Security is top of mind when it comes to CIOs' priorities. And where there's spare money, that's where it will be spent. The events of last year have brought a change in attitude and organisations are taking their security more seriously. If not, then they should be," McHugh said.

Lauren Thomsen-Moore

Computerworld