1 February 2002
Reuters reports that fears are growing once more that companies operating on the Internet may not be equipped to ward off electronic sabotage after anonymous 'hackers' forced a small British firm out of business.
According to Reuters, CloudNine, one of Britain's oldest Internet Service Providers (ISPs), shut down in late January 2002 with the loss of eight jobs in what computer experts believe is the first instance of a company being hacked out of existence.
CloudNine, six years old, was forced to sell its business and hand over 2500 customers to its rival Zetnet.
"The basic reasoning was we would have needed to bring the network offline for far too long (to make repairs). We just came to the conclusion that we could not continue," said co-founder Emeric Miszti. According to Reuters, two other recent victims of DDOS attacks were the British Internet portal of the Italian ISP Tiscali, whose service was halted for several days, and the British Internet provider Donhost, whose outage lasted a few hours.
"It is not just a game of taking down one server," said Stephane Huet, acting chief operating officer for Tiscali UK. "It affects portal revenues if the rest of the world cannot access it. It has a powerful business impact."
The motivation for such attacks is diverse, with many hackers simply in it for illicit thrills, while others seek publicity for a particular cause. For example, it is now common in wars, especially civil ones, for each side to sabotage the other's websites.
It is also common cause that any number of programmes that can shut down computer systems by overwhelming them with data requests are freely available on the Internet. In the case of CloudNine, the DDOS attack prevented users served by the company from logging onto the Internet and shut off access to websites hosted on its network.
"It was a very methodical attack," said Miszti.
"It occurred over a number of months. Their objective was to map out our network, identifying the key servers and determining their capacity. Then they knew how to attack with the appropriate force."
Miszti says he is not sure why his firm was targeted and has no clear idea who was behind it. Reuters reports that both he and Tiscali are working with police, but suggests that DDOS investigations are rarely successful due to the difficulty in tracking the culprits.
"If (a hacker) takes reasonable precautions, it would be very difficult to track them down," said Gary Milo, managing director of security start-up Webscreen Technologies, which has developed software to protect companies against such attacks.
Ignorance may no longer be bliss.
Clearly there is still a tremendous degree of ignorance about the risks businesses face as they open their networks to the world. More ominous, in my mind, is the belief that good corporate governance comprises 'full disclosure' in Annual Reports by listed companies. A fat lot of good that did CloudNine!
At least here in South Africa the heat is about to be ratcheted up a notch or two with the King Commission II Report on Corporate Governance being tabled soon. In it there is an increased emphasis on business continuity issues, risk assessment, business impact analysis, and suchlike. Businesses will be encouraged to have a 'demonstrable system of risk mitigation activities,' a 'documented and tested process business continuity plan outlining worst case scenarios,' and plans in place which 'support business sustainability.' They should be able to provide some specific insight into their business 'operational risks,' 'technology risks' and 'disaster recovery plans.'
In other words, it is no longer business as usual. Whilst we have not seen the last of the 'CloudNine' scenarios, hopefully those businesses which take their business sustainability seriously will get their houses in order. After all, it's their business at stake. Just ask the staff and stakeholders of CloudNine.
PS: Observant readers will notice a change to the cover design and masthead of eSecure! This is a part of our ongoing evolution of the magazine, and reflects our recent acquisition of Network Times, the magazine for IT decision makers. eSecure remains a strategic read, targeted at non-technical executive decision makers who need to keep themselves abreast of strategic e-business, corporate governance and information security issues, whilst Network Times will fulfil its role in speaking to IT decision makers specifically. Together, eSecure and Network Times form a most compelling partnership in educating business decision makers and IT decision makers alike about the issues which affect them both, in a language that both instinctively understand.