Just before the EU summit it became known that the EU Commission was under attack. This suggests a DDoS attack, but from this article in the Register it becomes clear that this is not a one-off. So what seems to have been going on? Are there ways to avoid computers being infected because of actions of your own employees?
The EU attack
It looks like this has been an attack that was staged long ago, or staged over months, in the form of e-mails directed to individual Commission employees in the hope that they open the attachment in the e-mail. This is the easiest way to infect computers: human negligence or curiosity to click on whatever is presented to them online.
This news implies that Commission computers may have been infected for months on end. Who knows what confidential policy and other information was passed on to …? What was found out about what or whom? Have individual Commission employees become subject to blackmail because of what was found on their computer? Yes, a very strange question. But what if? The hack would last long beyond the hack itself, wouldn’t it? We just don’t know. As always, Chinese government hackers are mentioned.
What if this was your organisation or company?
Imagine that your company was hacked. You just did. Too bad, you probably have to accept that you are or have been. From what I read it is almost common practice. If you are not hacked, you don’t have something which is worthwhile to someone, somewhere. If you are hacked, your systems are open to the world. This implies that someone, somewhere knows your secrets: the secret behind your product(s), confidential policy, reported conversations, etc., and maybe even your tender for that contract you really need. In short, the sort of knowledge you do not want your competitor or other governments to know.
Prevention measures at human level
There are innumerable software protection measures, and they can do a lot, but not everything: they cannot prevent human failure. So how can an organisation secure itself against this sort of hack? Just looking at employees, I’d suggest considering measures like these:
If you are interested, contact me for 10 quick tips on how to proceed or a presentation to create awareness. firstname.lastname@example.org
Hacked computers are no exception
Of late this sort of news is regularly found in the papers. Beware, this is only because for whatever reason it has recently become fashionable to report this sort of attack. They have been going on for years, as Richard Clarke shows in his book “Cyber War”.
This week US-CERT reported on cyber incidents in the U.S. (all sorts, I admit) for the fiscal year 2010. 107.000 plus is a lot, but beware, this is only what the U.S. government CERT was able to compile. Most companies do not report incidents, e.g. because they fear bad publicity. So the real figures may actually be much higher, spectacularly higher.
It looks like it happens all over the place, doesn’t it? Maybe it is time you start devising a policy on it.
Wout de Natris, De Natris Consult
Leiderdorp, 25 March 2011