The Tickle: the business of Business
@dexterdyne #PeepAnon


This Week Last Month: Lloyds of London Issues Cyber Guidance

Except for a very lucky few, the business of most modern businesses is IT.

And looking at it from an operational standpoint - billing, tax filings, customer records, e-marketing initiatives, credit and debit card solutions, accounting, VOIP and e-mail - the statement stands up.

But, as you will know if you've managed to stay in business for any length of time, this is not a complete picture as the other business of every Business is Insurance.

And the intersection of IT and Insurance is about to get a lot more complex in the next couple of years given recent guidance from Lloyds.

At the end of last month's column in the Nova Scotia Business Journal we left you with a little assignment to quietly ask round your organization regarding who exactly is responsible for monitoring and fixing hacks on your web site when they happen.

Like pretty much every other organization in the world at the moment, the answers you got back in light of the top 10 hacked Maritime web sites column above likely ranged from collective shrugs to rather involved discussions about backup and restore strategies.

Mostly, it appears your hosting service is on the bubble if the web site is hacked which, unless you have a specific contract notation for managed services regarding upgrades after a site hack, probably leads back to that backup discussion.

Which is commonly where what was a simple web site deface should suddenly become a much more serious discussion about the whole network of things that make up your organization's IT loadout.

The problem being that the people who are going to attempt to hack you and the Liability groups who insure you when they succeed are coming to better understand the conversations you've just had.

Google is your friend on this one - but the important bit you need to know today is that almost all successful hacks happen to small businesses with under 200 employees and on average - you are going to be on the bubble for somewhere between $5,000 and $100,000 to remediate the problem after the fact depending on the depth of collateral damage caused when it happens to you.

And alarmingly, those seemingly breathtaking figures for something that you have been assured is repaired by reinstalling from backup do not as yet include the coming tide of Liability claims most serious Insurance companies are starting to worry about.

The core issues in play for a very long time in the murky world of hackers remain threefold: the difficulty of a given hack, the length of time a hack might remain in place if achieved, and the profitability or public impact of a given organizational hack, balanced against the potential legal risks in play for the breach.

Over time, on the business side, the risk of being hacked has escalated as the complexity of your IT infrastructure has evolved: automated, interconnected solutions that were once the exclusive purview of Fortune 500 organizations have trickled down to your shop - sans the Information Security staff to monitor them.

And therein lies the problem - while your organization now has the data tools and enterprise solutions to compete with anyone of any size on the planet - so do the hackers. Which was why we asked you to ask around.

You will have no doubt heard the expression 'bot' in relation to hacking. In most cases, you may assume a 'bot' (short for Robot) is what first finds then compromises your web site.

But much more importantly - the bot knows it succeeded and is now monitoring its hack on your web site. Indeed, it may even be that a completely different and unrelated 'bot' has simply found a well-known hacker's 'tag' on your site and is also monitoring it.

This is because what you do next provides insights regarding the first and second questions - the difficulty of a given hack/how long a given hack might remain in place - by using an almost completely automated evaluation process that scores your web site remediation.

Why? Because running out of date, unpatched Joomla or WordPress websites, or not updating your install before restoring from backup, says a great deal about how things are going to look behind your organizational firewall.

Moreover, if you don't find a website hack for a long time (say a week or so) - it provides a very good indication that if a hack can be achieved deeper inside your organization, it is likely to remain in place for a very long time - more so if it isn't as obvious as a public image upload to your web site.

Then, the moment a restoration from backup happens - guess what?

Being as the original hole that allowed the compromise is still in place, the bot(s) will now attempt to upload a much more discreet file called a 'webshell' in place of the original hack - if it hasn't already installed one somewhere outside the web site root in the first pass.

In addition to being much more discreet - potentially invisible in fact - a webshell is actually a much more powerful and meaningful compromise that allows the bot or the hacker to run very deep commands inside your server.

Commands like reading the server administration upload logs or re-coding the web interface so links and functions in place on your web site are no longer doing exactly what you thought they were supposed to do.

For example a webshell might start emailing plain text versions of every password and ID that logs into the server back to the hacker. Or it might just monitor the server for the network location and the tool sets people are using to update the site.

And these insights then provide reliable, actionable data into question three - what is the potential profitability or impact of a given hack and how likely are the hackers to get pinched if they proceed?

If they have been careful, the site still looks like it operates as it should and nobody notices the webshell and eventually it gets backed up - usually inside the company somewhere on the network. Because having been hacked and having decided it was time to update it - you need a current copy to test the updates or perhaps remake the site if the updates don't work.

Bingo - the webshell pings home that it's moved, and here is the firewall address behind which it is stored.
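The scenario above turns on one check nobody ran: comparing the restored site against what was actually deployed. The following is an added example, not code from the column or from any named vendor; it snapshots a known-good tree into a hash manifest, then reports files that are new, changed or missing after a restore, plus any executable script sitting in an upload directory. The upload directory names are assumptions and the sample site is constructed in a temporary folder.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed upload locations; adjust to the CMS in use.
UPLOAD_DIRS = ("images/", "uploads/", "wp-content/uploads/")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a POSIX relative path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def audit_tree(root: Path, baseline: dict) -> dict:
    """Diff the current tree against the known-good manifest."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(set(baseline) - set(current))
    # Scripts under an upload path are never expected; that is where a dropped
    # webshell typically lands after a restore that left the original hole open.
    scripts_in_uploads = sorted(p for p in current
                                if p.startswith(UPLOAD_DIRS)
                                and p.endswith((".php", ".phtml")))
    return {"added": added, "changed": changed, "missing": missing,
            "scripts_in_uploads": scripts_in_uploads}


def demo() -> dict:
    """Constructed site: snapshot it, tamper with it, then audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'welcome'; ?>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_manifest(root)  # taken from the known-good deploy
        # Constructed tampering: a defaced page and a stray script in the upload dir.
        (root / "index.php").write_text("<?php echo 'defaced'; ?>")
        (root / "images" / "x.php").write_text("<?php /* placeholder */ ?>")
        return audit_tree(root, baseline)
```

Run the manifest build against the deployed site before any incident and keep it off the web server; after a restore, anything the audit lists is what the restore did not explain.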

And it is at that exact point, even though nobody knows it as yet, that your insurance company becomes very much more interested in your public Liability and Business operations insurance policy.

And really, thinking about it for a moment, what would you do if you ran an Insurance company that had to report back to its own shareholders? What would you do if your crew of hackers needs to keep on bringing home the readies at the minimal level of risk?

So - hoping to see you at the Atlantic Security Conference April 16th and 17th because if the business of Business is to increasingly become Insurable IT - there is most assuredly a lot you need to know about the curious world of hackers before your next renewal here in the Maritimes.

--

Hope to see you back here for a follow up on what you found out.

This month's Tickle: Chasing Lighting - is online right now at The Nova Scotia Business Journal

Jon Blanchard is a Systems Manager and IT Team Leader looking for work in Halifax and contributing Technology news and views to TCMedia, Postmedia News, the Globe and Mail. Occasionally annoying those unaccustomed to being annoyed. Follow on Twitter @Dexterdyne
