Last week’s attack on the Hong Kong stock exchange’s news website was a wake-up call for the city’s financial community, with internet security vendors reporting a spike in interest from firms asking how they can better protect their systems from hackers.
As with most things, the simplest answer is to spend more money. Linda Hui, a managing director at F5 Networks in Hong Kong, estimates that companies in the city typically spend around 3% of their IT budget on security. “That’s too little,” she said in an interview with FinanceAsia this week. “A reasonable amount would be about 10%.”
The threat from hackers is on the rise, according to a report by Infonetics Research for the first quarter of 2011, with the awareness of threats at an all-time high in what the firm called a “hostile environment”.
“The volume, variety, and complexity of threats continues to grow, and the industry that now supports commercial development of threats is the most obvious culprit; from commercial toolkits to botnet rentals, the business infrastructure that supports attack creation and distribution is growing to support hacker demand,” said Jeff Wilson, principal analyst for security at Infonetics. “This increase in visibility translates into increased budget visibility for security solutions.”
Still, it is easy to ignore the risks. After all, under-spending doesn’t cause any problems — until it is too late. “Security is a journey,” said Hui. “You can never achieve 100%, so it’s hard to prove the value. You can’t measure it. Managers normally make decisions that help them to make more money or that save them money. Security doesn’t fall into either category.”
But the problems at the stock exchange have caused alarm, particularly among financial firms in the city. Hui said that she has since been contacted by banks, securities companies and insurers all asking for advice and reassurance that their systems are protected from a similar attack.
That is hard to guarantee because the kind of attack used against the stock exchange is crude but surprisingly effective — and often used against websites for no other reason than to cause disruption. These so-called denial-of-service attacks typically target a website’s server by overloading it with thousands of simultaneous requests, which can make it impossible for regular visitors to access the site. And, as the stock exchange incident showed, even the simple act of crashing a website can cause big problems.
Security systems, however, have traditionally focused on keeping intruders out of their networks with rule-based firewalls and intrusion prevention systems.
“A firewall will just allow people to come in through the front door, but not though the window or other doors,” said Hui. Sitting in front of the firewall, an intrusion prevention system is like a nightclub bouncer with a list of names, though in this case you can only get in if your name is not on the list.
Such systems offer little defence against sophisticated denial-of-service attacks, which do not happen at the network level. Hackers probe the site in search of information about the type of software and hardware used to serve the web pages, and then exploit known vulnerabilities to take the site down before the traffic even gets to a firewall.
Even so, these attacks have typically focused on obvious targets such as bank websites and credit card payment gateways rather than websites that simply provide information. “The attack on the stock exchange really shows that all websites are exposed to being hacked,” said Hui. “A 16-year-old can ruin your day now.”
To combat such attacks, vendors such as F5 place a switch between websites and the internet that manages traffic and offers security against most denial-of-service attacks at both the network and application level. But the battle against hackers is a constant one. Firms need to audit their security regularly and commit to investing in fixes for known vulnerabilities, said Hui.
On the upside, the high-profile nature of the attack on the stock exchange in Hong Kong has heightened awareness of the problem. Hui noted that the requests for advice she has received since the attack have come from senior managers, reflecting that the problem is being taken more seriously.
