A police department in the UK found its Web site hacked, presumably in protest of the bombings in Pakistan. Using a SQL injection, the vandal left the message, “Ur security sucks UK police this is my revenge against u,” and forced the Web site to shut down.
Throughout the world, government entities on every level are increasingly finding themselves the subject of cyber attacks.
“Most government agencies are particularly weak when it comes to fraud detection relative to the private sector,” Avivah Litan, analyst with Gartner, told me. “So we have found that fraud against government is relatively easier to perpetrate than it is against the financial services industry. For example, estimates of Medicare fraud range in the hundreds of billions of dollars annually.”
With limited budgets, the money isn’t always available to develop a highly secure site or to hire top-notch IT personnel, adds Phil Neray, vice president of security strategy for Guardium. And that can result in security flaws like SQL injections.
“According to a recent data breach report from the Verizon Business RISK Team, a staggering 90 percent of records compromised during 2009 involved groups identified by law enforcement as engaged in organized crime,” says Neray. “Russian hackers broke into a Rhode Island government Web site a few years ago and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.”
To better protect themselves, Neray suggests implementing continuous, real-time monitoring to immediately identify unauthorized or suspicious access to sensitive data and enforce corporate policies; regularly conducting automated vulnerability assessments to identify unpatched databases, misconfigured database privileges and vulnerable procedures; and implementing automated data discovery to find where your sensitive data is located.
Finally, he adds, don’t assume that just because you’ve implemented perimeter firewalls and antivirus systems, and passed your audit, you’re secure. “PCI-DSS and other regulations are important, but PCI is just a starting point for a comprehensive security framework,” he says. “Security audits only represent a snapshot of your security posture at a given point in time, and your posture can change from one day to the next with a single accidental configuration change.”