Your website is just like any other business, whether it be a bank or a restaurant or a hardware store, a large majority of visitors are honest and enter with an intent to browse your information or perform a transaction. All legitimate customers follow a similar pattern. They browse your public HTML pages and perhaps interact with public fields and forms displayed on your site. Just like in a brick and mortar store, a normal cyber customer will observe basic rules of etiquette and stay within the boundaries of your web presence.
A hacker, on the other hand, is not likely to behave in any way close to a normal customer. If they did, they would not be very successful. A hacker will pound your website with force looking for a weaknesses. They will probe every nook and cranny of your web server until they find something to exploit. Their entry point could be one of those old orphaned web pages that you do not advertise, or they might create their own hole by inserting an SQL command within a URL. These kind of probes are way out of the ordinary and glaringly out-of-place.
Hacker intrusion is analogous to someone entering a brick and mortar store and proceeding to tip over shelves while scrounging on the floor for spilled documents. Imagine a customer asking rude questions to the sales clerk, and rattling doors off their hinges. At the very least, this behavior in the physical world would prompt a call to the police and a disorderly conduct charge.
So why is hacking so prevalent? Why isn’t the hacker immediately spotted and removed?
In many cases, hackers are detected and blocked, but all it takes is one. Just like my bank that is constantly turning off my credit cards every time I travel, a good business practice would be to err on the side of caution. Even accidentally locking out 1 in 1000 customers from your website is a much better proposition than letting one hacker in. The economic damage from a hacker is typically far worse than a short-term potential 0.1 percent drop in web visits.
In our opinion, there are several reasons why this solvable problem is so prevalent:
1) Broadbase security tools that try to do everything.
Businesses are sold an expensive set of tools that do many things unrelated to intrusion prevention. A tool that removes viruses from e-mails, prevents DOS attacks, or runs the generic firewall, is useful but the investment in a heuristics-based intrusion detection system is often on the light side of the all-in-one. Money spent on the broad-based tool is usually out of proportion with the potential economic damage of a real attack.
For example, you might lose a day of business if a virus gets loose in your enterprise and brings down a few workstations; however, the potential loss of stolen property and the damage to brand reputation that can be wreaked by a hacker is a magnitude above a nuisance virus infecting your laptops.
2) Businesses may not have the resources for an expensive tool, so they use what is at hand as best they can. We can certainly understand cash flow issues and where to spend resources. Look for some breakthroughs in cost with commercial hacker prevention tools in the near-term. A focused tool can be put in place at a reasonable cost, and does not require an IT staff to maintain.
3) Businesses cultures can get hung up on analysis of data, and don’t realize they must trust their security to a computer that makes decisions now. A hacker must be detected and blocked immediately. Many businesses may hesitate to use an automated tool, as it certainly may make a mistake and block a friendly user. However as we have mentioned above, blocking an occasional friendly user can be mitigated. Explaining the loss of 10,000 credit card numbers is hard to recover from.
So how does a good intrusion tool stop a hacker without an army of IT people?
It simply needs to quickly quantify abnormal behavior and block the IP immediately, with no questions asked or any hesitation. There really is no need to wait. The signs of intrusion are so different from a normal customer that you can with 99.99 percent accuracy toss them out before damage is done. In the coming few months we will be introducing a new turn-key product that will work like this.
Won’t the hacker try to subvert a heuristic tool once they suspect it is guarding your site?
Even if the hacker is trying to break through a heuristic based tool, the problem for the hacker is in order to get access to something they are not supposed to have, they will have to do something odd at some point, acting normal won’t cut it, and acting abnormal will get flagged. The tool will alert administrators to suspicious behavior and block the IP address of the malicious user. Now, with their increased alertness, administrators can lock down interfaces, manually review logs, and focus their diligence on the attack at hand.
Editor’s note: update 01/23/2012
A wall street journal article came out today exposing how easy it is to hire a hacker. If you think about it, the media likes to portray a hacker as some kind of amazing brilliant savant with super human powers. The truth is, tools to hack are readily available, and anybody with a background in computers and suspect moral character can do it. It also supports our premise that stopping a hacker is just a matter of plugging the common holes and entry points.
Editor’s note: update on 02/01/2012
Today APconnections, maker of the NetEqualizer, released a new intrusion prevention system (IPS) product, the NetGladiator, which is designed to detect & prevent network intrusions. You can learn more about NetGladiator at www.netgladiator.net or by calling us at 303.997.1300 x123.