From now on, every company with an online presence can be the target of attacks
This article was written by Fabrice Perrin, a Practice Manager at blue-infinity, and was published in the April/May edition of Market magazine. The original French version can be viewed here.
Recently, the world saw a rise in the power of social networks in Middle Eastern countries, where the sites played a role in the coordination of demonstrators and the dissemination of information on the activities of the authorities. But this progression was also felt in Western countries, with a key example being the group Anonymous.
Anonymous is an online collective that is associated with acts of hacktivism, organizes protests and takes action against web sites or organizations which it deems to be against its values and beliefs. Members communicate as one shared entity, Anonymous, in order to hide individual identities, and on the rare occasions where members assemble in public, they conceal themselves with disguises such as Guy Fawkes masks, made popular in the book and film V for Vendetta. Anyone can be affiliated with this group and take part in coordinated attacks without having any specific technical expertise, simply by using software such as LOIC or Botnet. These programs allow someone to participate in DDoS (distributed denial of service) attacks, when a Web site is saturated by an overload of sometimes up to a million requests simultaneously. The participants can be experienced hackers or just ordinary people who believe they are acting for a just cause, without necessarily understanding the extent of their actions. At the beginning of December 2010, Anonymous denounced Visa, MasterCard, Paypal and PostFinance on its blog, finding them guilty of refusing to handle donations for Wikileaks. The websites of these organisations were targeted by Anonymous, and were rendered offline for several hours, tarnishing the reputation of these companies and exposing their vulnerability to attacks. Here are several strategies that will help you to manage risk and decrease your vulnerability from attacks such as those perpetrated by Anonymous..
Strategy #1: Maintain your technical infrastructure When these sites were attacked by Anonymous, the companies found themselves unable to respond to the millions of simultaneous requests generated by the DDoS attack programs. Any company whose online visibility is critical should have a contingency plan against these types of attacks, including the possibility of the portal to go into secure mode with a text displayed to inform users about the unavailability, and the availability of a team of specialists who are able to react and reconfigure servers and firewalls. Also, look out for defacement, as nothing is worse for your reputation than having your homepage hijacked and most often vandalised. Correctly configured spyware protection software should allow you to detect all suspicious activity, switch over to contingency mode when needed and alert the technical teams.
Strategy #2: Pay attention to social networks Monitor what is being said about you. Monitoring and engagement companies will be able to identify the networks that are relevant to your industry, and put you in contact with influential participants of these social networks, helping you to maintain good relationships. Monitoring social networks will also allow you to understand better what your clients and the wider general public think of you, and to act in the event that this perception is negative. It is vital that you can react quickly should you notice a developing crisis. Through monitoring, you can quickly identify rumors being spread about your company, or conversations that may be fostering negative sentiment on platforms such as Facebook or Twitter. Imagine a campaign of mass disparagement: how would you get your point across on these networks? You need to ask yourself this question before a crisis happens, consider your options and put appropriate teams in place.
Strategy #3: Monitor domain names Keep an eye on domain names that could be associated with your company, your brand or your services. Large-scale defamatory attacks should be expected here. And, worse still, the use of your name in the context of phishing (online fraud) is very much conceivable. Could someone using the domain www.name-of-your-company-switzerland.com and adopting your logo and your colors defraud your clients?
Strategy #4: Train your teams Your employees or colleagues most likely use social networks on a regular basis, whether they are professional sites (LinkedIn, Viadeo, etc.) or not. They may be exposed to both positive and negative comments about your company, and even be judged by other social network users for their involvement with your organization. It is imperative that your employees are trained to know how to respond professionally in different online situations. Provide your employees with rules of engagement on social networks; a simple foundation for which can be formulated using the three Rs: be clear with your audience about what you represent, be responsible about what you say, and show respect for other Internet users.
Strategy #5: Beware of the Streisand Effect
In 2003, Barbara Streisand demanded that Pictopia.com exclude a photo of her house from a collection of 12,000 online photographs of coastline scenery. The result was that her demands drew attention to the issue, and ultimately the photograph in question. As of the following month, more than 400,000 people visited the site to find out why she had wanted to censor it. Are you being attacked on a forum or in an online/offline discussion? Wait a moment before reacting, as the fire may die down. Trying to smother it immediately can, on the contrary, fuel it! Keep the incident under surveillance, determine which criteria (number of posts you were cited in, propagation to other sites, etc.) should prompt you to take further action, and in the meantime, carefully prepare a response and explanations, just in case! This article has been adapted from the article written by Fabrice Perrin, Practice Manager at blue-infinity for Market magazine. The original French version, which was published recently, can be viewed here.