The recent cyberattacks on the websites of Brazil's big banks and a couple of government systems did more than embarrass their IT departments. They had consequences that directly affected international companies with operations in Brazil, and they raised the question of outsourcing IT security services.
Brazil's financial institutions are renowned for their software and their IT systems prowess, so you would expect their IT security to be thorough and well resourced. If the ciberativistas (cyberactivists) can knock a bank offline, so to speak, it's reasonable to assume they can do the same, or worse, to your average IT services provider, partner, or business customer, whose defenses are almost certainly thinner. (And surely this is the premise that everyone in charge of IT security proceeds from.)
Besides the strikes on the banks, which were apparently distributed denial-of-service (DDoS) attacks, some hackers brought down two government systems used to process electronic invoices. This news story from Computerworld Brazil has the details, but for those who don't read Portuguese or don't want to jump to the Bing translator, I'll summarize:
Someone attacked the servers of the state agriculture departments in São Paulo and Bahia. These were apparently also DDoS strikes. No data was reportedly lost, which is what you would expect from a DDoS, but users of the electronic invoice systems could not reach them for the duration. Experts say the government systems are set up so that in the event of an attack or outage, processing is redirected to contingency servers, and apparently that part worked fine last week.
What is more cautionary about this tale is the ripple effect that followed the attacks, a bit like the cascading failures in the last Die Hard movie.
As a consequence of the hit on the government servers, some multinational companies with offices in São Paulo could not reach their ERP systems back at home headquarters. In response to the attacks, government security systems had blocked international network links, the very routes foreign businesses use to connect to servers at the home office. A representative of the German company Heller confirmed to Computerworld that the firm's employees in São Paulo could not access their ERP data until the government cleared the firm's IP address through the block. That took about two hours.
Whether or not the attackers intended this consequence isn't clear, but it is a reminder that every CIO and IT security manager needs to think about the unintended consequences of their own countermeasures, not just of the attack.
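The Heller outage above is really a rule-ordering problem: an emergency "block everything that isn't domestic" rule went in first, and a legitimate partner had to be allow-listed afterwards, one address at a time. The following is an added example, not code from the original post or the Computerworld story, and it does not describe how the Brazilian systems actually work. It is a small first-match access-control list evaluator that shows both orderings side by side, plus a shadowing check that would have flagged the broken one before the outage. All address ranges are constructed from the RFC 5737 documentation prefixes; the rule names and the `DOMESTIC` and `PARTNER_HQ` networks are my own stand-ins.

```python
"""First-match ACL: why an emergency geo-block must sit *after* the
partner allow-list, and how to audit for rules that can never match.

Added example for this post. Addresses are constructed from RFC 5737
documentation ranges and do not belong to any real organisation."""
from dataclasses import dataclass
import ipaddress

# Constructed stand-ins (RFC 5737 documentation space).
DOMESTIC = ipaddress.ip_network("198.51.100.0/24")    # the agency's own country
PARTNER_HQ = ipaddress.ip_network("203.0.113.0/28")   # a multinational's HQ link
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    network: ipaddress.IPv4Network


def evaluate(rules, src_ip):
    """First-match evaluation: the first rule whose network contains
    src_ip decides. With no match we fall through to allow, which
    mirrors normal operation before any emergency rule is added."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.network:
            return rule.action, rule.name
    return "allow", "default"


def emergency_rules(partner_first):
    """Two ways of adding an emergency 'deny all international' rule.

    partner_first=True : known partner prefixes are allow-listed ahead of
                         the catch-all deny, so they keep working.
    partner_first=False: the deny goes in first and the partner entry is
                         appended later, where it is never reached.
    """
    allow_domestic = Rule("allow-domestic", "allow", DOMESTIC)
    allow_partner = Rule("allow-partner-hq", "allow", PARTNER_HQ)
    deny_international = Rule("emergency-deny-all", "deny", ANY)
    if partner_first:
        return [allow_domestic, allow_partner, deny_international]
    return [allow_domestic, deny_international, allow_partner]


def shadowed_rules(rules):
    """Names of rules fully covered by an earlier rule's network.

    A shadowed rule can never be the first match, so an allow-list entry
    appended behind a catch-all deny shows up here before anyone notices
    an outage. For a first-match ACL, 'later rule's network is a subnet
    of an earlier rule's network' is exactly the shadowing condition."""
    shadowed = []
    for i, rule in enumerate(rules):
        if any(rule.network.subnet_of(earlier.network) for earlier in rules[:i]):
            shadowed.append(rule.name)
    return shadowed


def blocked_sources(rules, sources):
    """Which of the given source addresses the rule set would cut off."""
    return [ip for ip in sources if evaluate(rules, ip)[0] == "deny"]


if __name__ == "__main__":
    sources = ["198.51.100.7", "203.0.113.5", "192.0.2.9"]  # constructed
    for order in (False, True):
        rules = emergency_rules(partner_first=order)
        print("partner_first =", order)
        print("  blocked  :", blocked_sources(rules, sources))
        print("  shadowed :", shadowed_rules(rules))
```

Run as-is, the `partner_first=False` ordering blocks the partner address and reports `allow-partner-hq` as shadowed, which is the two-hour Heller outage in miniature; the `partner_first=True` ordering blocks only the unknown foreign address. The design point is that the allow-list of partner prefixes has to exist, and be positioned, before the emergency rule is ever needed, and that a shadowing audit belongs in the change process for any contingency rule.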
For any right-thinking company, the episodes in Brazil will be a reminder to re-evaluate security practices. As one expert in the Computerworld story says, government, business, and vendors of IT security products and services should collaborate to build a safer online world.
Every business that relies on the Internet needs to ask itself whether its security is up to snuff. That goes double for anyone in an outsourcing relationship, where constant communication channels are essential to getting the work done and secure channels are obviously needed to safeguard intellectual property. Are your systems, and your contingency systems, able to cope with unintended consequences like a partner's network suddenly blocking your route in? While it's true that nobody expects the Spanish Inquisition, it helps to know that the Spanish Inquisition is lurking out there.
If defending against the unexpected is not something your IT department is capable of, and there's nothing wrong with admitting that, consider whether you need an alternative. Lacking this expertise in-house is one good reason businesses outsource their security. Cost-effectiveness, as security guru Bruce Schneier argues, is another compelling reason.
Of course, you've also got to analyze the risks. Some companies have said "no way" to outsourcing IT security, and with good reason. These questions are a good place to start when deciding whether a managed security service is right for your company.
Every big attack is an opportunity for everyone, victim or not, to regroup and reassess. If you think your operation is ready, then fantastic. This post is by no means pushing for outsourcing security. Heck, your IT guy or security consultant might be a former hacker who can get you as prepared as anyone else. But if you have doubts, start looking for someone who can make sure you don't have to worry about an unexpected visitor bursting through the door.