The TCS Website hack: Don't let your company join the list

By Dhwani Pandya, Principal Correspondent
09 Feb 2010 | SearchSecurity.in


In what has become a cause of major embarrassment to the Indian IT community, leading Indian IT company Tata Consultancy Services' (TCS) Website was hacked on February 7, 2010. The breach is believed to be a domain name system (DNS) hijack, similar to the breach that social media Website Twitter faced in 2009. 
Quick takeaways

A Website is the public face of your company. Unfortunately, Indian organizations give it the least importance when it comes to security. Typically, only corporate Websites that host sensitive applications (like e-commerce or online auctions) are secured in the best possible manner.

  • Conduct regular vulnerability assessment and patch management of your service providers' servers. Strong SLAs can achieve this.
  • When evaluating a service provider, conduct a detailed risk assessment of the service provider. Follow this up with a third party assessment if feasible.
  • All security audits should include your Web hosting providers as well.
  • Review meetings with the vendors should include the results of security audits as well.
  • Have a strong incident response management plan (backed up by effective damage control mechanisms to counter losses) in place to deal with Website security breaches.

The hacker(s) altered TCS' name server entries, and also put up the domain for sale. After the hack, Website visitors could read a clear message of "The domain name is for sale, please contact us for further information" in English and French. Ironically, the breach happened just a day before the Nasscom India leadership forum 2010, a major Indian IT industry conference.

According to TCS' official statement, its website www.tcs.com was disrupted, and restored subsequently. "Initial investigation reveals a DNS redirection at the domain name registrar's end," claims the TCS official spokesperson. The domain name registrar in this case is Network Solutions LLC.
 
The jury is divided on whether organizations can avoid such DNS-based attacks. According to K K Mookhey, the principal consultant of NII consulting, such attacks have become a popular ploy of hackers who don't actually hack into the TCS.com website, but instead break into the DNS server. "So people who ended up using the hacked DNS server, landed on a compromised page. On the other hand, those who accessed the unaffected DNS server got the actual TCS website," says Mookhey. According to Mookhey, there is not much that TCS could have done to avoid such a breach, as the DNS servers are not in its control. Giving an example, he explains, "Let's suppose that TCS was using any of the Indian service providers as its Internet service provider. In this case, TCS is using the service provider's DNS servers to access the Internet. So if the DNS servers get hacked, TCS can't do much."
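
An added example, not part of the original article: a minimal monitoring check that separates the two explanations discussed above, a changed delegation (the registrar-level redirection TCS describes) versus individual resolvers returning a different answer (Mookhey's scenario). The baseline, resolver names and addresses are constructed assumptions, not data from the incident.

```python
# Added example: compare what several resolvers return for a monitored domain
# against a known-good baseline. All names, addresses and observations are
# constructed (documentation-reserved ranges), not data from the incident.

BASELINE = {
    "ns": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "a": {"192.0.2.10"},
}

# One record per vantage point, e.g. gathered by a scheduled lookup job.
OBSERVATIONS = [
    {"resolver": "office-isp", "ns": ["ns1.dns-host.example.", "NS2.dns-host.example."],
     "a": ["192.0.2.10"]},
    {"resolver": "public-resolver-b", "ns": ["ns1.parking.example.", "ns2.parking.example."],
     "a": ["203.0.113.66"]},
    {"resolver": "branch-isp", "ns": ["ns1.dns-host.example."], "a": ["192.0.2.10"]},
]


def _norm(names):
    """Lower-case host names and drop the trailing root dot."""
    return {n.rstrip(".").lower() for n in names}


def summarize(baseline, observations):
    """Return a verdict plus the resolvers whose view departs from the baseline."""
    ns_changed, a_changed = [], []
    for obs in observations:
        if _norm(obs["ns"]) - _norm(baseline["ns"]):
            ns_changed.append(obs["resolver"])      # unexpected name servers
        elif set(obs["a"]) - baseline["a"]:
            a_changed.append(obs["resolver"])       # right delegation, wrong address
    if ns_changed:
        # Delegation differs: check registrar account and parent-zone NS records.
        # Resolvers still showing the baseline may only be serving cached data.
        verdict = "delegation-change"
    elif a_changed:
        # Delegation intact: suspect the listed resolvers or the zone contents.
        verdict = "resolver-specific"
    else:
        verdict = "ok"
    return {"verdict": verdict, "affected": sorted(ns_changed + a_changed)}


if __name__ == "__main__":
    print(summarize(BASELINE, OBSERVATIONS))
```

A "delegation-change" verdict seen from only some vantage points is expected while old NS records are still cached, so it should be escalated to the registrar without waiting for every resolver to agree.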

Sameer Ratolikar, the CISO of Bank of India, classifies the TCS Website hack as a typical Web 1.0 pharming attack, which led to the DNS servers' compromise. He believes that such issues arise due to non-timely patching of vulnerabilities in the DNS server. Ratolikar recommends that in cases where a company hosts its name server(s) on a third party data center, regular vulnerability assessment and patch management of these servers are essential. These can be achieved through strict SLAs with the partner.
 
The source, location and intention behind the compromised TCS website are yet to be identified, but the incident has already raised questions about the company's information risk assessment capability. Although the fault may be external, it does not save TCS from the reputation loss, believes Dinesh O'bareja, an independent information security consultant. "My take is that if the world looks up to you for excellence, then it's very important to keep your house in order. Tata has a large data center and hosting facility. Tata Communications is also an ISP, so why does TCS need to involve outside vendors?" questions O'bareja.

Both Mookhey and Ratolikar have observed a rise in DNS attacks in the recent past. Ratolikar points out that attack vectors have shifted from email-based phishing to pharming. Mookhey sees a possible pattern in such attacks, where hackers are now probably working on the DNS records of bank websites for future breaches that will involve more than just loss of reputation.

All Rights Reserved, Copyright 2009 - 2010, TechTarget