The Extortion Plot
Now that Hannibal had his much-desired data, it was time for him to cash in. He sent an extortion note to Clarice Commerce, bouncing his e-mail connection again, as shown in Figure 10. The extortion e-mail said:
From: Security Consultants R Us
To: Web Admin
Subject: Hire Us to Help Fix Your Poor Security
It has come to our attention that your Web site and internal network have serious security vulnerabilities! We would like to offer our services to help you fix those problems. Because we know you are very busy, we have worked hard to make this simple for you. We have a qualified, professional staff that can remotely access your systems and apply the patches without any work on your part!
Keep in mind that these vulnerabilities are major and can be used to extract sensitive data about your customers. For example, we know that a moderately skilled attacker could easily grab the following real information from your systems:
John Doe Cred Card # XXXXXXXX
Fred Smith Cred Card # YYYYYYYY
To accept our offer, please transfer $25,000 into our offshore account #ZZZZZZZ.
Keep in mind that if you do not transfer this money by tomorrow at 5:00 P.M. eastern time, it is quite likely that nasty computer attackers will release your data on publicly available Web sites all over the Internet, causing certain embarrassment for you and potential client loss! To avoid such unfortunate circumstances, please send the payment for our security consulting services immediately!
Figure 10 The attacker sends an extortion note, jumping off an intermediate point.
The Clarice Commerce Web administrator received the message and did not know what to do with it. The administrator thought it was probably just some kids messing around, so he deleted the message. Unfortunately for Clarice Commerce, however, Hannibal followed through on his threat. He released information about a dozen client accounts to a public mailing list, hinting that Clarice Commerce might be having some security difficulties.
Mistake #8: Clarice Commerce did not have adequate security awareness activities for their employees. Without knowledge about how to handle these situations, the Web administrator did not know how to alert the security organization to mobilize an incident-response team. Further compounding the problem, Clarice Commerce did not have an established computer incident-response team to quickly and professionally handle this problem. Your organization must have clear awareness training for employees, directing them in security issues ranging from selecting strong passwords to reporting security incidents. Also, you should form an incident-response team made up of security, technical operations, legal, human resources, and public relations personnel. This team should agree on incident-response procedures to be utilized if and when an attack occurs.