The past few weeks have sent ripples of concern through the UK Retail landscape as giants Marks & Spencer (M&S) and the Co-operative Group (Co-op) found themselves battling significant cyber attacks. 
These attacks have caused significant operational disruption, with M&S suspending online orders and both retailers experiencing stock availability issues. M&S confirmed that hackers accessed personal customer data including names, contact details, dates of birth, and online order history, but not usable payment information or passwords. Similarly, the Co-op reported that hackers accessed members' personal data such as names and contact information, but assured that financial details and passwords remained secure; however, they narrowly avoided a full ransomware deployment. 
Adding to the unease, Harrods also reported fending off a similar attempt. While the immediate impact on operations and the worry of data breaches is undeniable, these incidents offer a potent learning opportunity for businesses of all shapes and sizes. I wanted to highlight some key takeaways we can already learn. 

Beyond the Headlines: Understanding the Threat
It's easy to see these attacks as isolated incidents hitting big corporations. However, the reality is that cyber threats are pervasive and constantly evolving. The alleged involvement of groups like DragonForce and the potential link to the notorious Scattered Spider highlight the sophistication and organised nature of modern cybercrime. These aren't just opportunistic hackers; they are often well-resourced entities employing a range of tactics, from ransomware deployment to the insidious art of social engineering.

Lesson 1: Cybersecurity Isn't Just for the IT Department
The disruptions experienced by M&S and Co-op – from online order suspensions to stock shortages leaving shelves empty – underscore that cybersecurity is no longer a niche IT concern. 

It's a fundamental business risk that impacts every corner of an organisation, from customer experience and sales to supply chains and reputation. 

This necessitates a shift in mindset, with cybersecurity becoming a boardroom-level priority, integrated into overall business strategy and risk management.

Lesson 2: The Human Element Remains a Weak Link
The suspected use of social engineering tactics, potentially including SIM swapping, is a stark reminder that technology alone isn't a foolproof defence. Attackers are adept at exploiting human psychology, tricking employees into granting access or divulging sensitive information. 

This emphasises the critical need for comprehensive and ongoing cybersecurity awareness training for all staff. Employees need to be vigilant about phishing attempts, understand the importance of strong password practices, and be aware of the red flags that could indicate a potential attack.

Lesson 3: Multi-Layered Security is Non-Negotiable
The fact that attackers may have bypassed initial security measures highlights the importance of a defence-in-depth strategy. Relying on a single layer of protection is no longer sufficient. Organisations need to implement a multi-layered approach that includes robust firewalls, intrusion detection systems, endpoint security, multi-factor authentication (MFA), data encryption and 24/7 monitoring for abnormal behaviour. 

Regular security audits and vulnerability assessments are also crucial to identify and address potential weaknesses before they can be exploited.

Lesson 4: Incident Response: Planning for the Inevitable
Even with the most robust security measures in place, the risk of a cyber attack can never be entirely eliminated. This makes having a well-defined and regularly tested incident response plan absolutely critical for any business size. Knowing how to react quickly and effectively in the event of a breach can significantly minimise the damage, contain the spread of the attack, and facilitate a faster recovery. This plan should outline clear roles and responsibilities, communication protocols, and steps for data recovery and business continuity.

Lesson 5: Transparency and Communication are Key to Maintaining Trust
In the aftermath of a cyber attack, how a company communicates with its customers and stakeholders is paramount. M&S's proactive approach in informing customers about the data breach, while reassuring them about the security of payment information, is a crucial step in maintaining trust. 

Open and honest communication, even when the news is difficult, demonstrates accountability and can help mitigate long-term reputational damage.

Looking Ahead: A Call to Vigilance
The cyber attacks on M&S and Co-op serve as a wake-up call for businesses of any size across all sectors. They underscore the evolving sophistication of cyber threats and the potential for significant disruption and financial loss. 

The lessons learned from these incidents are clear: cybersecurity is not just a technical issue; it's a fundamental business imperative that requires a holistic, proactive, and people-centric approach. 

By prioritising cybersecurity, investing in robust defences, educating employees, and preparing for the inevitable, organisations can better protect themselves and their customers in an increasingly interconnected and threat-filled digital world.
 

While the world was captivated by the first Harry Potter movie, cybercriminals were busy launching one of the first major web server worms.

What Was Happening in the World:
The 9/11 attacks in the United States profoundly shifted global security policies, increasing focus on cybersecurity and national defense. In the meantime, the United States was preparing for military action in Afghanistan in response to terrorist threats.

Euro currency had been introduced in electronic form, changing the financial landscape in Europe.

In sports, Brazil won the Copa América 2001, and the world was preparing for the 2002 FIFA World Cup in Japan and South Korea. 

Alicia Keys’s Fallin’ was the top song in the US, while Kylie Minogue’s Can’t Get You Out of My Head dominated European lists.

The Attack:
Code Red spread autonomously, exploiting buffer overflow vulnerabilities in IIS web servers. It defaced thousands of websites, replacing content with the message: "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" It also launched denial-of-service (DDoS) attacks against various targets, including the White House.

The worm infected over 350,000 servers within hours, causing millions in financial losses and disrupting critical online services.

Just like the ILOVEYOU virus, the hackers’ goal was to be recognized as such. They were not seeking financial gain or state-sponsored objectives such as industrial or political espionage, as we will see in the upcoming chapters.

How WatchGuard Would Have Stopped It:
WatchGuard’s IPS for Fireboxes and Endpoint Security products would have detected and blocked the exploit before the worm could take control of vulnerable systems.

Computers seem to be virtually limitless in their abilities – they can send and receive digital information, serve content via many defined protocols, compute algorithms much faster than a human can, and even provide countless hours of fun and entertainment. One very common use of computers is indeed serving content to consumers, a technological concept known as client / server model. A simple metaphor: a consumer (or a client) goes (makes a connection request) to a place of business (or a server) and peruses the content therein. The bottom line is that a server hosts and provides resources and content to clients requesting said resources.

The way the clients and servers communicate is in terms of protocols, or a predefined method of communication between multiple networked hosts. A prominent protocol used nowadays is the HTTP protocol in our ever-beloved usage of the Internet. Other protocols that make our lives much simpler, without diving too far into their technical details, include: TCP, or really the TCP/IP suite, that essentially allows communication between computer systems (identified by IP addresses) in a reliable manner (TCP); DHCP, which saves many network administrators the headache of manually assigning IP address to their userbase; DNS, which negates the need of humans to remember yet another numerical identifier (or multiple IP addresses of their favorite websites); NTP, that allows for proper time alignment; and ARP, which works with MAC and IP address matching on a local network. If you’re interested in other common networking protocols and a description of the above protocols and more, refer to this article.

This article is written based on the client / server architecture model and discusses perspectives based on the model, though other architectures work in similar ways. That is, any network communication you have between multiple networked hosts will more or less follow the same basis as the client / server architecture.

How Servers Serve Services

Let’s assume that a business wanted to serve certain content to their userbase. They can create a website describing the business that is accessible using the HTTP protocol. In addition, they can offer file downloads (if applicable) that are accessible via the FTP protocol, or any of the other abundant protocols available. It is also entirely possible to serve content multiple ways from the same machine to meet the needs of varying clients – some may not want to use web access and prefer downloading content via FTP, for instance.

The way a server knows which service to serve is by the requested port number indicated by an incoming connection request. A sample connection may include: source IP address, destination IP address, source port, destination port, as well as protocol being used. When the server receives the connection request over a port, that server system (physical hardware itself) should have server software with an available socket that is bound on that port. For instance: port 80 is the common port for HTTP, 443 is for HTTPS, and 21 is for FTP. Once a connection is established, that is, the kernel sends the request to the appropriate software listening on that port, the server may offload that request internally to allow for further incoming connection requests on that same port. This StackOverflow post is rather technical but provides great insight on how this is done.

Depending on what server software is configured, a web server or FTP server, then that software determines how communications will be further handled. Each protocol is designated and specified by their appropriate RFC number. Request for Comments (RFC) are standards that detail out how each protocol will allow communication between connecting clients. There are numerous special keywords used to identify what the behavior of the software should be. For instance: HTTP has a GET keyword that queries a resource on a specific host.

Fun fact, there are 65,535 TCP ports and 65,535 UDP ports on a computer! In other words, a server can serve a lot of different services over TCP or UDP. Granted each service would share the pool of available resources (RAM, CPU, storage utilizations) on the system itself, so it may not be wise to have everything hosted on a single computer system. Another consideration in this would be how many clients are accessing the server content simultaneously. If you wanted to personally have a test server setup, I wouldn’t suspect this being an issue at all. In fact, I have a single system acting as a web server and FTP server at home, among other services.

How Do Clients and Servers Communicate

Let’s expand a bit more from the above-mentioned incoming request – which takes five bits of information (source IP, destination IP, source port, destination port, protocol).

When a client makes a request to a server for HTTPS communications, the client would use a system-generated source port number to send the request out through the local router to the server on a desired port, in this case port 443 for HTTPS communications. The client’s host itself has a random source port, the router generates yet another random source port that it keeps track of, and the request continues to the respective server. That server would return the traffic request to the originating IP address and respective source port number, in which the source IP is the public IP address where the client made the request from and the router identifies which internal client made that request based on the source port. This way if multiple clients from within the same network location made multiple connections to the same remote server, the source ports determine which client the router should send the return traffic to.

Bear in mind that traffic going out onto the Internet requires a unique IP address to be able to be identified for communication requests; that is, they’re publicly routable addresses. Internal client IP addresses are distinguished and reserved based on RFC 1918. This is where NATing comes into play, where internal clients making public server requests have their IP address rewritten by their network’s router / gateway device before sending the request out onto the Internet. The way gateway devices keep track of multiple clients is via connection tables and tracking internal client IP addresses and their corresponding source ports. Return traffic is addressed to the public IP of the network along with the source port, the one generated by the gateway device. From there, the gateway device looks up which client is associated with the gateway’s generated source port maintained within its connection table, then the traffic gets sent back to the original client.

Conclusion

The above may seem complicated, and the technical details surely are, but the concept of what it does is simple. Any computer system can be a server if appropriate software is installed on that system. This server software interacts with the hardware itself by means of system calls. In simple terms, system calls are basically API (application programming interface) calls or libraries that operating systems offer to software installed on it. The software uses the libraries, or API, that the OS offers to reach the kernel and have access to the hardware stack. Check the references for more insight on this.

One more example of Internet-bound connection requests. Suppose a local network is assigned 10.0.1.0/24. Any client (let’s say 10.0.1.50) on that network that makes a request has a random port (example, 55,087) assigned to the request and is sent alongside its IP address in the form of a packet. The gateway device accepts the request, granted it matches any preset rules for Internet traffic, rewrites the packet with its own source port (55,087 is changed to 53,798) as well as the public IP address assigned to the physical site by the ISP; for example, let’s assume it was WatchGuard.com’s IP address of 54.212.248.139. Since the public IP address is routable, the return traffic knows where to go and gets analyzed by the gateway device once again.

I added some references that greatly expand on all of this and recommend reading it, if you’re interested in the technical details at least. The complexity of computers and how they truly work on the inside, compared to the ease of use offered to consumers is just fascinating to me. My hopes are to break down complex details into easy-to-digest chunks of information.

References

Chase, J. Sockets and Client/Server Communication. Retrieved from https://users.cs.duke.edu/~chase/cps196/slides/sockets.pdf

Examcollection.com contributors. How do Common Networking Protocols Function. Retrieved from https://www.examcollection.com/certification-training/network-plus-how-do-common-networking-protocols-function.html

Mozilla.org contributors. What is a web server? Retrieved from https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_web_server