pressdudes       


Minding the Store

Who is minding your store?

Network security:
Thieves share information, why can't companies?

 May 13, 2002
 Burke Campbell and Murray Conron
Financial Post

Is your information secure? If not, your company could be placed in dire financial straits. In our knowledge economy, having the best information is crucial to success. With the advent of computers and the Internet, however, protecting this information from unwanted intrusions has become a major challenge.

Whether stored as computer files or distributed over global networks, a company's digital assets -- including strategic business plans and proposals, customer profiles, proprietary formulas and processes, passwords and licensed software -- are vulnerable to theft, fraud and other misuse. To secure such information, companies are implementing safeguards and enforcing copyrights through legal and technological means.

Cybertheft costs businesses billions of dollars annually. Whether by agents inside or outside the organization, including buyers and suppliers, cyber-intrusions into North American businesses have increased fourfold in the past two years. Almost 70% of dot-coms that reported theft of their intellectual property were put out of business within two years. These cybercrime stats are recorded by organizations such as CERT (www.cert.org), a government-funded research and development centre in the United States.

In Canada, a new e-business survey by Ernst & Young, entitled The Fabric of Risk, estimates that 93% of the top 1,000 companies maintain corporate Web sites, while 88% use e-mail to communicate with clients and suppliers. With such dependence on information flow, security is paramount.

Yet many cybercrimes go undetected and even more go unreported. According to the U.S. Federal Bureau of Investigation, 60% of companies report cybercrime. More like 99% are victims, notes Doug MacPherson, an IBM Canada security specialist. Corporations are reluctant to report their vulnerabilities and find that if they claim they are fortified, they become targets for increased attacks.

Hackers are opportunists who seek easy entry into computers using widely available Internet tools that attack well-known system and Internet flaws.

Counting on organizations to take only partial measures in blocking the common vulnerabilities, hackers scan networks for entry points. A Top 20 list of common entry points and precautions is periodically drawn up by the Systems Administration, Networking and Security (SANS) Institute (www.sans.org).

It is also a lot easier than many companies may think for their data to end up in the wrong hands.

Ira Winkler, chief security strategist for HP Consulting, the consulting arm of Hewlett-Packard, helps his clients design and fortify security systems. Hired by security managers to be an industrial spy, Mr. Winkler chats up employees, rummages through waste bins, eavesdrops on monitors and walks off with strategic and confidential information on CDs, floppies or hard copy. By agreement, the smuggled assets are returned, documenting the security holes.

Mr. Winkler's penetrations underscore why cybercrime is so difficult to detect or trace. In most cybertheft, the unwitting victim retains the original "goods."

Many companies routinely gather intelligence on their competitors and do so surreptitiously. Professional snooping is contracted out, and in several stages, blurring direct involvement and intent.

"It's much easier to hack [gain unauthorized access to] a computer system than to protect it. Implementing security measures takes real skill, and that's reason enough not to hire hackers to fortify systems," says Mr. Winkler. He finds the protective measures companies take are not comprehensive. Security experts may focus on separate issues such as encryption, intrusion detection or physical security, but it is the combined application of the tools and consistent practices that is most effective.

Theft and fraud are compounded in "identity theft," where stolen credit card and social insurance numbers, health or passport data are used to assume identities for fraudulent transactions. Computer technology makes the theft faster and fingerprint-free. A recent Canadian poll by Ipsos-Reid suggests many shoppers are shy of buying online because of concerns about theft of their credit card numbers or other identification.

The Net's easy connectivity and universal reach have also contributed to the appeal of cybercrime -- and because it spans the planet, a local crime can easily turn into an international one, involving disputes between governments concerning legal jurisdictions and extradition treaties.

Ultimately, the most effective safeguards may be a combination of technology and psychology, rather than legislation.

"The criminals tend to share the knowledge behind their successes, identifying the easy hits, while the good guys in the private sector, vendors and government, have proprietary interests and don't share tips or co-operate with one another," says Marc Rogers, director of secure e-Business at Deloitte & Touche.

These obstacles to effective countermeasures have led to a co-operative undertaking in the U.S. called InfraGard (www.infragard.net) between government and an association of businesses, academic institutions and law-enforcement agencies. It encourages all parties to exchange openly their experience with attacks, breaches and effective countermeasures, so the owners and operators of infrastructure can better protect themselves.

Cyberattacks generally come from three groups:

- The first is unstructured, composed of corporate insiders and recreational hackers.

- The second is structured, from the ranks of organized crime, industrial espionage and terrorism.

- The third comes from intelligence agencies that threaten national security with "information warfare" -- using cyberspace to spread lies or disrupt the flow of crucial information.

A key factor in stemming cybercrime is studying the psychology of what motivates these criminals and what makes the victims so appealing as targets, Mr. Rogers says.

"If we look only at technical controls and not at the individuals who are running the tools and committing these crimes and defending the systems, then we are never going to solve the problem, only see the symptoms."

 

PROTECT YOURSELF:

- Remove neglected or unused features or services on the network. Close irrelevant ports and remove software that no one uses.

- Change passwords from easy-to-guess dictionary words to mixed alphanumerics and change passwords on all default servicing accounts. Change all passwords periodically.

- Do complete and regular backups of software and data and safely store them as inventory.

- Justify the need for all the open ports on the system.

- Filter packets entering and leaving your network for correct addresses to prevent "IP spoofing," or disguised entry. New routers and firewalls often have these safety features.

- Maintain patches on all Common Gateway Interface (CGI) programs, which are Web-based applications that collect and verify data. Remove sample CGI programs from your Web server.

- Maintain a complete audit trail of activity. After an attack, you may need to patch or restore the operating system and reload data from backup. Review the logs regularly and back them up.
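The address-filtering item in the list above, worked through as an added illustration that is not part of the original article: a border filter drops inbound packets that claim an internal or reserved source, and outbound packets whose source is not the organization's own. The network block 192.0.2.0/24, the function names and the sample packets are assumptions constructed for the example.

```python
import ipaddress

# Assumed for illustration: the address block the organization actually uses.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
# Source ranges that should never arrive from the Internet side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for a packet crossing the border router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in(s, INTERNAL):
            return "drop", "inbound packet claims an internal source"
        if _in(s, BOGONS):
            return "drop", "inbound source is reserved or private"
        if not _in(d, INTERNAL):
            return "drop", "inbound destination is not ours"
    elif direction == "out":
        if not _in(s, INTERNAL):
            return "drop", "outbound source is not ours"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "allow", "addresses consistent with direction"


# Constructed sample traffic: (direction, source, destination).
SAMPLE = [
    ("in", "203.0.113.7", "192.0.2.10"),    # ordinary visitor
    ("in", "192.0.2.99", "192.0.2.10"),     # outsider posing as an insider
    ("in", "10.1.2.3", "192.0.2.10"),       # private address from outside
    ("out", "192.0.2.10", "203.0.113.7"),   # ordinary outbound traffic
    ("out", "203.0.113.7", "198.51.100.1"), # forged source leaving the network
]


def audit(packets):
    """Apply the filter to each packet and return the verdicts in order."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", *filter_packet(*pkt))
```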

 

 


Copyright © 2008 Press Dudes
Last modified: September 18, 2009