---------- Forwarded message ----------
From: Simon Gardner <juniper@cix.compulink.co.uk>
To: aaa-list@access.org.uk
Profits Embolden Hackers
By Tim Wilson, InternetWeek

Conventional wisdom says that most IT security threats come from inside the company, not outside. Any guess who's reaping the greatest benefit from that little piece of wisdom?

Hackers and computer criminals.

In two separate studies completed this month, Fortune 1000 companies reported more financial losses due to computer vandalism and espionage in 1997 than they ever experienced before. Several corporations said they lost $10 million or more in a single break-in. And reports of system break-ins at the Computer Emergency Response Team site are the highest they've ever been.

Despite recent security product and technology developments, computer networks are becoming more vulnerable to outside attack, not less.

"The base level of ability required to break into the most vulnerable [companies] is not as high as it used to be," said Kevin Poulsen, who recently completed a five-year prison term for breaking into a variety of major networks and systems, including those of Pacific Bell and the U.S. Department of Defense.

"I know about 95 percent of [the vulnerabilities] I am going to find at a company before I even get there," said Ira Winkler, president of the Information Security Advisory Group -- a firm that specializes in penetrating business security systems to expose vulnerabilities -- and author of the book Corporate Espionage. "I can steal a billion dollars from any [corporation] within a couple of hours."

And the Internet, which makes business systems more accessible than ever and provides the means for hackers to publish tools and techniques quickly for piercing corporate defenses, is turning a pastime for mischievous teenagers into a paying proposition.

"It used to be that hackers held to [the hackers' code of ethics]," said Jeff Moss, director of the penetration testing service at Secure Computing and founder of Def Con, the world's largest annual hacker convention. "But when you throw in the big dollar mix [generated by corporate espionage], you get some crazy people and all the rules go out the window."

IT managers say they are worried about hackers and computer criminals, but they sometimes feel at a loss to stop them. "When you see hackers hitting sites at the Pentagon, it's very concerning," said Terry Hamidi, network administrator at Colonial Savings, a mortgage and banking firm, referring to a hacker break-in to nonclassified systems at the Pentagon earlier this month. "We don't spend a tenth of what [the Pentagon] spends on security. If they can't stop it, how can we?"

In a study to be published next month, WarRoom Research found that the vast majority of Fortune 1000 companies have experienced a successful break-in by an outsider in the past year. More than half of those companies have experienced more than 30 system penetrations in the past 12 months. Nearly 60 percent said they lost $200,000 or more as a result of each intrusion.

In a separate study published earlier this month by the Computer Security Institute and the FBI, 520 U.S. companies reported a total loss of $136 million from computer crime and security breaches in 1997, an increase of 36 percent from the year before. The Internet was cited by 54 percent of the respondents as a frequent point of attack, about the same percentage of respondents that cited internal systems as a frequent point of attack.

"The 'conventional wisdom' that says the internal threat is much greater than the external threat is turning out to be conventional naivete," said Mark Gembicki, executive vice president of WarRoom Research. "The audit trails for internal intrusions are much better, and the perpetrators are easier to find, so the numbers are skewed that way. But a lot of external intrusions are never found, and those that are are usually not reported."

IT managers are reluctant to report security penetrations to law enforcement agencies because they fear that customers and partners will be chased away by negative press, according to Gembicki and Robert Walsh, special agent in charge of the FBI's San Francisco office. Of the companies that detected system break-ins, only about 12 percent actually reported the crime, according to the WarRoom study.

What You Can Do

One universal piece of advice came from hackers, hackers for hire and those who collect computer crime data: When your vendor issues a software patch, install it immediately.

"The biggest mistake people make is that they underestimate the threat," Moss said. "They don't put in the patches, they misconfigure their firewalls, they misconfigure routers."

If you can't afford to put top security on every system or every business unit -- and most organizations can't -- you need to evaluate the value of your information, experts said. "The first thing I look at is what there is to steal," Winkler said. "To hack every computer in a company is totally worthless."

It may sound trite and tired, but many companies are robbed or vandalized because their employees don't follow the corporate security policy. Most hackers don't use technical methods to get into a corporate network.

"A hacker calls the help desk posing as a new employee and says he forgot his remote access number. The help desk gives it to him," Moss said.

If you're using intrusion detection tools or other methods to scan for external attacks, it's important to remember that the one thing a computer criminal fears most is being detected.

And it's not enough just to detect the criminals, Gembicki said. "What makes an intrusion detection valuable is not what it can detect, but how useful the information might be in prosecuting an offender," he said.

The key to reducing computer crime will be not only to detect criminals, but to catch and effectively, even publicly, prosecute them, Kabay said.

"You have to work with law enforcement agencies to know what you will do when you catch [intruders]," Kabay added.
Received on Tue Mar 24 12:00:24 1998