The enemy within

Companies are letting hackers rummage in their information systems far too easily - and the people raiding private data are likely to be sitting in the next office. But what can the powers that be do to prevent their privacy being abused?

If your view of a hacker is a spotty, pony-tailed teenager holed up in a bedroom somewhere in suburbia, or a James Bond-like villain on an espionage mission - think again. Former employees, and disgruntled staff who find themselves in the firing line, are firmly in the frame when it comes to threats to company information.

Seventy per cent of hackers come from within the organisation being attacked. And when social and economic factors - such as redundancies and downsizing - kick in, cases of hacking multiply. With the doom and gloom merchants out in force, arguing that the UK economy is teetering on the brink of recession, the threats to information security are more potent than ever.

According to Stephen Cobb, certified information system security professional and ex-director of special projects at the International Computer Security Association, companies that don't take action against hackers are putting their businesses at great risk.

'One of the things that has emerged in the past couple of months is that the slight chill the economy is catching casts a different light on the threats we are experiencing,' says Cobb. 'Threats to information security are not constant, but increase when times are tight.'

And, as technology becomes increasingly pervasive due to the rise of the internet, a growing number of hi-tech-savvy users now have the skills to wreak electronic havoc. 'Private data is now travelling on a public network,' says Cobb. 'How many people can surf the Web and have got email accounts? In the US, everybody has. Unlike 10 years ago, just about everybody in a company knows how to use a computer. The "erase the hard drive before you leave" syndrome is multiplying.'

Companies are also fuelling the risk in the mad dash to get connected. 'Companies deploy the technology before it's secure, then have to go back and make it secure. We are discovering vulnerability on the fly,' says Cobb. 'We are now playing catch-up to problems that have been around for a while.'

Add to this the mass shift to distributed computing and it means that system vulnerabilities are no longer limited to a central mainframe, presenting more points of attack for corporate enemies. Once e-commerce starts to take off, the security stumbling blocks which surround it will leave firms and customers even more vulnerable.

A recent Ernst & Young Computer World survey, based on 4,000 responses from 29 countries, reveals that 73 per cent of European companies say information security risks have increased in the past year.

And the perceived security threats make interesting reading - 'computer terrorists' received 28 per cent of the vote; authorised users were close behind with 26 per cent; former employees, 24 per cent; unauthorised users, 23 per cent and contractors, 19 per cent.

More than half of the companies polled admit they lack confidence that their systems would withstand a hacking attack. As Cobb says: 'If 55 per cent don't have confidence in their security that must be a matter of some concern.'

He believes the outlook is bleaker still. His US company, Miora Systems Consulting, which has Bay Networks, Hewlett Packard and AT&T among its clients, offers a 'penetration testing' service where it attempts to hack into a customer's IT system to evaluate its security. Out of 50 assessments over the past 18 months, 'the number of systems we've failed to penetrate is zero', says Cobb. Worse still, the average skill level required to hack is marked two on a scale of one to five. 'We don't use cutting-edge technology in most cases,' he adds.

Even where security is tight, companies are increasingly networking themselves to their trusted business partners, which can provide a way in for hackers if system security is not controlled further down the chain. For example, distributors with secure IT that are linked to resellers via an electronic distribution system can leave themselves vulnerable to attack if the resellers do not secure their own systems adequately. 'The best of friends may not have the best of security,' Cobb warns.

Access to company Websites is also multiplying the threat of hacking, since Web pages can provide a path to internal systems. 'If there's a connection between a Web server and other computers, then there's a path up which to hack,' he explains. It may not be a direct path, but a Website can 'leak' signposts and hackers can glean the information they need to get through to a company's entire internal IT system - usually within a matter of hours of hacking the Website.

Some hackers are content to stop at hacking the Website only, but this, too, is something businesses should not take lightly. The harm to a company's reputation is immeasurable. Time, customers and customer confidence will be lost if companies are using their site as a marketing medium, while for those involved in e-commerce, revenues will be hit directly.

'If not today, then down the road it's going to be a problem,' says Cobb.

He cites the Ford Motor company as an example. If the company Website is defaced, the average customer driving a Ford, thinks: 'If the company can't protect its Website, what about its product?'

Incidents are not isolated, Cobb adds. In a three-week period in February, 80 sites were reported as hacked on a Website tracking violated sites.

Then, the site listing the hackings was itself hacked.

Where internal systems are attacked, the bottom line can be left reeling.

Cases are difficult to find, since the majority of companies are reluctant to have reputation-damaging incidents splashed in the press. But statistics show they are widespread and indiscriminate - the 1998 US survey by the Computer Security Institute (CSI) and the FBI showed that 64 per cent of companies have had incidents of unauthorised use of computer systems in the past 12 months. Cobb cites the example of US telecoms player Southwestern Bell, which took a $500,000 hit as a direct result of a hacking incident.

He also has a conspiracy theory about the New York Stock Exchange (NYSE), which recently saw trading halted for an hour because of a computer problem - a switch that went down. Cobb points out that the NYSE has a 99.99 per cent uptime standard and a complete replica system running in tandem with it continually. 'Could somebody hack the stock exchange? Could that happen? My feeling is that it could,' he says.

One of the most common forms of computer abuse is the spread of viruses, dubbed Ripper, Laroux and the like. The internet has given them a new lease of life, particularly since many companies do not use anti-virus software correctly. While there are tens of thousands of viruses known to anti-virus researchers, there are usually about 200 'in the wild'. Many are not designed to do any damage, and some say viruses do not pose a significant threat.

Cobb disputes this, arguing that one US bank which became infected by a virus saw its operations brought down for two days and 90 per cent of its 300 file servers were infected. As a result, it lost $400,000 - and the virus was not intended to do any damage.

He says: 'It can be very expensive. I've talked to people that claim they have lost as much as $1 million in a single virus incident.'

While altering or destroying electronic information has an obvious impact on businesses, theft of proprietary information also hits where it hurts.

The CSI/FBI study showed that over the past year, 18 per cent of respondents had experienced this first hand. 1996 saw the first ever conviction for economic espionage after an employee stockpiled company secrets and offered to sell them to a competitor. The FBI was tipped off and set up a sting.

In a similar, well-documented case, Volkswagen stumped up a $100 million settlement after a General Motors employee downloaded thousands of text pages of trade secrets via the GM extranet onto VW's computers. You can't be too careful, says Cobb: 'There are (US) government-sponsored espionage campaigns going on now.'

There are four basic lines of defence that businesses can draw up to protect themselves from security breaches. One of the most popular security devices is the firewall, which controls the flow of data between networks, helping to prevent unauthorised access.

Second is 'intrusion detection' - a user pattern recognition system that looks for anomalies such as increased activity on a server at night, then triggers an alert.

Encryption means users can scramble data, keeping information private even if it is accessed.

At the most basic level is authentication, which controls access to information via secure identity smart cards, pin numbers, fingerprints, signatures and other digital certificates.

But none of these methods is without flaws. While firewalls, installed between an internal network and a Web server, can restrict traffic between networks, they do not police traffic on internal networks, warn of internal abuse, or encrypt data. And a firewall will not be effective at all unless it is configured and maintained correctly.

Intrusion detection is a relatively new product area which, according to Cobb, is 'not foolproof'. 'People have to be careful they don't put too much faith in them,' he says, describing 'under the radar attacks' where hackers distribute their attack via different entry points to avoid setting off alarms. 'You can bet that as soon as a product comes on the market there will be attacks tailored to try to beat it,' he adds.

Unless businesses use encryption, any email they send over the Net can be read by anyone. Encryption is a powerful technology, but with a significant overhead and an additional time factor which means it's not that user-friendly.

Cobb warns: 'Flawed encryption gives a dangerous false sense of security. Every company should be looking at improving their authentication beyond a password.' Not least, he says, because most people choose 'password' as their password. One delegate at a recent London conference claimed he knew of a company that had 2,000 workstations all with the same password.

The latest buzzword in information security in the US is computer misuse detection system (CMDS), which is apparently set to hit the UK soon. This is a system that uses artificial intelligence to track user patterns and identify changes - and so possible misuse. The software was developed by the US government to catch spies and has led to six prosecutions Stateside.

CMDS enables an effective means of monitoring internal systems usage.

However, there are significant 'Big Brother' overtones, and employers taking such action need to inform employees.
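The intrusion detection described above (anomalies such as increased activity on a server at night) and the CMDS idea of tracking user patterns and flagging changes both rest on the same mechanism: learn a baseline of normal activity, then alert when a window departs from it. The following is an added illustration, not code from the article or from any product it mentions. It assumes a constructed log format (ISO timestamp, host, user=, action=) and constructed sample data: five baseline days of two users reading files on a fileserver during office hours, then a detection day where one account pulls files at 02:00.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format for this example (not a real product's format):
# "<ISO timestamp> <host> user=<user> action=<action>"
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) action=(\S+)$")


def parse_line(line):
    """Split one log line into (timestamp, host, user, action)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, host, user, action = m.groups()
    return datetime.fromisoformat(ts), host, user, action


def hourly_counts(lines):
    """Count events per (host, calendar day, hour-of-day)."""
    counts = defaultdict(int)
    for line in lines:
        ts, host, _user, _action = parse_line(line)
        counts[(host, ts.date(), ts.hour)] += 1
    return counts


def build_baseline(lines):
    """For each (host, hour-of-day), learn mean and std-dev of the daily
    event count across the baseline window. Days with no events in an
    hour count as zero, so a normally silent hour has a baseline of 0."""
    counts = hourly_counts(lines)
    hosts = {h for h, _, _ in counts}
    days = sorted({d for _, d, _ in counts})
    baseline = {}
    for host in hosts:
        for hour in range(24):
            per_day = [counts.get((host, day, hour), 0) for day in days]
            baseline[(host, hour)] = (float(mean(per_day)), float(pstdev(per_day)))
    return baseline


def detect_anomalies(baseline, lines, k=3.0, min_events=5):
    """Flag any (host, day, hour) whose count exceeds mean + k*stddev.
    min_events stops a single event in a quiet hour raising an alert."""
    alerts = []
    for (host, day, hour), n in sorted(hourly_counts(lines).items()):
        mu, sigma = baseline.get((host, hour), (0.0, 0.0))
        if n >= min_events and n > mu + k * sigma:
            alerts.append({"host": host, "day": str(day), "hour": hour,
                           "events": n, "baseline_mean": mu})
    return alerts


def _line(day, hour, minute, host, user, action):
    """Build one constructed log line for March 1999."""
    return f"1999-03-{day:02d}T{hour:02d}:{minute:02d}:00 {host} user={user} action={action}"


# Constructed baseline: five days, two users reading files 09:00-17:00.
BASELINE_LOG = [
    _line(day, hour, 5, "fileserver01", user, "read")
    for day in range(1, 6)
    for hour in range(9, 18)
    for user in ("alice", "bob")
]

# Constructed detection day: normal daytime pattern, plus twelve reads at
# 02:00 from one account, plus one extra daytime read (stays below threshold).
DETECT_LOG = (
    [_line(8, hour, 5, "fileserver01", user, "read")
     for hour in range(9, 18) for user in ("alice", "bob")]
    + [_line(8, 2, m, "fileserver01", "bob", "read") for m in range(0, 60, 5)]
    + [_line(8, 14, 30, "fileserver01", "carol", "read")]
)


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_LOG), DETECT_LOG):
        print(alert)
```

Running it reports one alert: fileserver01 at 02:00 on the detection day with 12 events against a baseline mean of 0. The extra read at 14:30 is not reported, because three events against a baseline of two is under `min_events`. Note the weakness Cobb describes: this detector keys on a single host, so activity spread thinly across several hosts would stay under the threshold on each; aggregating the same counts per user across all hosts is the usual complement.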

There are obvious barriers to improved defences, including high implementation costs, lack of senior management backing, user resistance and a lack of understanding. There are also issues of compatibility - encryption software being incompatible with anti-virus software; skills shortages, with a lack of training leading to a lack of monitoring and maintenance; and internal politicking - under whose jurisdiction does information security fall?

Businesses cannot hope to protect their systems without an effective security policy in place. Defences are in many ways non-technical. Systems need to be budgeted for, implemented and independently tested. And that may still not be enough. Cobb says: 'Tested and proven systems are not enough. You have to let users know what not to do. You need to be in a situation where employees are actively supporting a campaign.'

He believes the BS7799 quality standard is set to emerge as the international security standard. BS7799 is a practical guide for managing information security compiled by a group of leading companies including BOC, BT, Marks and Spencer, Midland Bank, Nationwide Building Society, Shell and Unilever. Not only will companies that adhere to this render themselves less vulnerable to attack, they will also instantly add value to their services.

Recent legislative changes mean there are increased requirements in terms of security standards. The EC Data Protection Act, which came into force last month (although the UK, along with several other member states has yet to comply), prohibits the export of personal data to countries that don't provide adequate protection. This means businesses will have to be able to demonstrate to auditors that they have a sound security policy and, since many do not, it's an area resellers could do well to explore.

CONFESSIONS OF A HACKER

A 'penetration test team' from information security firm Diligence was on hand at a recent London conference to demonstrate its ability to hack into a dummy company - via its Website and bypassing a firewall - in a matter of minutes.

Penetration tester and information security specialist David Litchfield is a former hacker. Before joining Diligence he was working in technical support at reseller Info'Products during the day, and 'going home and breaking into computers' at night. He says he was 'delving into software and pulling it apart', but says he did so 'with permission'.

His method was to find a machine that might have a problem and then notify the company administrator before accessing the machine to prove his point.

'You have the press image of what it believes a hacker is and what a hacker believes he is, and they are very blurred divisions,' he says.

But he concedes that hackers are a certain breed. 'We're all the same. We're all very arrogant. We all have more than a modicum of intelligence and we're all insomniacs. I sometimes get too focused, much to the distress of my girlfriend - I go off on one.

'In my opinion, we see things naturally. Before I started with computers I was able to pick out anomalies. Sitting in English classes at school studying Chaucer's The Franklin's Tale, the teacher would say something that contradicted something on page 20 and I would pick up on it.'

Litchfield says he does not believe he is breaking the unwritten hackers' code of conduct by sleeping with the enemy. For him it's 'not anything other than finding bugs in software and fixing holes'. He says he doesn't do it for the money: 'I like breaking into systems.'

Hackers fall into a number of different categories, says Cobb. He believes there are those who do it purely for the challenge and to satisfy their ego. He parades a T-shirt from a hacking conference which bears the slogan: 'Why? Because we can.'

Cobb cites one group of hackers, the 'Cult of the Dead Cow' as a prime example. 'They are very given to media attention and theatrics.' Hackers are fairly organised, which a lot of people don't realise, and many work together, he points out.

Other hackers fall into the criminal category - those that hack for their own ends, for theft, alteration or destruction.

And the final group are 'terrorists' - those demonstrating against perceived exploitation (often political) of one form or another.

On the whole, however, he says it is 'not correct' to describe hackers as amoral: 'It's not a lack of morality, it's a different set of ethics from the social norm.' Cobb argues that most hackers have thought very carefully about what they do since many have seen friends jailed because of it. Often, he says, action is taken in anger at companies for having weak security.

Don't try this at home, though. The least serious hacking offences carry a six-month prison sentence - that is where 'intent' can be proved if a hacker uses a computer to attempt to gain unauthorised access to IT systems.

This means that even before a hacker has accessed a system he or she is starting down the road of committing the offence of 'intent'. Prison terms of up to five years are handed out to those who gain illegal entry to systems and acquire private information.