When the member of staff found the floppy disk, it looked as if it had been accidentally dropped on the floor by someone from the human resources department. It was enticingly labelled: “Strictly confidential – pay and bonuses 2003”.
Who could resist? But when he slipped it into his PC and double-clicked on the “payroll.xls” file, an error message, “file corrupted”, flashed up on the screen. So he did the next most responsible thing and returned it to the grateful HR director. She, of course, tried it too, only to be greeted with the same error message.
Yet the disk did not contain salary details, but a Trojan horse program that was installed when any one of the files was activated. The error message was just a smokescreen; a hacker had successfully compromised not one, but two machines behind the firewall. That is the kind of lateral thinking that a determined hacker will put into breaking into the systems of their targets, warns notorious hacker turned security consultant Kevin Mitnick. He should know: although Mitnick was eventually caught and convicted, he claims he was thwarted just once in a 15-year hacking career.
Most computer crime, especially when fictionalised, is usually portrayed as being carried out with the aid of an arsenal of geeky tools – and sometimes it is. But Mitnick often found it easier to simply phone individuals at a company whose network he wanted to access and get them to divulge useful information or even passwords for sensitive systems. All it took was a pinch of inside knowledge, a little chutzpah and a phone call or two.
These are the same kind of tricks that Cable & Wireless chief security officer Bill Hancock used to get up to when he was the chief technology officer of a New York security consulting firm. When an organisation hired his firm to conduct a security audit, its staff would typically expect a team of nerds at the other end of a modem to be scanning for open ports and trying to crack the passwords of sensitive systems. They did not expect him to travel to their offices and stake the place out.
Realising that the company’s security card was straightforward, he knocked up a copy on his laptop computer, put a strip of black tape across the back where the magnetic stripe should have been and set off to enter the building. There, he simply told anyone he came across that it did not work properly and “would they be so kind as to let him in?”
They dutifully obliged, all the way to the computer room, where he loudly declared that a security audit was underway, ushered everyone out and locked himself in, there to gather the information he needed at leisure. Game, set and match.
Both examples illustrate the nature of the worsening security crisis that is now enveloping technology-reliant corporations across the world, and which is already costing billions of dollars a year. The threats from armies of hackers, remote fraudsters, cyberterrorists and so-called ‘hacktivists’ have never been greater, and have sparked a wave of investment in hardware and software.
But the most common strategies for dealing with these threats – installing firewalls, encryption software, and intrusion detection systems, for example – scarcely begin to address the challenges now facing managers with little experience of criminal behaviour and whose main priority is to make profits.
Delegating information security to a technical expert does not solve the problem – for two reasons. First, the prize for successfully breaking into a mission-critical computer system has become greater as corporate dependency on computers has grown – and that means attackers will in turn go to greater lengths, including attempting physical break-ins or using so-called ‘social engineering’ – what might once have been called ‘a confidence trick’.
And second, while many security problems are deeply technical in nature, the real area where businesses are most likely to prove vulnerable is in their processes and their management of people.
Enter the Chief Security Officer
That is why many companies, especially in the US, are making a new appointment to the senior management team – the chief security officer (CSO). The brief, in its widest sense: to oversee all aspects of corporate security, physical and digital – from firewall management to pass-key distribution, from executive safety to post room procedure.
It may be a small triumph, but many experts argue that at least one line of attack for the corporate hacker has been largely closed off. Hackers used to find relatively easy access via misconfigured firewalls, but this hole has been closed by easier-to-install software. “When you install a firewall these days, it tends to be pretty good out of the box,” says Philip Huggins, managing security architect at consultancy @Stake.
But that doesn’t mean software problems have been overcome – they have just been moved. In fact, 2002 was another record year for hacking activity, according to computer security consultancy mi2g and the Carnegie Mellon University’s Computer Emergency Response Team (CERT). Mi2g counted 87,500 electronic attacks, of which two thirds were traced back to Brazil (the country’s lax anti-hacking laws encourage many hackers around the world to route their attacks through systems there).
While many of these attacks have been repelled by firewalls, the number of security vulnerabilities in software packages reported to CERT rose from 262 in 1998 to over 4,000 in 2002.
This growth has partly been driven by the Internet-enablement of pre-Internet software in which common flaws that were once hidden from the world at large can be exploited when an application is put online. “That’s part of it. The other part of it is that even the software that comes out today is not built for security of any kind,” says one concerned chief security officer.
Armed with this knowledge, hackers have turned their attention to insecure applications running over the Internet, using tools to automatically scan entire net blocks for the vulnerable software. Just one corporate Internet connection can be scanned 14,000 or more times in just one weekend.
Buffer overflow vulnerabilities are a particular favourite target for hackers. They arise when an application copies input into a fixed-size area of memory without first checking that it fits. The excess spills over into whatever lies next to the buffer – on the stack, that includes the address the program will return to – so a carefully built string can redirect the program into instructions the attacker has supplied inside that same input. In this way, a hacker can take control of the application. A neighbouring class of input-handling flaw, in which user-supplied text is spliced unchecked into a database query, lets the attacker fire queries directly at the back-end database. Both come down to software trusting whatever it is given.
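The mechanism described above, as an added illustration that is not part of the original article: the struct below stands in for a stack frame in which a 16-byte input buffer sits directly beneath a word the program trusts (modelling a saved return address or a privilege flag). The unsafe routine copies until the input's terminating NUL, exactly as strcpy() does, and a constructed 20-character input overwrites the trusted word; the hardened routine refuses anything that does not fit and uses a bounded copy. The function names and test strings are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Stack frame in miniature: `name` is the input buffer, `control` is the
 * word beyond it that the program trusts (a return address, a flag).
 * No padding: sizeof(struct frame) == 20. */
struct frame {
    char     name[NAME_LEN];
    uint32_t control;
};

/* Vulnerable: an unbounded copy, byte for byte, until the input's NUL.
 * The copy goes through a char pointer over the whole struct so that the
 * overflow into `control` is visible (and well defined) for inputs up to
 * sizeof(struct frame) bytes long. Returns the value `control` ends up with;
 * it should always be 0, and an overflow proves otherwise. */
uint32_t process_unsafe(const char *input) {
    struct frame f = { .control = 0 };
    unsigned char *bytes = (unsigned char *)&f;
    for (size_t i = 0; input[i] != '\0'; i++)
        bytes[i] = (unsigned char)input[i];   /* no check against NAME_LEN */
    return f.control;
}

/* Hardened: find the terminator within the buffer's capacity; if it is not
 * there the input cannot fit (including its NUL) and is rejected outright.
 * Only then copy, with a length the buffer is known to hold. */
int process_safe(const char *input, char out[NAME_LEN]) {
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)
        return 0;                              /* rejected: too long */
    memcpy(out, input, (size_t)(nul - input) + 1);
    return 1;                                  /* accepted */
}

/* Convenience wrapper: does the hardened path accept this input? */
int accepts(const char *input) {
    char out[NAME_LEN];
    return process_safe(input, out);
}

int main(void) {
    /* Constructed inputs: a benign name and a 16-byte filler followed by
     * four 'B' bytes that land exactly on `control`. */
    const char *benign  = "alice";
    const char *exploit = "AAAAAAAAAAAAAAAABBBB";

    printf("unsafe, benign : control = 0x%08x\n", (unsigned)process_unsafe(benign));
    printf("unsafe, exploit: control = 0x%08x\n", (unsigned)process_unsafe(exploit));
    printf("safe,   benign : %s\n", accepts(benign)  ? "accepted" : "rejected");
    printf("safe,   exploit: %s\n", accepts(exploit) ? "accepted" : "rejected");
    return 0;
}
```

The four 'B' bytes (0x42) that spill past the buffer become 0x42424242 in `control`, regardless of endianness; in a real frame the attacker would instead place an address pointing back into the payload. The hardened version works because it decides whether the input fits before a single byte is copied.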
Attacks of this kind can yield substantial rewards. Using a known flaw in Computer Associates’ Ingres database software, for example, a crime syndicate broke into the database of a number of big-name companies and stole credit card and other financial information. Then, it demanded a ransom for the safe return of the data.
Most paid up – it was only when a major credit card organisation went to the police that the criminals were apprehended. Most victims preferred to keep quiet for fear of the adverse effect any publicity might have. In a separate incident, criminals tried to extort money from financial services company Bloomberg in the same way. But Bloomberg called in the Federal Bureau of Investigation straightaway, resulting in a high-profile prosecution.
Perhaps the most extraordinary feature of such attacks, however, is they are almost always completely preventable (although not necessarily in the examples mentioned). Many security flaws are spotted and ‘patched’ by the software supplier long before they are exploited by criminals.
Once again, it is all about management. Analysts and security consultants have started to place great emphasis on the importance of timely and efficient software patching. “The best thing that anybody can do if they want to be secure is to apply patches, no matter what else they do,” says Huggins of @Stake.
“At Cable & Wireless, we patch security devices first, network devices second and work our way towards systems and applications,” says Hancock. But most IT departments are lax in their application of patches. Nine of every ten attacks will exploit known security flaws for which a patch is available or a solution known, according to analysts at IT industry watcher Gartner. Similarly, CERT says that 19 out of every 20 attacks it deals with either take advantage of configuration errors or of known vulnerabilities for which patches are available.
The best example: a patch for the flaw exploited by the Code Red worm had been available for about a month before the worm struck in 2001, yet Code Red is estimated to have caused hundreds of millions of dollars of damage. Nimda, another virulent worm that followed two months later, likewise spread through unpatched IIS web servers.
This lack of awareness is frequently combined with ignorance. “Some customers won’t put in any security technology whatsoever because they think it degrades performance, which is not true. Then they get hit and wonder why,” says Hancock. For all the money spent on intrusion detection and firewall technologies, arguably the greatest threat to a company’s IT infrastructure remains the disgruntled employee. And, once again, it is a problem that proper security management should eliminate.
Beware the Insider
The annual survey conducted by the FBI and the Computer Security Institute (CSI) tells the story: In four-fifths of attacks, it is not an unknown outsider that is responsible, but an insider.
Staff with privileged access can be particularly dangerous. “One organisation had a contacts database that was critical to its business that was deleted. The user that had deleted it was an administrator they had sacked,” says Huggins.
If an organisation does not have strictly enforced processes for withdrawing access after a member of staff has left, it scarcely matters what firewalls, intrusion detection and other security systems are in place.
In one of the most audacious cases to date, a former systems administrator for Wall Street financial services group UBS PaineWebber appeared in court in December charged with sabotaging two-thirds of the bank’s IT systems, in an effort to profit from an induced fall in the company’s share price.
All of this calls out not just for better security management, but for better integration with those managing IT and physical security. After all, there have been plenty of cases where outsiders have gained access to buildings in order to steal or access systems.
That is why many companies are embracing the idea of a chief security officer (CSO) – a role that increasingly includes responsibility for aspects of security beyond IT. This position is not for the ‘ex-army jobsworth who manages the night watchmen’, but requires a specialist capable of understanding and solving both the technical and managerial issues surrounding security. And the CSO must be able to articulate issues in a way that the senior executives can understand.
This, says Steve Hunt, research leader at Giga Information Group, means that the CSO must also have an understanding of risk management and be aware of where to make the compromise between cost, convenience and perfect security.
Bill Hancock, chief security officer at Cable & Wireless, concurs: “When a crisis happens, I have to be able to speak about how routing works with the technical guys and then turn right round to my management and explain why we have to spend money on some hardware or software to stop it happening again.”
People with such skills are rare – but then, in Europe, at least today, so too are CSO positions. Often, financial institutions have a CSO (or equivalent) because of the obvious danger of fraud – but they are typically focused on specific banking frauds; telecommunications companies often employ people for similar reasons. But beyond this, there is usually a clear division: the IT director, or a technically adept employee, manages information security, usually somewhat patchily; and the head of security manages staff, visitors and physical assets as well as any ‘criminal activities’. It is a classic brain versus brawn division – and one which clearly fails to address the growing areas of overlap.
Even where there is a CSO, he or she often lacks resources, staff, or clearly defined authority. “[Today] the chief security officer is neither a chief, nor an officer,” says Steve Hunt, Giga Information Group vice president of research. But analysts, plotting the trendlines for security breaches, security spending, and the type of crimes being committed, can see where this is heading.
Business is suffering a high-tech crime wave that has only just begun. And it is not just big, and very expensive, but it is also multifaceted. The threats could come from inside or outside, be physical or digital, and could be motivated by mischief or malice. Sooner or later, though, most businesses will conclude that the only way to respond effectively is to address the threat in a much more strategic and holistic way – whether that is through the appointment of a CSO or not.