Forensics firm warns of 'the inside job'
Do you know what everyone at your company is doing right now? According to computer security experts the biggest threat to a company comes not from hackers trying to break into its network from the outside, but from those clever enough to gain access from within.
This may come as quite a shock to companies that have spent millions on shoring up their computer security, but evidently the old fashioned methods are still the best for computer spies.
"The simplest thing to do is to get a job there," says David Litchfield, senior security analyst at Arca Systems Inc, a British computer forensics firm called in by businesses to gather evidence of computer crime from hacking and data theft, to embezzlement and espionage. "That's what professional hackers will do if they've been asked to get information about one company for another. It's easy for companies to be so worried about attacks from outside that they neglect their internal network security."
This sort of computer crime may also have serious repercussions for anyone who gets in the way. Often the best way for a professional hacker to cover their tracks is to implicate someone else in their crime. According to Litchfield, this is not an uncommon occurrence. He says: "If someone's good that's what they'll do. They'll make it look as if someone else, the managing director, for example, carried out the attack."
This is, of course, a form of espionage in itself. Litchfield gives the example of a company director whose email address was "spoofed" and was deliberately implicated in fraud. Although he could probably have proved his innocence, that potential security scandal forced him to resign. This is a sobering thought for anyone who thought the only thing at stake was the data on their hard drive.
Companies have a better chance of surviving this sort of attack if they have effective security measures in the first place. This is not just a question of preventing attack, but it can help greatly when it comes to tracing and seeking to prosecute someone for one. Litchfield explains: "You can't prove anything in court unless you have forensics. Whether you can gather forensics will depend on whether a company has a good security policy."
Litchfield also claims that although computer espionage is rife and growing fast among British businesses, the police and the public are largely in the dark. One reason this sort of computer crime gains very little publicity is that it is far more organised and professional than the usual denial of service or website defacement stunt. Another is that the companies are loath to reveal they have had their security breached.
"It's much more common than people know," he says. "Even though Industrial espionage will cause far more damage -- in terms of cost -- to a company than hobby hackers ever will."
DC Paul Cox, investigator at the Metropolitan Computer Crime Prevention Unit, admits that this is a serious problem, but says the police are powerless to change things on there own. He argues that the main problem is that companies will never willingly reveal that they have been hacked.
"We hear about these things, but we don't see hardly anything. The main concern is that if it is on the public record, it will effect people's confidence and a company's share value. Another problem is that ISPs won't give details to the private companies called in to investigate. To make things better we have to all work together."