The news is replete these days with antics of script-kiddies, password thieves, virus infection, mobile hostile code, denial of service and various other cyber-perpetrations so numerous one is tempted to yawn and think "So what else is new?" Online crime, if it can be called that, is no longer exceptional -- remember the Philippine student who was found to be the loveletter virus author and who walked away without being charged due to national "lawlessness." Instead, online attacks are to be expected and woe be to those who ignore the armaments and techniques mandated for a modicum of protection.
Still don't have your attention? Consider the expected $1.6 trillion in attack costs this year according to a July, 2000 study conducted by PricewaterhouseCoopers LLP and InformationWeek Research.
Naked with the whole world watching
Now the opposite is news: cracked companies are the highlights instead of those who hacked them. Curious minds want to know which organization's computication security was weak enough to allow the amateurs, the unsophisticated, and those without a life to stumble inside for selections from the mayhem menu. Menu specials today include information theft, data destruction, password access, Trojan code, slave platforming, graffiti, account information, funds transfer... the list goes on. Should we really be worrying about those without demands on their time, those who devote themselves to disorder? Hardly.
Consider the First Online Bank Robbery. How would you like to be senior management at Egg.com -- one of Britain's high-profile online banks serving 1.1+ million customers?
Eighty percent owned by Prudential, Egg's security image has suffered serious damage after widely varying news reports suggested substantial financial losses on one hand and stolen account information and financial leaks on the other. Reported revelations made by law enforcement created a PR nightmare that couldn't help but damage Egg's reputation and stock value. To make damage control even worse, what was thought to have been an act committed by organized crime was later attributed to amateurs who didn't know how to cover their tracks. Perpetrator skill will only become more sophisticated while law enforcement remains strapped by funding shortages, competing priorities, and investigations yielding records few firms would want to make publicly available. What's a chief security officer (CSO) to do?
New objectives, old desires
It used to be that perpetrators and rule breakers didn't have to be smart to get in trouble, just dumb enough to get caught. The 1999 CSI/FBI annual Computer Crime and Security Survey emphasizes that mayhem ensues within as well as outside organizations -- but outside incidents are climbing while inside jobs are stabilizing or declining. With e-commerce and legislative agendas challenging digital anarchy, cracker incentives are fading. In other words, dangers to the e-dumb are increasing while e-smart crackers are looking for a better risk/reward ratio.
Past cracker incentives:
- Thrill seeking
- Learning new tricks
- Knowing more than others
- Creating a life rather than facing one
- Becoming part of a "special" community (i.e., cracker)
- Taunting authority/"The Man"
- David vs. Goliath effect
- Anonymous lifestyle
- Incident adventures
- Substantial financial returns
- Upscale lifestyle
- Respected technical and professional skills within their own community
- Competitive playing field
- Both individual projects and team participation
- State-of-the-art technologies and techniques
- Goal accomplishment
- Systematic and logical techniques that underwrite success
- Top training and good education
What's a CSO to do?
There should be little doubt now that organizations are becoming the targets of a variety of invading hordes. Depending on the firm's mission, size, assets, and visibility, CSOs must continually analyze online attacks to recognize the shifting motivations of those behind them. There are steps available to minimize intrusions into likely online corporate targets.
- Conduct a risk analysis. Identify those resources that are highly desirable to prackers.
- Overprotect those assets identified in step one. Overprotection in this arena can include partial security outsourcing of high-risk assets. Insurance is an option at this level. Double protection results: specialized and dedicated protection/coverage from the outside and focused oversight inside.
- Conduct periodic vulnerability assessments to maintain internal assurance and external vigilance.
Dr. Goslar is Principal e-Security Analyst and Manager of E-PHD, LLC - an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.