Outsourcing security

Written by Lewis Z. Koch, Contributor

It's called denial. Let's at least get this one fact correct: The Computer Security Institute's 1998 Computer Crime Survey, conducted jointly with the Federal Bureau of Investigation, reported that the average cost of an outside hacker penetration totaled $56,000, while the average insider attack costs a company $2.7 million.


29 June 2000 - Way back in 1994 when 24-year-old computer programmer Vladimir Levin, working out of St. Petersburg, Russia, hit Citibank for $10 million, he had someone on the inside, helping.

So, if you're the chief executive of a gazillion-dollar firm, where do you put your strongest computers and software defense - against outside computer miscreants who might cost you $56,000 or against the insiders - auditors, for example - sucking $2.7 million from your cash drawer or secret files?

Listen for signals, not noise

It still comes as a surprise when the ninth annual report on fraud from the Canadian branch of worldwide consulting company KPMG reveals that top Canadian executives, those involved in e-businesses or contemplating entering the e-business market, "overwhelmingly believe that the greatest threats posed to their e-commerce systems are via the Internet or from other external sources."

Such a finding saddens Gary Gill of KPMG's Vancouver, B.C., office, who handled the survey. "At the end of the day you hope they'll realize that the internal threat is still there," he said.

Gill believes corporate executives are fixated on the threat from computer thieves and miscreants who steal credit cards and engage in denial-of-service attacks - almost, it seems, without ever being caught. The more noise the media make about the danger of outsider hackers, the less executives are able to perceive the true signal: that the greatest threat lies within their own castle.

Where have all the Mounties gone?

Bill Carter recently joined KPMG straight from the Royal Canadian Mounted Police's white-collar-computer crimes division. He is less than enthusiastic about the Mounties', or the FBI's, ability to combat external or internal computer-Internet crime.

"In Canada and the U.S.," Carter said, "we have police structures over the years, where people who develop expertise in this area are not rising through the ranks of police agencies." Translation: Becoming skilled at combating computer crime gets a Canadian cop little prestige and no significant perks or salary increases.

It gets worse, according to Carter. Cops who do know something about computer crime "move on, leaving the law enforcement agencies in a terrible mess because the best are moving into the private sector, and the agencies are left with lower-level officers without the expertise. It's a vicious circle." Where are the sophisticated, knowledgeable cops going? To consulting companies like KPMG.

In other words, the responsibility for maintaining the security of the Internet is being out-sourced. That may prove to be a very good idea or a very bad one. Can you spell v-i-g-i-l-a-n-t-e?

There are a huge number of computer security companies, the newest of which offer 24-by-7 "protection." Are they replacing the ineffectual RCMP, FBI and National Infrastructure Protection Center? If so, how does the legal system interact with them? Will they hand over a suspect to law enforcement? What about evidence? Who's responsible for maintaining the "chain of custody?" And will the evidence conform to the rigorous scientific standards laid down by the Supreme Court?

There are reports that the two private computer security companies called in by the FBI to identify and examine the evidence against "Maxim," the computer thief thought to have stolen 300,000 credit-card numbers from CD Universe, have already compromised the forensic evidence so badly that, even if Maxim is caught, a conviction would be impossible.

There have also been unconfirmed reports about a fellow who uses the handle Lou Cipher - Get it? Lucifer? - who is said to have actually beaten hackers and taken a baseball bat to their computers. By day, this guy is allegedly a senior security manager. One is tempted to dismiss this as hyperbole, a fantasy that makes the movie Hackers seem like a documentary. Nevertheless, there is a growing sense of frustration with computer miscreants and thieves, as well as a disturbing willingness among top corporate executives to consider taking - shortcuts.

100 percent failure rate

Nahum Goldman's company, ADDSecure.net, is a Boston-based computer security audit boutique with a technological presence in Ottawa, providing external security auditing services for Internet and extranet servers and workstations. The company tests the hell out of computer systems, using an automated method. Goldman's security assessment consists of 300,000 tests, which take two to four hours to complete. His success rate - exposing vulnerabilities within a company's system - is "100 percent," he said, in a thick accent that proclaims his Russian heritage. No one passes.

The only way to achieve perfect security is to go out of business. And security can help force you out of business if it makes your service unpleasant or nearly impossible for customers to use. But at least a company can now make an informed choice as to the depth and reliability of its security.

Goldman's audit differs in that it's all he does. His only product is his failure-finding test. He doesn't sell expensive firewalls or other hardware, nor is he peddling software that encrypts, blocks access or guards against viruses. Goldman will point a customer to the Yellow Pages or a few Web sites, but then it's up to the client to decide on the degree of security wanted. Goldman has no hidden agenda. Too often, security firms want to line the "vulnerable" company with a gang of hardware, software and continued audits - which can quickly add up to hundreds of thousands of dollars.

The bottom line is that companies had better begin to take computer security seriously. "When the bloody thing fails," Goldman warned, "- and it's only when, not if - when they're in a court of law, they'll be asked by the judge if they've done due diligence. It's then the company will take off our seal and show it to the judge and say, 'They gave us a seal of approval. It came from a company that wasn't interested in selling us anything.' Then the judge will understand the company undertook reasonable, prudent diligence."

Goldman said security audits should be as fearsome as financial audits. "Right now, failing a financial audit can result in jail time for bankers. Flunk a security audit - who cares?" Right, who's complaining? Certainly not insider thieves, who continue to be ignored while their penny-ante punk counterparts in Hackersville get all the publicity. Works for them!
