Yule be sorry
- Posted: 13:33 12 Dec 2003
- Topics: Security | Business Continuity
IT security threats are a year-round headache, but the season of goodwill seems to bring them out in sackloads. You should take precautions, writes Lindsay Nicolle.
Christmas is coming and the goose is getting fat, but amid so
much seasonal joy, there is a darker side. Hackers, virus writers
and organised criminals are anticipating rich pickings over the
Yuletide holiday in the knowledge that commercial battlements will
be staffed by a skeleton crew, and attention will be more focused
on the office party and new year celebrations than on the mundane
job of protecting businesses from IT security threats.
The sad truth is that businesses are ripe for plucking at this
festive time. Money flows into companies, especially in retailing,
and the number of banking transactions rockets. Christmas is a
great time to get noticed if you want to disrupt commerce, simply
enjoy the havoc caused, or snatch some cash.
The list is long: denial of service attacks, industrial espionage,
capitalising on inherent product vulnerabilities - even natural
disasters seem to occur more often at Christmas, challenging
companies with power surges, blackouts and floods.
Of course, IT security threats can occur throughout the year, but
Christmas seems to concentrate the minds of the greedy, and those
with a playful or malicious intent.
"The IT threats that businesses face are the same all year round,
but Christmas is a time to be extra vigilant. Because of the amount
of trade conducted online there is the potential for more victims,"
says detective chief superintendent Len Hynds, head of the UK's
National Hi-Tech Crime Unit. "In particular, wherever the money
goes organised crime will follow, and we should be alive to that
issue at this time of year."
Hynds' 55-strong team is already busy investigating the use of
technology to aid extortion, fraud, child abuse and class A drug
trafficking, as well as pursuing virus writers and
hackers.
So are businesses as security conscious as they need to be?
Research suggests that although money is being made available to
plug gaps in IT security, it is not always being spent
wisely.
Company spend on IT security is increasing every year and is poised
to reach the landmark figure of 5% of total IT spend, according to
research firm Gartner. But research conducted on behalf of IT
services firm Unisys reveals that more than 50% of European
companies employing 500 or more staff do not have a formal disaster
recovery plan to cover all their IT infrastructure.
Of those that have disaster recovery plans, 30% either do not test
them, or are unaware they are ever tested, even where they affect
technologies vital to the running of the business. Moreover, nearly
20% have no disaster recovery plan at all.
So just how great is the IT security threat to businesses?
According to the latest quarterly internet risk report compiled by
the X-Force research arm of Internet Security Systems, security
incidents increased by 15% in the third quarter of 2003.
The report lists 725 new product vulnerabilities, citing gaps
exposed in the Microsoft operating system - which were exploited by
the MS Blast virus and Nachi/Welchia worms. The attacks occurred
quickly after the disclosure of the product's vulnerabilities, soon
enough to compromise many unpatched systems. X-Force also documents
823 new viruses and worms - an increase of 26% over the preceding
quarter.
Network breaches are common over Christmas. One in three network
managers expects to be called at home over the holidays to deal
with a security breach, according to an informal poll by internet
security firm WatchGuard Technologies. Small and medium-sized
companies are particularly vulnerable to seasonal spam,
non-work-related web surfing by staff and temporary staff who may
not understand or comply with security policies and procedures,
says WatchGuard.
For large enterprises, perhaps the greatest IT security fear is
being the victim of a denial of service attack.
This year East European gangs have been using hacking techniques to
launch waves of denial of service attacks on company networks,
costing victims millions of pounds in lost business and exposing
them to blackmail.
The National Hi-Tech Crime Unit is investigating how one betting
site was targeted, but there are also reports that web retailers
and payment providers have been attacked. Blackmailers
typically demand up to £30,000 for one year's "protection"
from attack.
Other horror stories include damage to online payments services,
such as that suffered by Worldpay in early November, although it is
reported in that case that blackmail was not involved. Microsoft's
website was hit twice in August, and the root servers of the
internet were attacked last year.
Digital fraud is another recognised enemy of business. In the
summer, online banking customers of Smile and Barclays were
subjected to a scam which attempted to capture account details to
aid fraudulent withdrawals. A bogus e-mail asking customers to go
to a web page and provide their log-on security information as part
of a technical update formed the basis of the scam. These so-called
"phishing" attacks involve the mass distribution of spoof e-mail
messages with return addresses, links, and branding which appear to
come from banks, insurance agencies, retailers or credit card
companies.
Supplier Tumbleweed estimates that these e-mails are so convincing
that up to 20% of recipients may respond to them, resulting in
financial losses and identity theft.
For most organisations, spam is the single greatest threat to the
security of their e-mail systems, says Matt Cain, vice-president at
analyst firm Meta Group. Even "innocent" spam is a major threat to
business continuity, he says.
A growing number of companies are being sent multimedia
Christmas cards by e-mail, which puts them at risk of viruses and
clogged-up networks.
"Organisations should acquire integrated tools that handle multiple
e-mail hygiene duties, including anti-spam. These types of tools
promote efficiencies at the operational level and at the management
level, as well as minimising supplier product conflicts," says
Cain.
Corporate websites are popular targets for attack from disgruntled
employees, hackers and criminals.
In 1999, biotechnology company Aastrom Biosciences watched its
website in fascination as its share price seemingly soared on the
Stock Exchange, until management realised the company was the
victim of a hacker. Someone had modified information on a web page
to increase the apparent value of the company's shares.
Some hackers are turning to industrial espionage to earn more money
in the shadowy world of spyware. Spyware is software that covertly
gathers and transmits data about the usage of a machine. Some of
this software can record all keystrokes, passwords and other
confidential information, then send data off to competitors.
One in three companies has detected spyware on a network, says
Frank Coggrave, UK regional director at Websense. "In the US
recently, an investment broker lost £23,000 after installing
what he thought was a market analysis program, which turned out to
be spyware which was transmitting his account log-on details to
hackers," he says.
Companies often choose to downsize over the Christmas period, axing
staff when they think others will not notice, or cutting bonuses.
It is common to hear tales of unhappy employees who corrupt or
delete corporate data, plant viruses timed to cause future
devastation, or who spike corporate networks from afar.
In Australia, one disgruntled ex-employee hacked his previous
employer's systems and succeeded in flooding the grounds of a hotel
with raw sewage.
Things can quickly get out of hand, says Jim Burtles, director of
business continuity specialist Total Continuity. "A disgruntled
employee can cause devastation if allowed to continue to access
corporate systems remotely - many companies are slow to cancel user
authorisations and privileges when staff leave," he says.
"Even innocent incidents, such as poor staff planning, can be a
company's undoing over Christmas, for example, not hiring enough IT
support staff to cope with seasonal demand. Companies should have
plans in place and resources available over the season to ensure
their businesses remain unaffected, whatever happens."
Companies also need to ensure they have the necessary resources to
carry out any upgrade projects planned over the Christmas period,
when the pressure of everyday work may have eased. But even here,
there are inherent IT security dangers.
"The risks of infrastructure disruption can increase if you try to
do complex upgrades when staff and suppliers are not in the mood,
or simply not available," says Colin Griffin, IT manager at Surrey
County Council, who is a member of the Survive Information Security
Special Interest Group.
What, then, is the answer to the perennial IT security problem at
Christmas?
Tarek Meliti, technical director of server hosting company TDM
Group, suggests outsourcing the responsibility for your IT systems
to a third party. "Let them deal with the headaches, not you," he
says.
It sounds appealing, providing the third party has adequate IT
security of its own.
Meanwhile, Gartner predicts that by 2005, nearly 20% of enterprises
will have experienced a "serious" - beyond a simple virus -
internet security incident, and the clean-up costs will exceed the
prevention costs by 50%.
While you are worrying about all these threats, remember, the
security measures you put in place in the festive season will stand
you in good stead throughout next year.
Twelve threats for Christmas
Copy-cat websites
Hackers
Industrial espionage
Infrastructure faults
Natural disasters
Network overloads
Organised criminals
Product vulnerabilities
Robbery
Staff
Terrorists
Virus writers
Security advice
Every security threat calls for some kind of counter-measure:
intrusion and detection software; firewalls; a new corporate policy
on staff vetting; or just more physical locks.
Whatever the threat, it would be foolhardy not to address the
basics of IT security - namely, back up your data regularly,
conduct a realistic risk assessment, and devise and regularly test
a plan designed to mitigate a range of likely disasters.
Detective chief superintendent Len Hynds, head of the UK's National
Hi-Tech Crime Unit, campaigns for businesses to adopt a holistic
approach to IT security.
"Companies should look at how their technology is configured - have
up-to-date firewalls, anti-virus software and intrusion detection
systems in place - and they also need to build staff vetting
procedures into their HR strategies," he says.
"They need to look at the processes by which they recruit and
retain staff and consultants. They should also re-examine the
physical security around the buildings they work in to ensure it
protects all technologies. For example, they could examine the
security processes they have in place for protecting valuable data
on laptops using wireless Lans."
More information on internet threats www.iss.net