The IT industry must work together to do more to protect itself and help the police bring cybercriminals to justice
Imagine a world where almost all cybercrime could be detected and the perpetrators identified, with their actions correlated and corroborated with pinpoint accuracy.
We would know with virtual certainty where and when they had struck - the trail of evidence could point to the boardroom, the drug baron or the terrorist.
Sadly, this is not our world and although security technology is evolving, so are the methods of cybercriminals - those who use technology and the internet for illegal, and often significant, financial gain.
Twenty years ago, who would have envisaged the possibility of renting teams of computers that could collectively target and attack specific businesses and organisations? Or that hackers could use distributed denial of service attacks to extort money from companies by threatening to disrupt their day-to-day business? Yet this is reality.
Hacking kits are freely available on the internet and even moderately skilled individuals can be instructed in how to use and abuse vulnerabilities within applications and operating systems.
Worryingly, the time between the identification and exploitation of a vulnerability is shrinking, giving us days rather than weeks to plug and patch holes. Cybercriminals could even threaten to bring a business down unless a ransom were paid - in effect, a distributed extortion attempt.
And what about key loggers? They not only pose a risk to users of online banking services, but are also a very real problem for businesses, as was clearly demonstrated by the attempted theft of £220m from Japan's Sumitomo bank in March.
Although audacious in its scale, this hack-heist was just one of a myriad of ways for cybercriminals to operate. Most worrying is that for every story that becomes public knowledge, tens of attacks will remain forever secret to protect professional reputations and corporate brands.
This situation will continue if we do not operate in a way that puts prevention, detection and safe disclosure at the top of our agenda as business and IT professionals. We need to take the initiative away from those who would undermine our right to operate without risk of harassment and use systems in grossly inappropriate ways.
First, there needs to be greater deterrence for the cybercriminal. There is a perceived anonymity for the hacker or virus writer, but when they do get to court, it is all too common for IT evidence to be inadmissible for one reason or another.
This situation has arisen because many of the IT infrastructures in existence cannot admissibly "pull" information that would be helpful in court.
I have led workshops in the UK and Ireland where I have argued for some time that protective and preventive measures are key when building secure infrastructures for businesses.
Although it is vital for systems to be "appropriately" secure and seen to contribute to cost-effective business operations, there is a growing need for crime prevention elements to be built in. In addition, those systems should be flexible enough to be used by law enforcement agencies such as the National Hi-Tech Crime Unit, if ever such a situation did arise in your company.
But this responsibility does not just fall to IT managers and directors. We have a shared responsibility as suppliers, technology partners, business and security professionals to work together in building supportive security architectures.
These architectures must defend against the perversions of some, but also take account of the needs of fluid business operations.
We all know that security threats will increase at rates that will stagger and intimidate - viruses, exploits, malware and denial of service are here, but it is what we do about them that is important.
Most recently, new threats have arisen - spim (instant message spam) and phishing (identity spoofing exploits that encourage users to provide banking details to criminals) are becoming common.
We need strategic architectures to counter these threats, and standards and policies that provide admissibility within our IT infrastructure and can give the police the evidence they need to convict cybercriminals.
Simple building blocks are needed. The IT industry must consider what the police require to catch cybercriminals and then work with them in defining scope and approaches. Technology has a critical role to play in delivering information that supports the police.
Risk strategies, design requirements and implementations could be revisited so that if ever an act of cybercriminality were perpetrated against your organisation, you would at the very least be able to provide the police with information in an admissible form for the courts.
The task is far too onerous for a single organisation to tackle alone. As an industry, we need to support each other, with the onus on everyone to do more to help the police to combat cybercriminals. To date, our efforts have been well below average.
Shaun Fothergill is security strategist UK & Ireland for Computer Associates
CA can be found at InfoSecurity at stand number 410
This was first published in April 2005