
Where are the security blackspots in your IT systems?

The rise of the internet means that IT systems are at greater risk of attack than ever before

Every week there seems to be another story in the press outlining the horrors of some new security threat involving email or the internet. Email libel, denial-of-service attacks or credit card fraud on e-commerce sites are just some examples. It seems that the internet is exposing us to a whole host of new dangers.

Yet most of these threats are not without precedent: they are as old as computing itself. What the internet has done is to intensify the impact of traditional threats. They happen more quickly, as with the spread of viruses. They happen in a more public fashion and affect the whole of a business, not just one department, as companies like Yahoo are only too aware. The perpetrators can work more secretively and anonymously – and the relative importance of different risks is changing.

Mike Collins, European security marketing manager at systems management tools supplier Tivoli, says viruses provide a good demonstration of how the internet is intensifying traditional threats.

Early PC viruses were passed through demos of games or screen savers on disc. It would typically take six to 12 months for a virus to propagate and have an impact. The advent of email allowed viruses to be sent in attachments, but these had to be run to infect the machine and not everyone would do that or forward the virus. Nevertheless, propagation times fell from months to weeks.

More recently, we have seen the emergence of viruses such as Melissa which can propagate themselves automatically when the attachment is opened, and even viruses which can replicate without the attachment being accessed. Propagation now takes just a matter of hours and can affect whole organisations very quickly.

The internet not only helps spread threats such as viruses, it fosters their creation. Collins points out that the culture of the internet is, in general, geared to making it easier for like-minded people to find each other and spread ideas and tools. This applies to hackers and virus creators as much as anyone else.

“You can get onto the internet to find hacking and virus-creation tools and you don’t need to be a rocket scientist to have a go,” Collins says. “There is also more joined-up effort to achieve goals, such as people getting together to co-ordinate denial-of-service attacks.”

On top of that, the current wave of enthusiasm for all things e-enabled has encouraged many organisations to dive into developing internet capabilities as quickly as possible. The consequence, according to Kelvin Lack, a partner in security consultancy Insight Consulting, is that “while they are placing emphasis on security for their web activities, their internal and legacy systems have not had the same attention paid to them. If people can get through the outer defences, the exposure may be even greater.”

Ian Kilpatrick, managing director of security solutions supplier Wick Hill Group, thinks companies will be particularly vulnerable when they migrate applications originally developed for intranets to extranets or the internet.

“These internal systems won’t have been designed with the appropriate level of security in mind,” he says. “The problem is compounded by the fact that many internet and e-commerce sites are designed outside the IT group and it can be hard to retrofit security to them.”

In particular, the move to richer functionality at the client end – whether in terms of complex attachments to emails or client-side code such as ActiveX components and Java applets – is presenting new openings for malicious behaviour.

The growth of e-commerce will also lead to a corresponding growth in e-based fraud. Chris Heslop, internet marketing manager for content security specialists Content Technologies, points out that much attention is currently being paid to credit card fraud, with solutions such as Cybersource’s Internet Fraud Screen.

But Heslop believes this is only a minor threat compared to the dangers of tampering with business-to-business transactions. Assuring the integrity and authenticity of e-based trading will be a key issue.

Employee risk

However, one thing which certainly hasn’t changed is that you are still most at risk from your own employees.

Although the internet has increased the opportunity for attacks by outsiders, Lack says this is balanced by greater use of contractors and higher levels of turnover amongst permanent staff. There are now more people working within the organisation who have both the skills to access information and reduced loyalty to their employer.

Phil Ryan, head of internet security at Peapod, adds that the internet has provided rogue insiders with a wonderful tool to steal information discreetly.

A survey by the Computer Security Institute found that 97% of all reported attacks involved some kind of insider abuse of Net access.

On top of that, Collins points out, intranets and knowledge management projects have resulted in information becoming more widely disseminated without the right protection necessarily being put in place. Even your most loyal staff can present a hazard.

“A lot of security problems don’t result from malice, but from people not observing policies such as protecting passwords,” Collins points out. “Damage can be caused inadvertently, information can get out accidentally and systems can be left more vulnerable to attack by outsiders.”

In many cases, internet technologies have been introduced without the surrounding envelope of policies on how to use them appropriately. Email is a good example.

“People don’t treat it in the same way as a paper-based letter when constructing messages, but it leaves the same permanent trail,” Heslop points out.

According to Richard Walters, European product marketing manager for systems security at security consultants Integralis, the dangers of careless email use include libel, breach of confidence, mis-statement and the formation of inadvertent contracts.

Heslop adds that the internet also provides significant opportunities for staff to appear to be working while being completely unproductive: sending personal emails or web surfing for personal reasons. This is in addition to the issue of staff committing criminal acts such as downloading pornography.

Apart from the lost productivity which results from this behaviour, you also face the cost of investigating such incidents. According to Lack, a single incident can cost £150,000 to investigate in terms of staff time, software tools and so on, aside from the potential damage to the organisation’s reputation.

Ryan thinks the greatest threat from insiders comes from those who are most trusted and have the greatest technical expertise: systems administrators and other technical professionals.

“Organisations spend a lot of money on technical defences, but rarely check out the people they employ. I can see that a political pressure group such as an animal rights organisation might plant someone in a company such as a pharmaceuticals giant to work in IT to gain access to systems at a high level,” he says.

The notion of pressure groups using IT to target their opponents in business or government is not, as it might sound, the plot of a thriller but an increasingly likely situation in the real world. The archetypal hacker – the teenager in his bedroom with a pile of IT kit – still exists and the internet has increased the number of targets he can attack.

But Ryan points out that, while this kind of hacker can be a nuisance, they are rarely persistent and usually aren’t motivated to damage any particular organisation.

Pressure groups and hackers

However, the same knowledge and technologies are now being used by people with stronger, often single-minded motivations. These may include pressure groups who in the past have been willing to risk arrest for serious crimes in the physical world, who now see the internet as another way to attack the people they want to humiliate or influence.

Intelligence services will also use hacking to access or corrupt data in other countries’ systems – as with the denial-of-service attacks launched at the Nato website during the conflict in Kosovo.

Hacking via the internet will undoubtedly become a key weapon in industrial espionage. Ryan believes the recent large-scale denial-of-service attacks on companies such as Yahoo and eBay may have involved attempted extortion. “I think we will see more and more ‘professional’ attacks by people with resources who know what they are doing,” Ryan says.

The latest wave of denial-of-service attacks has involved “zombies” – many copies of the same code planted on multiple systems belonging to others which can be triggered simultaneously to flood all the available bandwidth to the site under attack.

Ryan points out that it’s very hard to counter such attacks. “If you’ve been a target, it isn’t really practical to go round asking everyone else in the world to increase their security to prevent zombies being planted,” he says.

Even if you’ve not been the subject of a denial-of-service attack, you could still face embarrassment if your systems have been used as a stepping stone in an attack.

You are also now more likely to face legal prosecution by the courts if your security isn’t up to scratch. The new Data Protection Act has tightened the demands on organisations to secure data, especially customer data, and prevent unauthorised processing. Walters points out that this means that getting hacked may result not only in damage to your business and public embarrassment but also prosecution under the Act.

Equally, you may find yourself in trouble under the Computer Misuse Act and Obscene Publications Act if your staff pass on viruses or commit sexual or racial harassment using email. The seriousness of cyber-liability has been recognised by insurance companies who are now offering policies which indemnify businesses against the risks of introducing email.

Finally, the move to e-commerce means that many more organisations now need to run 24/7 operations – and that means a 24/7 capacity to monitor what’s going on.

“If all your security skills go home at 5pm, there is a window for attacks when no-one will be noticing,” Lack points out.

Kilpatrick adds that, just a few years ago, someone dialling in out of hours – even a member of your staff – would be highly visible. Now, many organisations expect people to be dialling in around the clock, so it’s harder to detect unauthorised access, whether by external hackers or your own employees.

“The complexity of log files and the lack of reporting structures and management processes mean organisations don’t even realise they’re under attack,” says Kilpatrick.

IT security – where are the threats?

Proportion of organisations reporting (% of all attacks reported)
Unauthorised use of computer systems: 62%
The internet connection as a frequent point of attack: 57%
Unauthorised access of web site: 32%
Penetration by outsiders: 32%
Theft of proprietary information: 26%
Financial fraud: 14%
Financial loss as a result of misuse: 51%

Types of attack – all systems (% of all attacks reported)
Sabotage of data: 19%
Telecomms eavesdropping: 13%
Denial of service: 32%
Insider abuse of Net access: 97%
Insider abuse of information: 55%

Types of attack – websites (% of all attacks reported)
Vandalism: 98%
Denial of service: 93%
Financial fraud: 27%
Theft of transaction information: 25%

Source: Computer Security Institute computer crime and security survey, USA, 1999.

Risks and myths

Computer Weekly asked the security experts to list key security risks and debunk some common myths.

Mike Collins, Tivoli

Risks: Internal threats from your own staff inadvertently or intentionally gaining access and causing damage; the human element in the security solution, eg poor choice of password by users; viruses.

Greatest myth: Major threats originate only outside your organisation.

Chris Heslop, Content Technologies

Risks: Theft or accidental dissemination of confidential data, misuse of computer facilities (uncontrolled surfing/transmission of offensive material) and the impact of exposure on corporate image, corruption of data through viruses or other malicious code.

Greatest myth: Installing a firewall means you’ve sorted out your security.

Ian Kilpatrick, Wick Hill Group

Risks: Fraud, theft of company secrets, theft of data.

Greatest myth: Hackers and viruses are the nightmare scenario that you need to panic about and that there’s very little you can do to stop them.

Kevin Lack, Insight Consulting

Risks: Denial-of-service attacks, viruses, hacking by organised criminals to blackmail targets or manipulate financial markets.

Greatest myth: Big Brother: the extent to which information gathered in computers is being matched and used to monitor individuals has been overstated.

Phil Ryan, Peapod

Risks: Email, poor control of remote access to systems, poor application design or use of protocols which makes it hard to secure them when running over networks.

Greatest myth: That it’s a good idea to employ ex-hackers who have been cautioned or convicted of criminal behaviour as penetration testers or security experts.

Richard Walters, Integralis

Risks: Website vandalism, denial-of-service and distributed denial-of-service attacks, financial fraud.

Greatest myth: That a firewall provides adequate protection. Malicious attacks can be launched through email or port 80 on a web server.
