Yule be sorry

IT security threats are a year-round headache, but the season of goodwill seems to bring them out in sackloads. You should take precautions, writes Lindsay Nicolle.

Christmas is coming and the goose is getting fat, but amid so much seasonal joy, there is a darker side. Hackers, virus writers and organised criminals are anticipating rich pickings over the Yuletide holiday in the knowledge that commercial battlements will be staffed by a skeleton crew, and attention will be more focused on the office party and new year celebrations than on the mundane job of protecting businesses from IT security threats.

The sad truth is that businesses are ripe for plucking at this festive time. Money flows into companies, especially in retailing, and the number of banking transactions rockets. Christmas is a great time to get noticed if you want to disrupt commerce, simply enjoy the havoc caused, or snatch some cash.

The list is long: denial of service attacks, industrial espionage, capitalising on inherent product vulnerabilities - even natural disasters seem to occur more often at Christmas, challenging companies with power surges, blackouts and floods.

Of course, IT security threats can occur throughout the year, but Christmas seems to concentrate the minds of the greedy, and those with a playful or malicious intent.

"The IT threats that businesses face are the same all year round, but Christmas is a time to be extra vigilant. Because of the amount of trade conducted online there is the potential for more victims," says detective chief superintendent Len Hynds, head of the UK's National Hi-Tech Crime Unit. "In particular, wherever the money goes organised crime will follow, and we should be alive to that issue at this time of year."

Hynds' 55-strong team is already busy investigating the use of technology to aid extortion, fraud, child abuse and class A drug trafficking, as well as pursuing virus writers and hackers.

So are businesses as security conscious as they need to be? Research suggests that although money is being made available to plug gaps in IT security, it is not always being spent wisely.

Company spend on IT security is increasing every year and is poised to reach the landmark figure of 5% of total IT spend, according to research firm Gartner. But research conducted on behalf of IT services firm Unisys reveals that more than 50% of European companies employing 500 or more staff do not have a formal disaster recovery plan to cover all their IT infrastructure.

Of those that have disaster recovery plans, 30% either do not test them, or are unaware they are ever tested, even where they affect technologies vital to the running of the business. Moreover, nearly 20% have no disaster recovery plan at all.

So just how great is the IT security threat to businesses? According to the latest quarterly internet risk report compiled by the X-Force research arm of Internet Security Systems, security incidents increased by 15% in the third quarter of 2003.

The report lists 725 new product vulnerabilities, citing gaps exposed in the Microsoft operating system - which were exploited by the MS Blast virus and Nachi/Welchia worms. The attacks occurred quickly after the disclosure of the product's vulnerabilities, soon enough to compromise many unpatched systems. X-Force also documents 823 new viruses and worms - an increase of 26% over the preceding quarter.

Network breaches are common over Christmas. One in three network managers expects to be called at home over the holidays to deal with a security breach, according to an informal poll by internet security firm WatchGuard Technologies. Small and medium-sized companies are particularly vulnerable to seasonal spam, non-work-related web surfing by staff and temporary staff who may not understand or comply with security policies and procedures, says WatchGuard.

For large enterprises, perhaps the greatest IT security fear is being the victim of a denial of service attack.

This year East European gangs have been using hacking techniques to launch waves of denial of service attacks on company networks, costing victims millions of pounds in lost business and exposing them to blackmail.

The National Hi-Tech Crime Unit is investigating how one betting site was targeted, and there are reports that web retailers and payment providers have also been attacked. Blackmailers typically demand up to £30,000 for one year's "protection" from attack.

Other horror stories include damage to online payments services, such as that suffered by Worldpay in early November, although it is reported in that case that blackmail was not involved. Microsoft's website was hit twice in August, and the root servers of the internet were attacked last year.

Digital fraud is another recognised enemy of business. In the summer, online banking customers of Smile and Barclays were subjected to a scam which attempted to capture account details to aid fraudulent withdrawals. A bogus e-mail asking customers to go to a web page and provide their log-on security information as part of a technical update formed the basis of the scam. These so-called "phishing" attacks involve the mass distribution of spoof e-mail messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies.

Supplier Tumbleweed estimates that these e-mails are so convincing that up to 20% of recipients may respond to them, resulting in financial losses and identity theft.

For most organisations, spam is the single greatest threat to the security of their e-mail systems, says Matt Cain, vice-president at analyst firm Meta Group. Even "innocent" spam is a major threat to business continuity, he says.

The increasing number of companies being sent multimedia Christmas cards by e-mail risk viruses and clogged-up networks.

"Organisations should acquire integrated tools that handle multiple e-mail hygiene duties, including anti-spam. These types of tools promote efficiencies at the operational level and at the management level, as well as minimising supplier product conflicts," says Cain.

Corporate websites are popular targets for attack from disgruntled employees, hackers and criminals.

In 1999, biotechnology company Aastrom Biosciences watched its website in fascination as its share price seemingly soared on the Stock Exchange, until management realised the company was the victim of a hacker. Someone had modified information on a web page to increase the apparent value of the company's shares.

Some hackers are turning to industrial espionage to earn more money in the shadowy world of spyware. Spyware is software that covertly gathers and transmits data about the usage of a machine. Some of this software can record all keystrokes, passwords and other confidential information, then send data off to competitors.

One in three companies has detected spyware on a network, says Frank Coggrave, UK regional director at Websense. "In the US recently, an investment broker lost £23,000 after installing what he thought was a market analysis program, which turned out to be spyware which was transmitting his account log-on details to hackers," he says.

Companies often choose to downsize over the Christmas period, axing staff when they think others will not notice, or cutting bonuses. It is common to hear tales of unhappy employees who corrupt or delete corporate data, plant viruses timed to cause future devastation, or who spike corporate networks from afar.

In Australia, one disgruntled ex-employee hacked his previous employer's systems and succeeded in flooding the grounds of a hotel with raw sewage.

Things can quickly get out of hand, says Jim Burtles, director of business continuity specialist Total Continuity. "A disgruntled employee can cause devastation if allowed to continue to access corporate systems remotely - many companies are slow to cancel user authorisations and privileges when staff leave," he says.

"Even innocent incidents, such as poor staff planning, can be a company's undoing over Christmas, for example, not hiring enough IT support staff to cope with seasonal demand. Companies should have plans in place and resources available over the season to ensure their businesses remain unaffected, whatever happens."

Companies also need to ensure they have the necessary resources to carry out any upgrade projects planned over the Christmas period, when the pressure of everyday work may have eased. But even here, there are inherent IT security dangers.

"The risks of infrastructure disruption can increase if you try to do complex upgrades when staff and suppliers are not in the mood, or simply not available," says Colin Griffin, IT manager at Surrey County Council, who is a member of the Survive Information Security Special Interest Group.

What, then, is the answer to the perennial IT security problem at Christmas?

Tarek Meliti, technical director of server hosting company TDM Group, suggests outsourcing the responsibility for your IT systems to a third party. "Let them deal with the headaches, not you," he says.

It sounds appealing, providing the third party has adequate IT security of its own.

Meanwhile, Gartner predicts that by 2005, nearly 20% of enterprises will have experienced a "serious" - beyond a simple virus - internet security incident, and the clean-up costs will exceed the prevention costs by 50%.

While you are worrying about all these threats, remember, the security measures you put in place in the festive season will stand you in good stead throughout next year.

Twelve threats for Christmas

Copy-cat websites

Industrial espionage

Infrastructure faults

Natural disasters

Network overloads

Organised criminals

Product vulnerabilities

Virus writers

Security advice

Every security threat calls for some kind of counter-measure: intrusion detection software; firewalls; a new corporate policy on staff vetting; or just more physical locks.

Whatever the threat, it would be foolhardy not to address the basics of IT security - namely, back up your data regularly, conduct a realistic risk assessment, and devise and regularly test a plan designed to mitigate a range of likely disasters.

Detective chief superintendent Len Hynds, head of the UK's National Hi-Tech Crime Unit, campaigns for businesses to adopt a holistic approach to IT security.

"Companies should look at how their technology is configured - have up-to-date firewalls, anti-virus software and intrusion detection systems in place - and they also need to build staff vetting procedures into their HR strategies," he says.

"They need to look at the processes by which they recruit and retain staff and consultants. They should also re-examine the physical security around the buildings they work in to ensure it protects all technologies. For example, they could examine the security processes they have in place for protecting valuable data on laptops using wireless Lans."

More information on internet threats: www.iss.net
