Securing Information In An Insecure World
Protecting company information systems from insiders is just as important as protecting them from outsiders.
By ROSSIE CORTES
December 16, 2004
Are Companies Doing Enough To Keep Their Information Systems Safe?
For many, the Internet is a blessing that has enhanced global communications. For others, it is a curse that has increased the exposure of businesses and governments to security risks.
Information is the lifeline of an economy, and keeping it secure is critical for businesses and governments worldwide. Gone are the days when security was something that executives thought about only when someone physically threatened their company or their employees, and that could be managed by hiring guards. In today's world, companies can't separate the physical security of their facilities and employees from the security of their information systems.
Businesses and governments must realize it is no longer sufficient to react to threats. Security measures must be taken proactively.
Securing information systems has become just as much a human problem as it is a technological challenge. People are the ones using the keyboards through which security is breached, intentionally or unintentionally. With wireless systems becoming the norm in voice and data communications, the security risks are even greater since wireless is more susceptible to security breaches.
Security breaches of information systems are costing companies millions of dollars each day, and the costs of managing and responding to these threats are rising. Companies not only must determine the vulnerability of their information systems; they must also assess where threats are most likely to come from, modify their networks, invest in new technology, and find and acquire the necessary expertise to secure their systems.
The number of challenges to computer-network security has risen, thanks to a boom in malicious attacks by hackers and viruses. This, in addition to an array of new communication technologies such as wireless, instant messaging, and Voice over Internet Protocol, presents new security risks. Depending on new technology won't necessarily make the problem go away, since new technology leads to new vulnerabilities.
While information technology (IT) security managers may not like to talk about it, one of the biggest security threats to business networks and computer systems isn't from hackers or competitors; it is from trusted employees, partners, and other insiders with access to the company's information systems.
It isn't always a question of insiders intending to hurt the company. Security breaches can transpire when, for example, an accounting employee innocently erases a spreadsheet or makes information available where it shouldn't be. Whether the breach occurs because of negligence or harmful intent, the end result is the same: Valuable information and data are damaged, lost, or accessed and exploited by others.
Because the Internet is borderless, dynamic, anonymous, and easily accessible, intentional attackers are well aware of the potential impact of using cyberspace to damage critical business, government, and infrastructure targets. Attacks on networks also have a cascading effect, where attacking one area can hurt others. The trend toward outsourcing presents an additional concern, as the security measures of those contracted may be inadequate.
Security threats include business disruptions; interruption of emergency systems such as 911 and hospital networks; and disruption of power grids, which can cause major economic losses to businesses without electrical power.
"The costs related to a security breach may include expenses associated with the repair of any damage caused to the network, the loss of customers' trust, and lost confidential data that may compromise the customers' and the company's financial future," said Kelvin Berberena, Caribbean territory manager at 3Com.
Even though completely protecting networks from every attack or security breach may seem impossible, companies such as Microsoft, Oracle, Cisco, 3Com, Avaya, and Nortel Networks have taken a firm stand against these threats. Each company has taken a proactive approach to prevent attacks and reduce the costs associated with security threats.
But the potential risks to information systems can change just as rapidly as new technology is created to prevent them, and security management doesn't come cheap, nor is it easy. IT managers need to chart a clear plan to assess and strengthen their security. Investment in security software and support services on the U.S. mainland is projected to climb from $551 million in 2003 to $808 million in 2008, according to a study by technology-research firm IDC.
"This new security approach has created more demand not only for security software and technology but also for professionals who know how to protect a company's assets and information," said Berberena.
According to the IDC study, securing information systems against potential threats has created a worldwide demand for security specialists. The number of information-security professionals in the U.S. is projected to increase from an estimated 1.5 million in 2003 to more than 2.1 million in 2008. The demand is greater for IT security professionals with expertise in security-software development, telecommunications and network security, business continuity and disaster recovery, and wireless security.
What are considered security risks?
The security industry is in the midst of an important transition. Spurred by the chaos following 9/11, widespread identity theft, and hackers for hire, companies are making significant investments to protect their information systems.
The 2004 E-Crime Watch survey of security and law-enforcement executives, conducted in cooperation with the U.S. Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center, shows a significant number of electronic crimes (e-crimes) and network, system, or data intrusions. Forty-three percent of the survey respondents reported an increase in e-crimes and intrusions in 2003, and 70% reported at least one e-crime or intrusion had been committed against their organization. Respondents also said e-crimes had cost their organizations over $660 million in 2003.
According to industry experts, threats to information systems can be divided into two groups. In one group are viruses, worms, and spam, widely considered to be the largest security threats to businesses in Puerto Rico. In the other group are hackers (internal and external) and unsecured new technology.
"Network security must protect a business from threats, both known and unknown, such as access breaches, attacks of worms and viruses, and internal threats, which tend to cause the most damage," said Ricardo Cabrera, Microsoft's security manager in the Caribbean and Latin America.
On the U.S. mainland, the theft of proprietary information costs an average $2.7 million per company, per year, according to the 494 computer-security practitioners who participated in the 2004 Computer Crime & Security Survey by the Federal Bureau of Investigation (FBI) and the Computer Security Institute. The survey also shows that 80% of network abuses come from insiders, with virus incidents representing 82% of the forms of attack or abuse.
Computer viruses, in much the same way a biological virus passes from person to person, are transmitted from computer to computer. A properly engineered virus can have an amazing, and disastrous, effect. Viruses are spread mostly over the Internet or through infected documents within the network. They must attach themselves to other programs or documents in order to get executed. Once a virus is running, it is able to infect other programs or documents.
Worms are computer programs that have the ability to copy themselves from machine to machine. They normally move around and infect other machines through computer networks, where they can expand from a single copy very quickly.
Spam is unsolicited (junk) e-mail sent to large numbers of people to promote products or services. There are a number of ways you can find yourself on a spammer's e-mail list, including signing up for newsletters from entities that sell lists of their subscribers' e-mail addresses, listing your e-mail address on a Web page or newsgroup, and even choosing an e-mail address that spammers may be able to guess.
Spam can merely be an annoyance, filling e-mail boxes, or it can cause major damage by deploying spyware or executable programs onto computers. In time, these culprits will provoke information systems to slow, freeze, crash, or fail. Corporate websites are also a great source of intelligence and can provide hackers with access to information systems.
Hackers and network risks
Hackers are usually computer users who understand the ins and outs of computers, networks, and the Internet in general. Although some people are legitimately hired by technology companies to pinpoint vulnerabilities in their networks, there are others who use this knowledge for criminal purposes. They are the ones who cause million-dollar losses for organizations worldwide.
Computer buffs are learning how to become hackers simply by going online. On the Internet, they can obtain explicit instructions on how to gain illegal entry to computer networks. By using the same resources, IT professionals can learn to prevent and prepare for a hackers attack.
To launch their attacks, criminal hackers may use viruses, worms, Trojan horses (malicious programs disguised as legitimate software), vulnerability scanners (used to quickly check computers on a network for known weaknesses), sniffers (applications that capture passwords and other data while in transit), exploits (of a program's weaknesses), and more.
Although businesses and consumers are attacked alike, retailers with a presence on the Internet are prime targets for extortion, according to FBI officials. This attack comes when someone claims to know of major security problems with the retailer's website and requests a handsome sum to prevent him or her from going public with the information, which can include the names, personal information, and credit-card and bank-account numbers of the retailer's customers.
Although this cyber-extortion has become a serious problem, many companies fail to report it. In fact, the 2004 Computer Crime & Security Survey found that more than two out of three organizations victimized by serious cyber-attacks didn't report them to law-enforcement entities.
According to FBI officials, some of these retailers didn't report attacks and extortions because they didn't want the negative publicity or feared competitors might use the situation to their advantage. More than half said they didn't even know such incidents could be reported. Many organizations and companies didn't know how or where to report cyber-intrusions.
Other companies fall victim to hackers who take advantage of information carried over Wireless Fidelity (Wi-Fi) networks between unsecured computers. "Businesses are putting tighter security around Wi-Fi-enabled PCs and are putting firewalls on laptops to ensure that wherever someone logs in, he or she will be protected from hackers," said Microsoft's Cabrera. "Some of these firewalls cut a laptop from the Net unless it's connected to the home office via a virtual private network that encrypts data."
Jim O'Leary, director of education for the nonprofit Computer Security Institute, which holds classes and conventions on cybersecurity, said eliminating vulnerabilities now means conducting a more thorough check. "Firewalls, antivirus software, and other security systems don't allow a network-security operator to easily understand all the information they provide.... These systems mainly provide a false sense of security," he said.
Responding to threats
A few years ago, an industry of tactical solutions emerged to help companies combat security problems, which led to antivirus programs, firewalls, etc. In 2005, such solutions will consist of security integration, developing open and standardized interfaces to share, distribute, and correlate security-relevant events and information. Security vendors without these capabilities may disappear from the market, no matter their level of dominance today.
"To be able to protect themselves, companies mustn't let their guard down," said Andres Ramirez, Avaya's product-marketing specialist for Venezuela, Ecuador, the Caribbean, and Central America. "Managers and IT professionals must be aware of possible threats and of what they can do to protect themselves. Many systems have methods to protect networks, but many managers aren't aware of the procedures and how to put them to work."
"IT maturity, security awareness, and security-adoption rates vary considerably across businesses and industries," added Cabrera. "How aware a business is of possible threats and of how it can protect itself will determine how much damage it will endure from any attack. In some cases, security implementation takes a backseat to other IT issues."
"Organizations are nevertheless beginning to take a more proactive approach to IT security," said David Gonzalez, marketing manager at Cisco. "In addition, software companies and vendors are getting more actively involved in educating clients, especially because they want to inform users of the benefits of adopting proactive solutions."
"Everyone is moving from a reactive stance to building security and reliability into their information systems from the ground up," said Cabrera.
Federal laws now make it necessary to incorporate better auditing into network security. The Sarbanes-Oxley Act and the Health Insurance Portability & Accountability Act, for example, have provisions that penalize the failure to track what happens on networks, making the price of lax information management and security far steeper. In addition, new laws have recently been approved on the U.S. mainland to make companies responsible for failing to disclose data breaches, thus opening the door to civil lawsuits.
Responding to the growing number of instances in which criminals have targeted major components of information and economic infrastructure systems, the FBI has established Regional Computer Intrusion Squads in select offices throughout the U.S. The squads' mission is to investigate violations of the Computer Fraud & Abuse Act (Title 8, Section 1030), including intrusions of public-switched networks, major computer-network intrusions, privacy violations, industrial espionage, and pirating of computer software. Additionally, the FBI sponsors InfraGard, an initiative with the private sector to share and analyze information. InfraGard is meant to help protect the U.S. information infrastructure.
Several insurance companies on the mainland are considering forcing companies to invest in network-risk insurance, which costs about $5,000 to $30,000 a year for $1 million in coverage, as a result of the overwhelming number of claims related to network-security breaches over the past two years. These losses were compensated under general-liability policies.
Network security must be seen not as a cost but as an investment, saving companies money through productivity gains, improved resiliency, and greater operational stability. Safeguarding information systems requires a well-crafted strategy that begins with an inventory of existing security-related systems and policies. Next come analyses of any security gaps and of the company's ability to respond to breaches and contain losses. Subsequently, a security plan must be developed and the necessary changes implemented. Finally, the information system must be monitored continually and optimized as often as necessary.
While all of this may sound expensive, it is actually cost-effective considering the downtime, and the ensuing financial losses, that may result from a security breach. This is an issue that isn't widely discussed in Puerto Rico, by either the private or the public sector. Addressing the potential threats to the island's information systems requires consideration just as much from the political, economic, and social standpoints as from the technology angle.
Spyware: A menace that spells explosive business opportunities for those out to fight it
From a minor annoyance for home personal computer (PC) users to a major plight for enterprise environments around the world, spyware (also known as adware, malware, scumware, and a host of other sordid names) is infecting millions of computers. By spying on computers, it can steal personal information, make possible identity theft, track users' online activity, and sell the information back to anyone willing to pay.
According to new research from Internet research firm IDC, the need to identify and eradicate these parasitic programs will drive antispyware software revenue from $12 million in 2003 to $305 million in 2008. Part of IDC's job is to define the spyware security threat and its repercussions and forecast the potential of antispyware markets.
While not all spyware is intended for damaging computers or stealing information (known as malicious spyware), it nonetheless causes significant damage to legitimate software, network performance, and employee productivity. Employees deluge their companies' help desks with complaints about pop-up advertisements, application failures, and poor PC performance, but all of these are security matters, not the system-management problems help desks are responsible for handling.
At worst, spyware's ability to track keystrokes, scan hard drives, and change system and registry settings is a tremendous threat to individuals and businesses. These activities can lead to identity theft, data corruption, and even theft of company trade secrets. "Today, more malicious spyware can easily infiltrate corporate firewalls," said Brian Burke, research manager of security products at IDC. "These programs make their way into the corporate Intranet under the guise of less-threatening network traffic and, once in, they can wreak havoc."
A recent IDC survey of more than 600 organizations listed spyware as the fourth-greatest threat to a company's computer security. IDC estimates that 67% of all computers (mostly consumer) are infected by some form of spyware.
The rising threat spyware represents and increasing demand for protection have forced established security vendors to build, buy, or partner with stand-alone antispyware vendors.
Backdoor: In a computer system, this is a method of bypassing normal authentication (or user identification) or obtaining remote access to a computer. It is intended to remain hidden from casual inspection and may take the form of an installed program or could be a modification to a legitimate program.
Encryption: The process of obscuring information to make it unreadable to those without special knowledge. This is usually done for secrecy and typically for confidential communication. Encryption can also be used for authentication. Even when encrypted, messages may still be subject to traffic analysis, although this typically can't reveal the contents of the message.
Exploit: A prepared application that takes advantage of a known weakness of other applications or websites.
Firewall: Used to defend computers from intruders by limiting access to ports (or connections on computers where devices can be attached) and machines. It handles both inbound and outbound information. Its basic purpose is to prevent intrusion from a connected network device into other networked devices.
Sniffer: An application that captures passwords and other data while they are in transit either within the computer or over the network.
Trojan horse: Malicious programs disguised as legitimate software. They entice users to download and/or execute the program. A Trojan horse can be used to set up a back door in a computer system to allow the criminal to regain access later.
Virus: A self-replicating program that spreads by inserting copies of itself in attachments and documents, which users must double-click for the virus to infect the system.
Vulnerability scanner: Also known as port scanners. A tool used to quickly check computers in a network for known weaknesses. Also used by hackers to check which ports on specified computers are available for accessing the computer.
Worm: A self-replicating program that doesn't attach itself to other documents. Therefore, worms infect computers without users double-clicking on attachments.
Top Seven Management Errors that Lead to Computer Security Vulnerabilities
1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
2. Fail to understand the relationship of information security to the business problem; they understand physical security but dont see the consequences of poor information security.
3. Fail to deal with the operational aspects of security; they make a few fixes but then dont allow the follow-through necessary to ensure the problems stay fixed.
4. Rely primarily on a firewall.
5. Fail to realize how much money their information and organizational reputations are worth.
6. Authorize reactive, short-term fixes so problems re-emerge rapidly.
7. Pretend the problem will go away if they ignore it.
Source: Determined by the 1,850 computer-security experts and managers at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999.
[Chart: Computer Attackers by Attacker Intent, July 1, 2002 - Dec. 31, 2002. Source: Symantec Internet Security Threat Report, Vol. III, Feb. 2003. Chart data not recoverable.]
[Chart: Computer Attacks per Company by Size, July 1, 2002 - Dec. 31, 2002 (attacks by number of employees). Only recoverable row: 5,000+ employees: 1,092 attacks. Source: Symantec Internet Security Threat Report, Vol. III, Feb. 2003.]
Some Companies in Puerto Rico Offering Education or Consulting on Network Security (Listed in Alphabetical Order)
(787) 289-7813 / (787) 289-8779 (fax)
(787) 620-1888 / (787) 620-1889 (fax)
Hewlett-Packard Puerto Rico BV: (787) 474-8900 / (787) 474-8929 (fax)
(787) 766-7600 / (787) 766-8777 (fax)
JLMA Information Technology Group: (787) 272-0990 / (787) 272-0515 (fax)
(787) 775-2333 / (787) 775-2395 (fax)
Microsoft Caribbean Inc.: (787) 273-3600 / (787) 273-3636 (fax)
Netxar Technologies Inc.: (787) 765-0058 / (787) 756-5362 (fax)
(787) 999-3100 / (787) 641-0460 (fax)
SAP Andina y del Caribe C.A.: (787) 775-3100 / (787) 775-3110 (fax)
(787) 754-0400 / (787) 754-0463 (fax)
Where to report attacks
Federal Bureau of Investigation (787) 754-6000
Federal Trade Commission (877) 382-4357
This Caribbean Business article appears courtesy of Casiano Communications.