Security in a changing world

Beating the hackers, bots and phishing attacks requires the recognition that threats come from within as well as without. Ron Condon helps clean up your computers.

by Ron Condon
Last Updated: 31 Aug 2010

Every two years, the DTI surveys a thousand companies - representing a cross-section of British industry - to see how they are managing information security. The good news, according to the latest report published in April, is that things have improved. The bad news is that they are still pretty awful.

Viruses and other unwanted code are still finding their way onto company networks and the threat of overseas hackers is constantly on the rise.

But the biggest danger still comes from within - as staff spend their time accessing dodgy websites, sending abusive e-mails and stealing private company information.

Some companies just ask for trouble, of course. One in three still have no written policy on what kind of computer usage is acceptable or not.

So if employees choose to spend their time looking at eBay, finding the love of their life on dating sites or accessing hardcore porn, their employers have little sanction against them.

Loss of productivity is just a part of the problem. Poorly managed systems allow valuable or private information to be leaked or stolen.

According to one of the report's authors, Chris Potter of PricewaterhouseCoopers, 9% of large companies had suffered a breach of confidential information - 'and some of those caused multi-million pound losses'.

So how do you take control of the situation? Clearly, having an acceptable usage policy is a vital first step, followed by training to ensure staff understand why security is important and what will happen if they ignore the policy.

Then you can add technology to enforce the policy, not just the anti-virus and anti-spam software that come as standard on most PCs, but systems that control e-mailing habits and also software to block access to certain websites (porn, gambling, eBay, home shopping).

The DTI report shows that 38% of companies control the websites their staff can access (the figure doubles to 74% for large companies), but only one in six monitor the content of outgoing e-mails. Similarly, only one in four companies provide users with the ability to encrypt their e-mails. Encryption technology is widely available and easy to implement - and some of it is even free. It should be increasingly important as companies need to exchange confidential information with their business partners.

'The potential reputational damage is huge,' says Potter. 'Given how important reputation is to businesses, it's surprising that five-sixths do not scan outgoing e-mail for inappropriate content,' he says. 'Companies that scan their outgoing e-mails are much more likely to detect any misuse, but the worry is that the others may be letting inappropriate content slip through, to the potential detriment of their reputation.'

He adds that in one serious breach, a staff member had e-mailed out a complete company database to a rival firm.

The biggest impact of security breaches, the report says, is disruption of business, with some incidents causing problems for more than a month.

An attack on a website was seen as the most disruptive. 'Roughly two-fifths of the worst systems failures also led to major business disruption, with systems out for more than a day in about half of these.'

So if you want to keep up with the latest developments in IT security and minimise the impact of any lapses on your business, here's MT's essential guide to keeping your computers squeaky-clean.

De-perimeterisation and the Jericho Forum

Traditionally, information security has worked on the fortress principle - build a big wall to keep out intruders and treat everyone inside the wall as a trusted friend. It was never a complete answer, as many security leaks come from inside the organisation. But new business practices and technology have blown a hole in the old model, which relied on firewalls and intrusion-detection systems to provide the defences.

E-mail and access to the internet were the first chinks in the fortress wall and created the potential for unwanted information to flow into and out of the company.

Companies also need to communicate electronically with suppliers, outsourcing companies, partners and customers. So vital information and systems may now sit outside the traditional boundaries of the organisation. Add to that the increased mobility of staff, who need laptop computers, mobile phones and other communications devices to stay in touch, and the corporate perimeter begins to look like a Swiss cheese.

Recognising this changing landscape, a group of large companies got together two years ago to devise a new way of doing things. Called the Jericho Forum ('walls come tumblin' down' - geddit?), the group attracted big-name corporates such as BP, ICI, Boeing, Qantas, Royal Mail and Rolls-Royce.

The Jericho Forum coined the term 'de-perimeterisation' to encapsulate this shattering of the fortress wall.

It has been busy since creating general guidelines that are intended to help the vendor community - the sellers of firewalls, network gear and software - to create products that will work in the new business environment.

Progress has been slower than some had hoped, but the job of worldwide evangelising has kept the hard core of founding members busy, with their representatives speaking at conferences in the US and Asia to win broader support - which they have done.

Continuing the biblical theme, the group recently issued its first tangible deliverable, a list of Eleven Commandments (echoes of Spinal Tap's Nigel Tufnel, whose amplifier went to 11 - 'that's one louder') for security in a de-perimeterised world. These are broad principles, but the Jericho Forum is now sketching in more details with a series of short papers that aim to be comprehensible to non-technical board-level members.

The jury is still out on how effective the Forum will be in shaping future products, but no-one argues with the notion that security has to change to meet a changing business world.

More details at www.jerichoforum.org

SPAM, PHISHING AND BOTNETS

Everyone with an e-mail account will have received a message from a bank they've never heard of asking them to confirm their details by revealing valuable personal and financial information; or, in one of the infamous Nigerian e-mail scams, have been asked for help in moving a large sum of money out of Africa and requiring only their bank account details in return for a cut. These so-called phishing attacks may have fooled plenty of people when they first appeared a few years ago, but most users are more wary these days.

But the phishers have not given up - they have just changed their tactics.

'Phishers are running out of targets. They can only fool people once or twice,' says Mikko Hypponen, chief research officer at Finnish security company F-Secure. 'They have to find fresh suckers - which is why we're seeing smaller targets and in different languages, including Greek, Finnish and Czech.'

According to David Sancho, an engineer with Trend Micro, German phishers recently came up with a new wheeze. They sent out messages purporting to come from a utility that provides an electronic invoice as a pdf file.

Recipients were invited to click on the link to download the document, which, instead of having the suffix '.pdf', had '.pdf.exe' - in other words, an executable program that secretly lodged itself on their hard drive.

The program was a trojan, a piece of secret code that allowed the sender to take control of the infected machine and, for example, record the users' keystrokes.

'Once active, the trojan can monitor every internet connection, every access to web pages and access to the bank - and will report the password back to the creator of the trojan,' says Sancho. 'It's another turn of the wheel. We call this spy-phishing and we have already seen quite a lot of these attacks.'

The other big problem with trojans is their huge number. The aim of those sending them out is to capture and infect as many machines as possible. In the parlance, a hijacked machine is termed a robot or 'bot', and a network of bots controlled by a single source is a 'botnet'. The widespread use of broadband, which provides a permanent connection between PCs and the internet, has provided the so-called 'bot-herders' with a fertile ground for their attacks. Botnets can consist of hundreds of thousands of machines, with the combined power to send out spam messages by the million, or to mount denial-of-service attacks against commercial websites.

Most analysts feel the only way to stem the growth of botnets is for the internet service providers (ISPs) to be more proactive in shutting down infected machines. But as Sancho says: 'It's tough for the ISPs - if they tighten policies they may lose business.' If they do nothing, the problem will get worse.

You've been hit - what next?

The first instinct of any company hit by a security breach or fraud is to fix the problem and get the business operating again. It is an understandable reaction, but not the right one if you want to find the cause and, more especially, the culprit.

'I've seen lawyers powering up infected machines to take a look at them and destroying the evidence in the process,' says Alan Brill, managing director of Kroll Technology Services.

If the incident is serious enough to warrant a prosecution, the first priority is to apply forensic principles, just as with any other scene of crime. If a computer system is touched after an event, software settings may change and it may be impossible to prove who did what. Brill advises getting trained investigators on the job immediately; they will know how to take an image of the infected machine in a way that will stand up as evidence in court.

The second instinct for some companies might be to call in the police, but the general advice is not to bother. The recent absorption of the National Hi-Tech Crime Unit (NHTCU) into the new Serious and Organised Crime Agency (Soca) is a signal that the main focus by law enforcement will be on the most serious internet-based crimes, such as child pornography, money laundering and organised fraud scams.

In addition, much internet crime is international and co-operation between national police forces is limited and often depends on personal contacts rather than any formalised international structure.

John Lyons, a former member of the NHTCU, confirms that law enforcement is able to investigate only the most serious crimes. 'The police are not adequately resourced to carry out investigations into everything that happens,' he says. 'There has to be a partnership with industry.'

He recommends contacting the police for advice on how to proceed, but warns that the job of gathering evidence will be down to the company.

In any case, criminal prosecutions are rare in this area. Many companies, the banks especially, have chosen in the past to shun publicity, preferring to rid themselves quietly of the culprits rather than go though an embarrassing court case. For most of them, the aim is to find the culprit and, if necessary, use the civil courts for justice, where the burden of proof is less onerous.

Where the crime is international, then a private investigation firm will usually be employed to gather evidence, deal with local police and trace the proceeds of the crime. It is then down to the victim to decide how to proceed.

Smaller companies can also now find protection with a new membership organisation called the Computer Forensic Alliance (CFA), which offers members a low-cost investigative service. Says co-founder Simon Janes, a former Scotland Yard detective: 'SMEs are suffering from computer fraud and can be badly hit by staff misusing systems to steal money or leak information.'

CFA annual membership costs between £175 and £480, depending on the level of service. More details at www.cfallies.com.

THE THREAT FROM WITHIN STAFF ABUSE OF INTERNET AND E-MAIL

17% of UK businesses suffered staff misuse of web access 11% had misuse of e-mail

Larger companies are more likely to have incidents involving staff misuse - 52% had experienced web misuse and 43% e-mail misuse

41% of the worst misuse incidents involved staff accessing inappropriate websites

36% of the worst incidents related to excessive web surfing. The most serious of these involved access to illegal material; several companies reported incidents of staff accessing child pornography

The average cost of individual incidents was relatively low compared with other types of security breach - less than 10% caused business disruption or direct cash costs

Technology, telecommunications and utility companies were most likely to report incidents; retail and travel were the least likely

Protecting confidential information sent by e-mail is still rare - in only a quarter of UK businesses can staff send encrypted e-mail to the company's business partners, even though encryption technology is widely available

The full DTI Information Security Breaches Survey 2006 is downloadable from the PricewaterhouseCoopers website (www.pwc.com).

Find this article useful?

Get more great articles like this in your inbox every lunchtime