Systems Under Siege

Corporate security is under attack from hackers, buggers, spammers, fraudsters, extortionists and staff with a grudge. But keeping the cyber criminals at bay is a job for all managers, says Ron Condon.

by
Last Updated: 31 Aug 2010

In March this year, customers of a Massachusetts-based retailer began to notice fraudulent transactions on their credit card statements. They used a variety of banks and credit-card companies, but were all registered customers at one of 150 warehouse stores operated by BJ's Warehouse Club.

Investigations showed that BJ's had become the victim of a massive and concerted attack on its computer systems, and that the details of up to 8 million customers had been stolen and used to create fake credit cards.

The cards were then used to clock up million of dollars' worth of fraudulent purchases.

On this side of the Atlantic, there was the attempted theft of £220 million in April from Sumitomo Mitsui Bank in London. Had the heist succeeded, it would have been the biggest bank job of all time, making the £26 million Brinks-Mat bullion theft and the £26.5 million Northern Bank raid look like small potatoes. And all without recourse to stocking masks, sawn-off shotguns or even a getaway car.

The attack was thwarted by the National Hi-Tech Crime Unit (NHTCU). Small bugging devices, called key-loggers, had been installed on some of the systems at Sumitomo's offices, probably by office cleaners working for an organised gang. These easy-to-conceal devices connected to the keyboard cable of the computer, and were able to record password and access information as the legitimate users of the systems went about their daily tasks.

Sources close to the NHTCU say the intended crime was discovered only by chance, when an operator noticed unusual traffic on the Sumitomo network.

The bank called in the crime unit under strict terms of engagement, and the bait was laid. A hacker in Israel was arrested just as he was about to siphon off the funds. The foiled crime was made public as part of the NHTCU's deal with Sumitomo, but the publicity was tightly managed, allowing the bank to appear as triumphant foiler of crime rather than victim.

In America, the US Federal Trade Commission (FTC) took a dim view of the events at BJ's and decided to make an example of the firm. It was publicly castigated for its poor security and, as part of the settlement, it was required by the FTC to 'implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years'.

The FTC outlined the specific areas in which BJ's had been particularly deficient. It had 'failed to encrypt information when it was transmitted or stored on computers in BJ's stores'. The company also created further risk by storing the information for up to 30 days, in violation of bank security rules, even when it no longer needed the information. The FTC pinpointed specific technical areas where BJ's had failed to operate basic good security practices to prevent unauthorised access.

BJ's public castigation was intended as a warning to all retailers and anyone else holding such data that IT security needs to be taken seriously. But it was just one of several cases that have come to light in the US this year (see box), ranging from the highly technical, where skilled hackers wormed their way into company systems, to the farcical, with tapes containing unencrypted personal details of millions of customers being lost by a messenger.

At first glance, it looks as if the Americans have suddenly lost their marbles (as well as their tapes) and become sloppy in the way they manage their computer systems - such a spate of security breaches is unprecedented.

But such lapses have always happened; the only difference is that they were previously kept hidden.

The key change in the US occurred with a piece of Californian legislation called SB1386, which came into force in 2003. It was designed to protect the interests of Californian consumers by ensuring that if any company (anywhere in the world) holding their details suffered a security breach, it had an obligation to inform the consumer. At the time, it was viewed as a quixotic piece of Californian nonsense, but has since proved to be so effective in uncovering technical slip-ups that other states have followed California's example, and a federal law on the same lines is widely expected.

In the UK, things are different. Companies have no legal duty to disclose breaches in their security, and most of them will go to any lengths to avoid the unwelcome publicity. This usually means that even if they find the culprit, they will rarely prosecute. Offending employees are allowed to leave quietly - and are able to re-offend elsewhere with little risk of punishment. Exceptions are rare; in fact, the Sumitomo job-that-never-was is just about the only one in the public domain.

Security of information systems is no tighter in Britain than in the US, and the growing concern is borne out by a recent survey of 600 managers carried out jointly by MT and the Management Consultancies Association. It found that IT security is now the second-biggest risk to businesses after operational risk, and ahead of strategic, economic and people risks. The same survey also found that security is the biggest IT-related concern.

The anxiety is well founded. Figures recently published by Symantec, a major producer of security software, show the sheer extent of the growing threat. The company's latest internet security threat report covers the first six months of 2005, and reveals a changing landscape where viruses are getting nastier and harder to manage and attacks are increasingly the work of organised crime.

'Whereas traditional attack activity has been motivated by curiosity and a desire to show off technical virtuosity,' the report's authors say, 'many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion and fraud.'

On just about every measure, the level of threats has continued to grow sharply. For instance, Symantec registered nearly 11,000 new viruses targeting Windows-based PCs in the period, a rise of 142% over the first half of 2004. Phishing attacks have almost doubled in six months. These are e-mail messages that purport to come from a legitimate source and ask the recipient to reveal vital financial details. In the last six months of 2004, the daily average number of phishing e-mails was already a staggering 3 million worldwide. By the end of June 2005, the figure had climbed to 5.7 million.

Another huge danger comes from the vast and growing number of broadband users around the world. The point about broadband is that it creates an always-on connection to the internet, and makes the individual computer a sitting target for the barrage of malicious code circulating on the internet.

Experts say that an unprotected computer has a 50% chance of being infected within 12 minutes of connecting via a broadband connection. And once infected, that computer can then be controlled remotely by the sender of the malicious code. The machine has become a robot - or 'bot' in the parlance. The attackers assemble vast armies of thousands of such compromised machines, which they can then use either to send out spam or to overwhelm a website, putting it out of action. These are called bot networks, and their owners will happily hire them out by the hour to anyone who wants to send a mass-mailing or attack a website.

The assaults on websites, known as denial-of-service attacks, are often used as part of an extortion campaign. Some of the first were directed at gambling websites, swamping the victim with internet traffic, thereby blocking out legitimate users. The attack was then followed by a demand for money in exchange for peace and quiet. 'It's just like an electronic protection racket,' says an NHTCU insider.

And to put the threat into perspective, Symantec found that on any one day during the first half of this year, 10,352 bot networks were in operation - up from fewer than 5,000 in December 2004.

So managers are right to see IT security as a major concern, but that concern needs to be turned into effective action if they are to avoid falling victim. Steve Wylie, head of security at Accenture, says the companies that manage security properly have a number of approaches in common. 'IT security has to be seen as a business function. There has to be a mechanism whereby it can justify itself in a measurable way,' he says, adding that few companies properly monitor their IT equipment to ensure it has adequate protection.

The best companies also understand the true risk of different security threats in the same way as they understand operational risks. And their IT security teams produce reports that are consistent with those they receive from other parts of the business. They also know which are their mission-critical applications in the system - those that would cause real trouble if they became corrupted. This is all basic stuff, but, according to Wylie, many companies do not have this information to hand.

In the absence of any comprehensive evidence, it's estimated that most attacks take place on the inside of the organisation, rather than from the internet. So it is essential to manage who has access to which parts of the system. As Wylie reports, the best firms have a grip on the management of passwords and access rights. If you want to put your IT director on the spot, ask how long it takes for the access rights of departing employees to be closed down. Some companies take months to complete the task.

Wylie's final point is that the best companies run effective security awareness training for all staff, and follow through to ensure awareness is maintained. Most companies hand out an e-mail usage policy when staff join, only for it to be dumped in a drawer and forgotten.

So there is still much to be done on the security front. British companies may still be able to avoid the kind of public embarrassment handed out to BJ's Warehouse, but many in Europe expect similar disclosure legislation to be enacted on this side of the Atlantic at some point.

Even so, companies should not wait for the legal big stick before acting.

The growing threat on the internet demands prompt action, and stricter corporate governance regulations have also forced far higher levels of care on companies in their management of data, especially personal and financial information.

IT security is no longer just a technical issue. It is far too important to be left to the IT department alone.

A copy of the MCA/MT executive report Making Sense of IT Security is available free in pdf format or at £50 as a hard copy. Contact Davina Page on davina.page@haynet.com

SECURITY SLIP-UPS

From full-blown theft to straightforward cock-up, there are plenty of ways for your IT security to let you down. Here are a few high-profile examples of what can go wrong...

SUMITOMO MITSUI BANK - UK Attempted theft of £220 million by an Israeli hacker using key-logging equipment, probably installed by office cleaners

CHOICEPOINT - US Social Security numbers and credit reports of up to 145,000 consumers stolen from the consumer data compiler by thieves posing as legitimate customers

BANK OF AMERICA - US Social security numbers of up to 1.2 million federal employees released after computer back-up tapes were lost

DSW SHOE WAREHOUSE - US Credit card and other personal details for 1.4 million customers stolen by hackers accessing a database covering 108 of the company's 175 stores

POLO RALPH LAUREN - US Data on up to 180,000 customers holding GM-branded Mastercards stolen

TIME WARNER - US A back-up tape holding the social security numbers of 600,000 current and former US employees is lost by an outside storage company

CITIGROUP - US UPS delivery driver loses back-up tapes containing financial details of 3.9 million customers of Citigroup division CitiFinancial.

Find this article useful?

Get more great articles like this in your inbox every lunchtime