Worm attacks cost enterprises time and money and make for big headlines. But when it comes to bringing a company to its knees, they can't compete with the employee who misbehaves at the keyboard or the executive who tries to sweep incidents under the carpet.
Marne Gordon, director of regulatory affairs for Herndon, Va.-based TruSecure Corp., gave examples of enterprises that suffered for failing to properly respond to such incidents during last week's HealthSec conference in Boston, sponsored by the MIS Training Institute.
"We tend to focus on the big attacks like Mydoom and Blaster," Gordon said. "But there are lessons to learn from the local, potentially more disastrous cases where someone opened an e-greeting infected with a malicious program or agenda-driven malicious activity targeted a specific institution." She offered three examples -- one in which reaction was swift and the damage contained; two in which companies responded clumsily with disastrous results.
The Yorkhill Hospital incident
When the Nachi worm struck the computer network of Yorkhill Hospital in Glasgow, Scotland, 1,000 devices were infected and electronic medical records became unusable, forcing employees to fall back on paper records. The results could have been disastrous during an emergency, but Gordon said IT staff acted swiftly, working around the clock to purge the malware from their systems. The electronic records were up and running within 24 to 36 hours.
"Here is a case where they handled it well," Gordon said. "But it's not what you want. You don't want to be in a position where patient records are affected."
And, she added, Nachi probably wouldn't have caused much trouble had the hospital had better controls in place, like extensive deployment of antivirus software at the workstation level, regular antivirus updates and end-user training on how to use the security software. The hospital also would have been better off with a strong user policy restricting Web surfing, personal e-mail, removable media programs and other risky behavior, she said. While the institution never commented on the extent of its antivirus measures, evidence suggests they weren't being adequately proactive.
The CanadaDrugs.com incident
Far more damaging was what happened to CanadaDrugs.com, Gordon said. An insider stole the company's customer database in 2003, and in June 2004, pharmacies in Manitoba got a letter from a consultant offering them a database containing information on 32,600 U.S. citizens that bought prescription drugs through CanadaDrugs.com. The consultant told the pharmacies they could make millions by marketing to the list.
"This is a really bad situation, a case where a trusted insider cleans out the kingdom," Gordon said. "It also presents tough cross-border legal problems because the victims are U.S. citizens and a Canadian company."
In this case, Gordon said CanadaDrugs.com stumbled from the start. "They knew the database had been stolen by an employee and didn't report it," she said. "It's an issue of ethics."
The company would have been better off with tougher controls. "A lot of us get general access to everything and that's a big mistake," Gordon said. "If I don't have a specific reason to be in here, cut me off." The company also would have fared better had it reported the breach the moment it was discovered.
UCSF's October surprise
In October 2003, UCSF Medical Center was contacted by an independent contractor demanding payment for transcription services and threatening to expose patient information unless she got paid immediately. She ultimately backed down, but Gordon said the contractor probably still has the patient information on her hard drive. "This may not be someone who has a firewall and antivirus protection, and the data is sitting there, vulnerable to a potential attack," Gordon said.
What should enterprises learn from these tales?
"The real bad guys are those who hold people's patient and financial records hostage," Gordon said. "The people who launch disruptive attacks make a big splash, but they don't cause the kind of damage we see in these cases."