Can a hack happen to anyone at anytime? According to Laura DiDio it can.
The Giga Information Group analyst and operating systems security expert has said that too many organizations pay scant attention to the security of their networks, software, PCs and laptops until after a security breach takes place.
Before joining Giga, DiDio spent 12 years covering the networking industry as an editor and reporter at publications including Computerworld, LAN Times, Network World and Internet Week.
SearchSecurity.com recently spoke with DiDio about security issues affecting businesses today, and whether or not anything can be done to make businesses safer.
SearchSecurity: Do you find people you speak with are generally more afraid or less afraid of being hacked than they should be?
DiDio: I would say actually less, because security is one of those soft components. It's akin to the telephone or the utility infrastructure. As long as it's there and working, you don't think about it. And this leads to a sense of false security. Now, it is getting higher visibility. With Microsoft getting hacked, people start to get more afraid. On the other hand, there is a small minority of corporations that are extremely proactive and do all of their due diligence.
SearchSecurity: Can you give examples of companies practicing proactive diligence?
DiDio: One is The Hartford insurance company. These types of companies have their own security ISS managers separate from the other [ISS managers]. They practice good security hygiene. They make sure the security part of their routine is mandatory, the same way they would pay attention and back up their tapes and upgrade their PCs.
Also, the proactive ones get their own end-users involved in taking the responsibility for their own PCs, starting with not walking away at lunchtime [without securing it], not putting sticky notes on the monitor with their passwords and IDs and making sure people are not bringing in software from home and loading it onto their machines.
SearchSecurity: You've said a hack can happen to anyone at any time. Why do you think that is?
DiDio: It's a fact of life in the 21st century. The fact of the matter is, at the most basic level, computer networks were constructed and designed for the express purpose of sharing information. Once you put the data out there, you have to realize you may be sharing it with persons and things known and unknown. Generally speaking, 1 percent of the U.S. population engages in criminal activity of all kinds, but we are going to see computer crime mirroring that factoid. If we get to the point where 1 percent of our computer user population is engaging in criminal activity, that's scary. We haven't gotten to that point yet, because it's been a new technology, but let's face it; it starts out with a lot of people who are just nosy.
SearchSecurity: What are the common mistakes companies make when they fall victim to hackers?
DiDio: The commonality is that they haven't practiced good computer security hygiene, or they haven't put the necessary devices in place, so they're caught unawares. You can't catch them if you can't track them. Because they haven't enforced their security policies, they've made mistakes. They haven't physically secured their servers, so anybody can get their data, or they've given administrator access to an untrustworthy or low-level employee who can turn around and burn them. If you don't have a plan in place, like a fire drill, to deal with an intrusion or a hack before it happens, it will maximize the damage.
SearchSecurity: A recent SearchSecurity poll found that companies seem to fear internal hacks more than external ones. How great a threat is an internal hack today, and can anything be done before it happens?
DiDio: At this point, the threats of being hacked externally and internally are equal. The reason they fear the internal hacks is that these people presumably know the system and therefore may be able to perpetrate more damage. It might be easier, people think, to catch an external hacker. That's not necessarily true. An external hacker might be doing it for a lark or for corporate espionage. In that case, they would launch a very targeted attack. With an internal hacker, normally you might think they want revenge, in which case they could be more vicious and corrupt data at will and randomly.
SearchSecurity: Why does it seem that many types of people not traditionally thought of as potential hackers are committing cyber crimes?
DiDio: Part of it is the quest for knowledge. It might start out innocent enough, and as they start attaining the knowledge, they start finding things out. Then they've got temptation. The snake comes into the garden. Then if they have a motive, if someone's really done them wrong, you can understand in a moment of anger...It comes down to that old devil: ego.
SearchSecurity: Where do you see Windows 2000 and IT security going in the future?
DiDio: As the technology advances and we're starting to do e-commerce, and you've got corporate extranets to allow your business partners, customers and end-users to be more productive, the risks are getting that much greater. There isn't going to be any one silver bullet that is going to totally secure your networks or special devices on the network; therefore you will never eliminate risks. The real issue is you have to find, identify and eliminate as many of the vulnerabilities, or portals, if you will, into and out of your network as is humanly possible. When you do that, you minimize the risk to an acceptable level.
The only totally secure device as I see it is a typewriter. That's it. If you've got a computer, PC, laptop, handheld... and you have access to the Internet, you can do a lot of damage.
FOR MORE INFORMATION:
Join SearchSecurity and SearchWin2000 Thursday, November 16, 2000 at 3pm EST for a Live Expert Q&A with Laura DiDio, analyst, operating systems for Giga Information Group on How to Repel a Hack Attack (or, if Microsoft can get hacked, so can you!).