Summertime is prime hacking season, experts say, because so many would-be computer interlopers have extra time
on their hands due to school and work vacations. To survive it, a multi-pronged strategy of people, policies and technology can act as a type of corporate sunscreen.
Not to say that summer is the only active hacking time. In May, NewsFactor.com reported that some 13,000 consumers were notified by Ford Motor Credit that their personal information -- including Social Security number, address, account number and payment history -- had been accessed by hackers who broke into a database belonging to the Experian credit reporting agency.
And in mid-January, InfoWorld reported that a computer hacker who had attempted to extort $10,000 from a U.S. bank was arrested. Nine months earlier, the hacker broke into a server owned by financial ASP Online Resources (ORCC) and got hold of customer names, addresses and account numbers for one of ORCC's client banks. The hacker then started sending e-mails to the client bank, threatening to post the information on the Internet if he weren't paid $10,000.
These are not isolated incidents. The Computer Security Institute in San Francisco has reported results from its annual survey for seven years -- and for the last three, financial losses due to computer crime have grown. Some 90% of the 503 respondents in the most recent survey reported computer security breaches within the past year, with the most serious losses occurring via the theft of proprietary information and financial fraud. Approximately 40% of the respondents reported system penetration from the outside.
Common types of hacker attacks include buffer overflow attacks, attacks against data, and the Port 80 problem. In a buffer overflow attack, hackers inject a system with so much data that the system goes "tilt" and bounces the hacker out into a command line like the old C:/ prompt in a DOS-based system. From there, the hacker can do much damage by issuing system-level commands that can erase huge chunks of data, or retrieve passwords and other important information.
Attacks against data occur when hackers issue legitimate SQL commands in hopes that a database will act on them and retrieve the data they want -- bank account information, for instance.
The Port 80 problem is well known in many security circles. In most enterprises, Port 80 is used for Internet traffic and therefore is not protected by firewalls. Internet Security Systems reported that 70% of all Web attacks from December 2001 through March 2002 exploited Port 80.
Other hackers use automated tools to search for system vulnerabilities specific to certain applications or configurations. And "script kiddies" are intruders who lack the serious technical chops to do their own system-level hacking, and instead exploit the problems that have already been authenticated by other, more experienced criminals.
Within certain circles, there are different shades of "hack-dom" -- crackers are evil, hackers are not and so on. However, outside of the community that engages in these pursuits, many experts don't draw lines. Analysts like Pete Lindstrom at the Framingham, Mass.-based Hurwitz Group say that anyone who enters your computer uninvited is up to no good. "If they're trying to break into my enterprise, I'd just as soon call them criminals," said Lindstrom. "On a system, we have no way of determining motive; all we know is what we see. The activity looks exactly alike whether you think you're a good guy or we know you're not -- and the resources expended to apprehend and stop it, in either case, are the same."
Research and advisory firm The Gartner Group has estimated that, through 2005, some 20% of enterprises will experience a serious Internet security problem that is not a virus. Clean-up costs will be higher than the costs of prevention by around 50%, the Stamford, Conn.-based consultancy said.
There are things that can be done to help prevent these kinds of problems, experts say. Most boil down to three things: policies, people and technology. All are needed; one factor used in isolation won't work.
"The most important thing is to have a consistent security policy and make sure everyone reads it and knows it," said Laura Koetzle, an analyst at Forrester Research. Other key steps, she says, include keeping systems up to date with the most recent software versions; configuring firewalls properly; having an incident response plan that everyone knows and can quickly access in an emergency; and disabling whatever technology is not absolutely needed. "There's no reason the assistant to the vice president of marketing needs a Web server configured on her laptop if all she's doing are memos and PowerPoint presentations. That becomes another potential source of vulnerability."
Regarding the incident response plan, Koetzle says, it should be a bulleted list so people know what to do in case of a security incident. The list might include: pull the machine off the network; inform both the IT and business owners of the problem; clean the machine up and fix whatever's damaged; restore the data; call the director of public relations and the head of customer service to inform them and so on.
Having a full-time person -- or an even larger group -- dedicated to formulating and implementing computer security is a luxury that few companies under $1 billion in revenue can truly afford. But it is important that it become a specified part of someone's job -- a network administrator, for instance.
On the technology side, Hurwitz's Lindstrom advocates a four-tiered approach: a network-level firewall; application-level firewalls for critical software that the company deems it couldn't live without; vulnerability-assessment software to show where the major potential holes are; and intrusion-detection systems that determine actual hacker activity.
Application-level firewalls, such as those available from Sanctum, Stratum8 Networks and KaVaDo, sit in front of Web-based software and watch how it behaves -- how much data is usually transmitted, how often, and so on. If someone then tries to pass the application with a full-fledged program instead of the few characters that is the norm, the application firewall blocks the request. It can send the request to an administrator for follow-up, or follow any other number of rules that are programmed in.
The down side of this kind of technology is that it can have "a fair number of false positives," Koetzle said. In other words, it may block someone it thinks is trying to do something wrong but who really isn't engaging in foul play. "The danger is that you'll block too much or too little -- it's a question of calibration," she said. The more different kinds of tasks that an application performs, the harder it will be to establish a baseline, she adds. This kind of protection is most effectively used for an application with a fairly narrow and well-established range of tasks.
However you approach hacker protection, "a layered defense is the only one that works," Koetzle said. "It's like the human immune defenses -- skin, white blood cells, bacteria in our stomachs and those disgusting little hairs in our noses. You need them all, for different reasons."
SPONSORED BY: EMC
Why fight complexity when you can outsmart it?
For anyone confronted with the daunting task of storage management, EMC's Automated Information Storage is the name of the game. AutoIS is a strategy that delivers a suite of software products and technologies for greater simplicity, automation, and openness in your storage environment.
Get the inside story on AutoIS from EMC engineering and key IT leaders - and get answers about your storage environment - in the on-demand web program.