Beware 2006: Exploits Increase, Impact Gets More Serious

The most recent Computer Security Institute/Federal Bureau of Investigation survey reports that the financial damage from computer crime is down 8% from what it was last year. Respondents to the survey reported losses of $130 million, down from $141 million in 2004. Internet-wide mass attacks by computer viruses and worms replicating themselves and clogging corporate networks are succeeding less often as network managers defend themselves more effectively.

But thieves who can’t get in one door will try another.

Security experts such as Gartner analysts John Pescatore and Neil MacDonald increasingly worry about targeted attacks, perpetrated by organized groups of cybercriminals, replacing publicity-seeking intrusions by vandals and small-time crooks. Last month, a half-dozen defendants who had been charged with being part of an organized credit-card and identity-theft ring—known as the Shadowcrew—pleaded guilty in federal court in Newark, N.J., to conspiracy to commit credit-card, bank-card and ID-document fraud.

Also coming to light in recent months are new forms of attacks. Instead of writing spyware to capture credit-card numbers from random consumers, some authors of malicious software have turned to writing Trojan horse programs to steal secrets from specific companies, as in a case that cropped up this past year in Israel. Like the legendary Greek gift to Troy of a wooden horse with soldiers hidden inside, Trojan software contains a hidden payload that attacks the recipient.

There are a variety of ways for malicious software to slip past firewalls and other perimeter defenses. It can be carried on a laptop or stored on a keychain backup drive and delivered when those devices are attached to a network. Business users also increasingly expect to be able to access corporate applications from anywhere via a Web application or a virtual private network connection, effectively extending the network to include home computers and public kiosks that may be insecure.

Still, some of the greatest embarrassments companies suffered in the past year over inadequate data security were more the result of carelessness than targeted hacks. The Nigerian identity thieves who breached ChoicePoint didn’t have to break into the company’s systems because they were able to represent themselves as legitimate corporate customers and sign up for an account with the data services vendor, which maintains records on millions of citizens. As a result of a California law that requires companies to disclose incidents that compromise consumer privacy, ChoicePoint was forced to admit letting 145,000 records slip through its hands this way. The same law forced Bank of America and Citigroup to disclose that magnetic backup tapes containing consumer data had been lost during shipping.

“Years ago, if you lost a skid of tapes, you weren’t required to tell anyone,” notes Carl Branco, a first vice president in charge of internal auditing at TD Waterhouse who has also overseen information security at several banking and financial services institutions.

Not anymore.

And to some extent, all public companies are feeling greater regulatory pressure to improve information security because of the Sarbanes-Oxley Act, which includes control over data security as one of the audit criteria for proper corporate governance.

“It puts a new twist on the whole I.T. security thing,” says Howard Israel, an information security consultant. Rather than being treated as a technical issue, it’s becoming a basic issue of corporate management, often approached from the perspective of risk management, according to Israel. That means looking for ways to mitigate or compensate for risks that cannot be eliminated, he says.

While information security professionals may to some extent welcome the attention brought by laws like Sarbanes-Oxley, Gartner’s Pescatore says they also worry about “regulatory distraction.” Overzealous auditors seeking to justify their fees have sometimes offered misguided security recommendations such as making users change their passwords on a quarterly schedule, he says, “which we know actually decreases security.” Users faced with overly strict rules often subvert them—for example, by writing down passwords because they can’t remember them.

Some of those excesses are starting to subside, Pescatore says, but it’s important to focus information security efforts on real improvements, not symbolic gestures.

So, as we head into the new year, what should be the starting point for chief information officers, chief security officers and other executives charged with safeguarding vital information resources? Based on interviews with information security experts and corporate security officers, Baseline has compiled a list of the top five security concerns for 2006, followed by some basic steps every company should take to safeguard its systems.
