The Computer Emergency Response Team (otherwise known as CERT) – a federally-funded research and development centre in the US – has warned that the amount of malicious activity on the World Wide Web is climbing at an alarming rate. The total number of attacks in 2001 rose by almost 160% compared to the previous year, with 52,868 incidents reported.
A recent survey by consultant KPMG has also highlighted the ever-increasing cost that security breaches are bringing to companies. According to the survey, each security 'invasion' costs UK businesses an average of £77,000. Virus incidents were the most common cause: 61% of companies fell victim, at an average cost to organisations of $162,000 (£113,700) – not to mention 68 'lost' working days into the bargain.
Incidents of hackers attacking servers directly rather than via web sites or networks – and by using new worm technology – will continue to rise. It's on these servers that valuable corporate data lies, and such attacks take advantage of server and system vulnerabilities. Hackers can then steal or tamper with the vital data that makes up the essence of a company.
Later in 2002 and early next year, we're likely to see a raft of new hacking exploits as IT terrorists push the boundaries of their capabilities in creating new waves of attacks.
Is there a solution to hacking? To begin with, companies need to seriously consider the impact that a security breach will have on their systems. By educating themselves as to the apparent dangers involved, IT or security directors can then start to assess their own organisation's level of risk. Once the level of risk is ascertained, those same managers can begin to look at changing the company's attitude to security, and put systems in place to deal with the dangers.
The impact of a security breach normally falls into one of four categories: cultural, legal, commercial or financial. With this in mind, there are a number of points within each of these areas that companies should consider when assessing risk:
- Cultural: Do you need to change the way in which your organisation thinks about security? Are you prepared for internal security breaches? Can anyone access your systems, or is that access limited?
- Legal: Are you aware of the legal liabilities that your company might face as the result of a security breach? Legislation that might apply includes the Data Protection Act, contractual and negligence issues, breaches of confidence, issues concerning corporate responsibility and the obscenity laws.
- Commercial: Will your customers still trust you? Will they come back to your site? Can you continue to trade?
- Financial: Can you still operate if your system is down? Remember that downtime is lost time and revenue. What will be the impact on the bottom line? The Nimda virus, for example, was estimated to have caused $500 million worth of damage in its first four days of existence.
In light of all this, companies are going to have to recognise that the network perimeter – effectively – no longer exists. It's no longer good enough to rely on firewall and network protection to safeguard critical systems. Companies need to change their mindset: they need to start with the data and think about what the consequences might be if that data were to be compromised.
Hackers now know that the server is where the real damage can be done, so, not surprisingly, that's where most of their time and effort is devoted at present. Reliance on incumbent systems, then, will leave companies vulnerable not just to new attack types but also to existing techniques. In all-too-many companies, ignorance – at the moment, anyway – is bliss.
As an IT issue, security is going to be in the public eye during the coming months for companies in all sectors. Relying on a firewall and network systems will no longer be enough in the face of increasingly clever, malicious and frequent attacks from the outside world.
Source
SMT
Postscript
Iain Franklin is European vice-president of Entercept Security Technologies (www.entercept.com)