In the UK, the passing into law of the Civil Evidence Act has made the security of computer systems a major issue, and one that is ignored at every company's peril. How, though, does this affect the lot of the practising security manager?
The answer lies in the changes within IT. From the once-glass panelled computer room, with its data processing manager and myriad of staff, IT systems have now evolved to deliver networked computing and communications power on every desk. And all, conversely, thanks to a vastly reduced IT 'establishment'.
Indeed, with perhaps four or five staff serving a 1,000-strong terminal system, logical security has become largely a software function. However, the emergence of ISO 17799 – the new international standard for IT security – recognises that IT security is inseparable from information and general security. In other words, the security manager MUST be involved in IT security as never before.
Corporate responsibility devolved
Skilled and experienced IT professionals are always much sought after. There's a worldwide shortage and, as a result, firms fall over themselves to employ the person(s) they perceive as being "right" for them. Often, references are not taken up and, on the basis of a couple of interviews, the IT expert is employed. Usually, very little is known of his or her financial stability, social views, religious motivations or political idealism.
The responsibility for corporate software and databases, then, is passed on to a person whom the employer may know less well than his or her window cleaner. If the employer then decides that person is unsuitable for the tasks at hand, they could well find themselves the owner of an unworkable database and corrupted back-up file store.
Since most companies cannot function without a database this is the sort of situation that could become critical to business survival.
These days, the aforementioned five IT staff could well be outsourced. When director general of the Institute of Directors, Sir John Hoskyns – himself a former 'IT man' – described IT people as "nomadic mercenaries". For the most part, this happens to be true. They move from job-to-job where the pay is better. Without basic loyalty, then, security for them is little more than a petty irritant.
Even if there is no question of outsourcing, what is known of an IT employee's morals? Are they honest? Are they fulfilled in their work? Are they resentful (of something or someone), and perhaps dishonest?
The latest American Bar Association study of 1,000 corporations showed that 48% of companies surveyed had experienced computer fraud in the past five years, and that the losses fell between $2 million and $10 million per respondent. It's a well-known fact that most fraud is committed by employees.
Perpetrators of IT crimes
The CERT Co-ordination Centre at Carnegie Mellon University – the US Government-funded 'clearing house' for cyber crime, vulnerabilities, alerts and patches – recently reported that incidents have grown by 2,368% from 1997 through to 2001 (an average annual compound rate of 474%). An expansion that's truly as mind-boggling as it is costly.
Not surprisingly, attrition.org – a web site monitoring network security – found that 6% of all crimes were committed by outsiders, 13% by former employees and 81% by existing employees. With a 'take' in the millions and high-tech crime rates in free fall, it's not at all surprising to discover that conviction rates are something like 30,000 events to every one caught red-handed. However, with rudimentary security not only could such criminal events be prevented, but a security manager with basic investigative skills may dramatically increase the number of convictions.
Collusion involving employees
Collusion between employees and criminal gangs is a common way in which systems may be attacked. The employee provides system information or brings into the workplace disks that the gang has prepared and proceeds to run them. The gang sets up its fraud, extortion or espionage heist, and subsequently pays its collaborator quite handsomely for their bespoke insider knowledge.
Even if the crime is ultimately discovered, it might be very difficult to establish how it happened or indeed who was involved. This is borne out by the fact that most computer-based frauds carry on for an average of three years and then stop for reasons known only to the perpetrators themselves.
Given the litigious climate that has evolved over the past few years, and the rapid advances made in e-business, there's much that companies need to know when it comes to the potential legal proceedings they may face. From e-mail and authentication issues to confidentiality concerns, the potential for lawsuits in today's Internet-connected world is considerable. The need for security is paramount since a company will (generally speaking) not be held liable – or may at least avoid punitive sanctions – if it took reasonable precautions to prevent attacks.
However, 'reasonable' is a subjective quality based on knowledge of a threat and the action taken to prevent the threat occurring.
Legal sanctions are no deterrent
Legislation has now moved on to protect companies from high-tech criminals, but at a time when fewer than one-in-six large corporations employ anyone to take ultimate responsibility for IT and information security. Sadly, legal sanctions are not a deterrent. The only true way to prevent 'telephone number' losses is to have strong security and procedures. Today, those procedures must come from the security manager.
The majority of managers bury their heads and hope against hope that the worst will not happen. David Cresswell, the managing director of ARC Training, estimates that about 50% of security managers don't routinely become involved in IT security issues. That's in spite of the fact that it's the IT systems which carry the greater part of the corporate data.
Above all others it's these systems which, if attacked or compromised, could inflict the greatest financial loss to the enterprise. "In many instances," states Cresswell, "security managers simply aren't invited to the IT discussion table."
That said, some practitioners in the security management profession are moving into this area with enthusiasm. There are training courses available to equip security professionals with the basic skills necessary to logically deal with problems encountered with computer security, and to successfully lead critical incident response teams.
Specialist courses in IT security for security managers – and those concentrating on IT crime investigation techniques – are beginning to enhance the contribution managers can make in this arena.
Eight steps to safer corporate computing for end users
Europe and the USA have tried to frame laws that can be sensibly used against IT miscreants, writes Dr Ian Palmer. The UK Computer Misuse Act 1990 tried and failed to deal with this problem, but it did introduce a new concept – which said that a case could be tried in the UK provided there was a significant link. Thus a hacker based in Kuala Lumpur who used an innocent host in the UK to attack an American web site could be tried in the UK. Relief came for the innocent host by way of a requirement under the Act that the prosecution must prove the accused had knowledge, ability and the intention to attack a site. Additional relief came with the 1995 Civil Evidence Act. Under this Act, documents encoded by Public Key encryption and sealed with a Digital Signature could be accepted as evidence by the Courts.
Regulatory liability is another area that’s gaining more ground, with the passage of Government legislation to protect the privacy of citizens in the financial sector, as well as others. In many of the cases seen around the world today, most Courts award the victims huge damages. Again, the liability rests with the owner of the system that’s breached. IT security is not only necessary to protect information and data... it’s also crucial for avoiding the damaging effects of litigation.
All companies and organisations must meet the standard of due diligence in order to minimise potential liability from information security breaches. In effect, due diligence requires managers to implement standard business practices and take precautions that a reasonable business manager – in their business environment – could be expected to take. Alas, due diligence is a difficult standard to meet because there are many, often ambiguous sources for what constitutes standard or reasonable business practices.
There are eight basic points which you can follow to ensure IT security:
The Board of Directors must make a clear statement as to how they view security, and what they expect from their employees. Written procedures that are understood and followed by all staff MUST be in place.
All IT and other staff that have sufficient skills to attack the system must be screened before being offered employment. This screening should include their background, friends, work experience and academic qualifications. The civil service and military vet their staff for the best reasons of security... so should Boards of Directors with their IT staff. Nor should screening start and finish with employment. It should be carried out on a cyclical basis. The cost of hiring an external organisation to do this could be minimal compared with damages awarded by a Court of Law...
Without good risk management tools it’s not possible to determine which countermeasures are most effective and security can therefore turn out to be ad hoc or at best cosmetic (and therefore easy to compromise).
Since most messages on the Internet can be read, it’s essential that they be encrypted. Today, there are cheap manifestations of the unbreakable Public Key cryptology which offer a very high degree of protection. This, in combination with Digital Signatures and a cryptographic checksum, will ensure that the message is not only confidential but that it hasn’t been tampered with in any way during transmission.
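To make the combination just described concrete, here is an added example (written for this edit; it is not code from the article or from ARC Training) in Go: the sender signs the message with a private key, encrypts it to the recipient's public key, and the recipient checks a cryptographic tag before trusting a single byte. The wire format, the choice of Ed25519 for the signature, RSA-OAEP for wrapping the one-time session key and AES-GCM for the tag, and the sample message are all assumptions of the example; the article names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed wire format for this example, not a real standard: the one-time AES key
// wrapped to the recipient's RSA key, the GCM nonce and ciphertext (its tag is the "checksum"), and the sender's signature.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// Seal signs the plaintext, then encrypts to the recipient; the signature rides as GCM associated data so the tag covers it.
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv ed25519.PrivateKey) (*Envelope, error) {
	sig := ed25519.Sign(senderPriv, plaintext)
	material := make([]byte, 32+12) // fresh AES-256 key plus 12-byte GCM nonce, used once
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	key, nonce := material[:32], material[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, sig), sig}, nil
}

// Open unwraps the session key, checks the GCM tag (any change to nonce, ciphertext or signature fails here), then verifies the signature.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key could not be unwrapped: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Signature)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed, message altered in transit: %w", err)
	}
	if !ed25519.Verify(senderPub, plaintext, env.Signature) {
		return nil, fmt.Errorf("signature does not verify: sender not authenticated")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// check aborts the demo on setup failures it cannot meaningfully recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// RunDemo protects a constructed sample message and reports three outcomes: the genuine message
// is recovered, a flipped ciphertext bit is rejected, and a message signed with the wrong key is rejected.
func RunDemo() (roundTripOK, tamperDetected, wrongSenderDetected bool) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	impostorPriv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // any other key will do
	msg := []byte("constructed sample: approve payment 10000 to supplier ref 4471")
	env, err := Seal(msg, &recipient.PublicKey, senderPriv)
	check(err)
	pt, err := Open(env, recipient, senderPub)
	roundTripOK = err == nil && string(pt) == string(msg)
	env.Ciphertext[0] ^= 0x01 // one bit flipped "in transit"
	_, err = Open(env, recipient, senderPub)
	tamperDetected = err != nil
	forged, err := Seal(msg, &recipient.PublicKey, impostorPriv)
	check(err)
	_, err = Open(forged, recipient, senderPub)
	wrongSenderDetected = err != nil
	return
}

func main() {
	fmt.Println(RunDemo())
}
```

Run with go run and it prints true true true: the genuine message is recovered, the flipped bit is rejected by the tag before the signature is even examined, and a message signed with another key fails verification. Checking the tag first is what turns "hasn't been tampered with" from a hope into a property the recipient can test.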
Firewalls are thought to be the ultimate in protection, but they are only as effective as the software that’s available and used. Strong exclusion policies should be in place and control exercised over the types and form of e-mail being sent such that any reference to race, religion or gender is qualified. Software that determines who may do what, when and where is another step forward, as are intrusion detection systems that alarm as soon as an intruder appears or an employee acts uncharacteristically.
Robust password mechanisms must be in place to ensure that only those authorised to access systems can actually do so. Perhaps frequently changed passwords could be supported by some form of smart card. The card would be inserted into the machine at the time of access, and after the password has been given. An inability to respond or a delay in response would disable the terminal.
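The terminal logic just described, as an added example (written for this edit; not code from the article or from ARC Training) in Go: the password is checked first, then the inserted card is shown a challenge it must answer within a deadline, and the terminal is disabled on no answer, a late answer or a wrong answer. The HMAC-SHA256 challenge-response protocol, the 200 ms deadline, the salted SHA-256 password hash and the sample credentials are assumptions of the example; the article specifies none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Outcome is the result of one logon attempt at a terminal.
type Outcome string

const (
	Granted          Outcome = "granted"
	BadPassword      Outcome = "bad password"
	TerminalDisabled Outcome = "terminal disabled"
	CardTimeout      Outcome = "card timeout"      // no card, or an answer after the deadline
	BadResponse      Outcome = "bad card response" // the card answered with the wrong value
)

// Terminal is the workstation-side state; once Disabled it refuses every logon until re-enabled.
type Terminal struct {
	Disabled    bool
	ResponseTTL time.Duration // how long the card has to answer the challenge
}

// Server is the per-user record on the host: salted password hash plus the card's shared secret (use a slow password hash in practice).
type Server struct {
	salt, passwordHash, cardSecret []byte
}

func NewServer(password string, cardSecret []byte) *Server {
	salt := randomBytes(16)
	return &Server{salt: salt, passwordHash: hashPassword(salt, password), cardSecret: cardSecret}
}

// randomBytes draws from the OS CSPRNG; failure is unrecoverable for an authentication host.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// CardResponse is the card's answer to a challenge: HMAC-SHA256 over the challenge under the
// card's secret. This protocol is an assumption of the example; the text does not specify one.
func CardResponse(cardSecret, challenge []byte) []byte {
	m := hmac.New(sha256.New, cardSecret)
	m.Write(challenge)
	return m.Sum(nil)
}

// Login runs the two-step logon from the text: password first, then a fresh random challenge
// the card must answer correctly within ResponseTTL. A missing, late or wrong answer disables
// the terminal. The card function stands in for the reader hardware; nil means "no card".
func (s *Server) Login(t *Terminal, password string, card func(challenge []byte) []byte) Outcome {
	if t.Disabled {
		return TerminalDisabled
	}
	if !hmac.Equal(hashPassword(s.salt, password), s.passwordHash) { // constant-time comparison
		return BadPassword
	}
	challenge := randomBytes(16) // fresh per attempt, so a recorded answer cannot be replayed
	started := time.Now()
	answer := card(challenge)
	if answer == nil || time.Since(started) > t.ResponseTTL {
		t.Disabled = true
		return CardTimeout
	}
	if !hmac.Equal(answer, CardResponse(s.cardSecret, challenge)) {
		t.Disabled = true
		return BadResponse
	}
	return Granted
}

func main() {
	secret := []byte("constructed card secret") // would be provisioned onto the card
	srv := NewServer("correct horse battery", secret)
	term := &Terminal{ResponseTTL: 200 * time.Millisecond}
	genuine := func(c []byte) []byte { return CardResponse(secret, c) }
	slow := func(c []byte) []byte {
		time.Sleep(400 * time.Millisecond) // card present but too slow to answer
		return genuine(c)
	}
	fmt.Println(srv.Login(term, "wrong password", genuine))        // bad password
	fmt.Println(srv.Login(term, "correct horse battery", genuine)) // granted
	fmt.Println(srv.Login(term, "correct horse battery", slow))    // card timeout; terminal now disabled
	fmt.Println(srv.Login(term, "correct horse battery", genuine)) // terminal disabled
}
```

Because every attempt uses a fresh random challenge, a response recorded from one logon is useless at the next, which is what makes the card a second factor rather than a second password. Re-enabling a disabled terminal is deliberately an administrative act outside this code, so a stolen password plus a missing or wrong card leaves a visible trace.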
Except for centrally-located and secure terminals there should be no A or D drives on terminals. This will prevent staff from bringing into the area pre-programmed disks or CD-Roms that hold spurious code. Similarly, terminals that can write CD-Roms should be located in secure areas and not be made accessible to all staff.
It goes without saying that if your physical security provision is poor, then any other form of protection will be somewhat pointless. This form of security should reflect the value of the data which the countermeasures are protecting.
These eight pointers are just the beginning. Recovery of databases, back-up procedures, personnel procedures, training, security manuals and contingency plans also play a significant part. However, by treating security seriously and implementing strong security measures, you will be able to mitigate due diligence claims as well as prevent fraud and other serious crimes.
Source
SMT
Postscript
Dr Ian Palmer is a specialist consultant in IT systems security and computer crime investigations at ARC Training