Better safe than sorry: how to protect company data

In June, Visa and MasterCard discovered what happens when data security breaks down. Hackers stole the credit card details of 200,000 customers from CardSystems Solutions, an Arizona-based company that ferries information from merchants to banks and credit companies. The computer hack briefly accessed US$4 million worth of transactions, forcing credit card companies to re-issue several thousand cards.

Whether we are aware of it or not, all of us rely on secure data. Whether it is payroll information or credit cards in the supermarket, we trust that information will be transmitted safely from hand to hand. When the system is working well, we are unaware it even exists. When it breaks down, we all suffer.

A major security breach generates a lot of publicity, but it is not the main risk to data. Employees and former employees are the most likely to steal, break into or damage computer systems and their contents. In a survey conducted by the U.S. Federal Bureau of Investigation (FBI), 80 percent of California companies reported insider abuse of their networks. By contrast, only 36 percent reported hacking.

"The primary risk to your data is internal," said Erik Laykin, director of the Pacific Rim branch of the InfraGard programme, the FBI's computer security project.

Cunning outsiders would have needed a tremendous amount of luck to stumble upon the right computer at the right time in the Arizona CardSystems case. "The bad guys did not hack the main system. They hacked into the marketing database where CardSystems did not have adequate control," said Laykin. CardSystems executives had transferred the data into another database temporarily for research purposes. It is plausible that only an insider could have known that the information was briefly vulnerable. "It very well may be an insider working with a hacker," said Laykin. But he said that at present, the company's preferred theory is that an outsider is responsible.

"Internal attacks range from destroying assets to ... disrupting operations and embezzlement, taking advantage of money transfers," said Cassio Dreyfuss, director of research for Latin America at Gartner. "The most common destruction is erasing accounts receivable and critical applications."
Employees, even disgruntled ones, are more likely to take financial advantage than randomly break things, however. "In more cases than not it is theft rather than destruction. For example, one of the simplest scams is to set up dummy accounts in payroll. The computer system then writes checks to dummy accounts, which the bad guy can then cash," said Laykin.

But the companies surveyed by the FBI said information theft cost far more than any other type of computer-related woe. They said they lost more than US$70 million in this way in 2003, the latest year for which data is available. During that same period viruses cost the same companies around US$27 million. Data theft cost more than 7 times as much as financial fraud, at around US$10 million, and 23 times as much as hacking, at less than US$3 million.

"In one example which is in court at the moment, the marketing department planned to go to the competition. Three employees took all the plans for the next five years and sold them, and their services, to the competitor. Then one day they all got up and left. Computer experts reviewed files and were able to determine a conspiracy," said Laykin.

Website hacking is the most common and most visible type of electronic break-in, but it is most likely to be the least serious, said Laykin. If your website is defaced it is embarrassing, but it is unlikely to harm your business unless you work in computer security. Few companies keep their key data on the same server as their website.

Xpander, a former hacker based in Mexico City, agrees. "They are not true hackers. We call them defacers," said Xpander. "The web system does not usually have important data on it." A true hacker is interested in digging deep to see what really makes computer systems tick; they are mostly not malicious, he added. "Hacking is trying to have knowledge about systems," said Xpander. "Hackers want freedom. Their intention is to satisfy their curiosity. They don't feel: 'I am better than you. I will corrupt your system.'"

What can be done?

So how does a company keep its data safe? Computer experts are unanimous: proper staff training will improve security further and faster than expensive technology. "Security is a process. The problem in Mexico is that companies do not have the training. They spend millions on security without really keeping their data safe," said Jorge Diaz Denis, manager at Mexis, a company that runs remote security centers in Mexico City, Queretaro, Guadalajara, Puebla and Monterrey. "Around 70 percent of companies only realize that something is wrong once it is already obvious," said Diaz. By then it may be too late. He estimated that 60 percent of Mexican data destruction is the fault of staff, but mainly through ignorance rather than malice. "Thousands of times it is through ignorance; users just don't know they have viruses, for example," he said.

Companies need to stop sitting their employees in front of a computer and telling them to get on with it, said Sanjay Bavisi, vice-president of the anti-hacking coalition the EC-Council, which organized the Hacker Halted conference in Mexico City in June. Something as simple as opening an Internet-based birthday card could let in a virus, but few people know it, Bavisi said.

Former hacker Xpander said that viruses mostly get in because users install them. "You download a program, you install it and you run it and nothing seems to happen, so you delete it and forget it. You have just given yourself a virus," he said. This happens hundreds or thousands of times a day all over the world. Virus writers load viruses onto sites under fake names, disguised as helpful programs. Most victims will not immediately think of disinfecting their machines after downloading a virus. Instead they will go and find a program that works and, having completed their task, forget about the little program that did not.

"I also teach people to stay away from malicious websites," Xpander said. Sites that spit thousands of pop-up windows onto your computer screen can also spit far more dangerous things into your computer's memory. There is an obvious clue that computer administrators can use to keep users away from these, he adds: "most of them say they are offering free porn."

Climate watch

Culture can only be part of how companies attack viruses, however, said Mexis's Diaz. Virus fighters have to keep one eye on the international climate, because viruses spread worldwide in seconds, he said. "Problems with viruses and Trojans occur at a global level," said Diaz. "Private companies which focus on their business lack the reaction time to deal with them."
Trojans, or Trojan horses [...]

Diaz's company categorizes threats using a system of four "C's" in Spanish: control, quantity (calidad), complexity and criticality. "Three of these are not dependent on us," he said. A company can try to control access to its computers, but it cannot affect the volume, complexity and aggressiveness of the viruses and worms in the world. "We cannot reduce the number of attacks, but we can increase the speed of our reactions to a change of environment," he said. Most companies are busy enough dealing with their complex business environment and have little time to monitor the global forecast for worms. Mexis offers to maintain this vigilance on a company's behalf.

Nasty as viruses are, theft is the information problem most likely to cost your company money. How do those infamous bad guys get the passwords they later use maliciously? The users tell them, most of the time, security experts say. "The best way to a computer password is to ask for it," said the EC-Council's Bavisi. Three-quarters of office workers stopped in the street gave away their password immediately in a 2003 survey conducted by Infosecurity Europe. Another 15 percent gave their passwords away when asked more indirect questions. The survey, conducted by stopping random commuters in London's Waterloo station, asked users their passwords and how they were chosen. The most common password was the user's first name. The next most common was "password." A hacker who knew a user's first name, favorite football team and birth date had a 50-50 chance of getting into their account.
A hacker prepared to stand in a public place with a clipboard had a 90 percent chance. One interviewee refused to give out his password, saying that he was the boss of the company and doing so might compromise security. But he did tell the interviewer that it was his daughter's name. After asking some other questions the interviewer returned to the topic. "So what is your daughter's name?" "Tamsin," the CEO replied.

A matter of trust

If so many people will give their passwords to a stranger, what about the risks that might arise from trusted colleagues? A boss may give his passwords to a secretary when he is out of town, and colleagues routinely share passwords in emergencies. Once the emergency is over, workers give a sigh of relief and get on with the rest of their lives. They do not think about what might happen to their password. The same London survey also found that 80 percent of workers would take confidential information with them if they changed jobs.

"Here is a question for your readers: when was the last time you changed your password?" Bavisi asked pointedly. He is helping to prepare a court case in Hong Kong where employees hired by a competing company continued to access data and emails from their former employers, at the encouragement of their new bosses. Yes, the second company has clearly acted maliciously. But much of the trouble would have been prevented if employees at the first company had taken the trouble to change their passwords at regular intervals, he said. That is something that many employees see as a pointless chore. Companies can also defend themselves with exit procedures that ensure that employees lose their computer access privileges when they walk out of the door.

Systems administrators may well be good at telling staff to do the dull housekeeping that should keep everyone safe, but when it comes to their own data they are frequently just as bad as the rest of us, Bavisi said. "A large number of hacks happen because administrators install defaults," said Bavisi. "Hackers can go to underground sites giving the default user names and default passwords for major software. People say to me 'I will never be hacked ... I have a $2 million firewall'. But if your user name is 'administrator' and your password is 'administrator' no technical solution can help you." He recently walked into an Asian central bank and found computer administrators' passwords pasted to the screens on Post-It notes; extremely convenient for someone who might want to steal a password to abuse later.

In fact, it was social research, more than computer knowledge, that made Kevin Mitnick one of the most successful criminal hackers ever, earning him the dubious distinction of being the first hacker to appear on an FBI Most Wanted [...]
In one case, Mitnick rang a video rental shop at regular intervals pretending to be the manager of a sister store across town and befriended one of the clerks. One day, he rang up saying that a customer from the clerk's store wanted to rent a video but had forgotten his identity card. Mitnick asked for the customer's security details, just to make sure. The clerk merrily read out the customer's name, address, credit card number and recent rentals, data Mitnick could readily use for fraud.

In many of his most successful hacks Mitnick did not touch a computer. Instead, he befriended company secretaries and computer administrators over the phone. Then, one day, he got them to download and install a program from the Internet that would send him the information he craved. When he was arrested, U.S. authorities were so terrified of Mitnick that they kept him in solitary confinement for eight months, believing that, if allowed near a phone, he would use his skills to launch the U.S.'s nuclear weapons.

One of the services offered by Mexis is a test of social hackability. Diaz's company will send some of its workers into a company or make phone calls trying to glean vital information. They will then report back to IT security personnel on how to tighten procedures against attack.

The meeting factor

Gartner's Dreyfuss recommends a less invasive procedure. "[...] by business process," he said. "Get your IT people and the people involved, put them around a table and ask them one question: 'what if ...?'" Computer industry experts began using this technique when companies were terrified about the millennium bug. "It is not a very fancy technique but it is enough to uncover failures and vulnerabilities," Dreyfuss said. As well as finding the weak spots in a system, it also changes behavior, he said. People come out of the meetings thinking about concrete security measures they can take. Many may be thinking of security for the first time ever.

"Traditional human solutions are the best defense against fraud: physical controls like card readers and security guards," said the FBI's Laykin. "Tell your employees that if they try something they will be watched." Laykin also recommends good auditing and logging systems. That way, if an employee logs in and trashes critical applications or e-mails a vital file to a competing company, at least there will be a record that can be used in court. Having said this, many Mexican companies [...]
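Laykin's advice on auditing and logging, together with the exit procedures and default-account warnings earlier in the article, can be turned into a routine review of the access log. The script below is an added example and is not the article's own or any quoted company's code; the audit log, HR roster and mail domains in it are constructed for illustration. It flags activity by accounts whose owner has already left, interactive logins to vendor default accounts, and files mailed outside the company, so that a record exists before anyone needs it in court.

```python
"""
Review a constructed audit log against an HR roster and flag the insider
patterns the article describes: access by accounts that should have been
disabled at exit, logins to default accounts, and sensitive files mailed
to an outside company. All data below is constructed for this example.
"""
from datetime import date, datetime

# Constructed HR roster: account -> last working day (None = still employed).
ROSTER = {
    "jgarcia": None,
    "mlopez": date(2005, 5, 31),      # left for a competitor on 31 May
    "administrator": None,            # vendor default account, never renamed
}

# Accounts that ship as vendor defaults and should be renamed or disabled.
DEFAULT_ACCOUNTS = {"administrator", "admin", "root", "guest"}

# Mail domains the company owns; any other recipient domain is external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed audit log, pipe-separated: time|account|event|detail
AUDIT_LOG = """\
2005-06-02T08:15:00|jgarcia|login|workstation=ws-12
2005-06-02T08:20:11|mlopez|login|workstation=vpn-3
2005-06-02T08:22:40|mlopez|mail_send|to=rival@competitor.test;attachment=five_year_plan.xls
2005-06-02T09:01:05|administrator|login|workstation=srv-db-1
2005-06-02T09:05:00|jgarcia|mail_send|to=colleague@example.com;attachment=agenda.doc
"""

def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)
        events.append({"time": datetime.fromisoformat(ts),
                       "account": account, "event": event, **fields})
    return events

def review(events, roster, default_accounts, internal_domains):
    """Return a list of (rule, account, reason) findings for a reviewer."""
    findings = []
    for ev in events:
        acct = ev["account"]
        # Rule 1: exit procedure failed; a departed employee is still active.
        last_day = roster.get(acct)
        if last_day is not None and ev["time"].date() > last_day:
            findings.append(("post_exit_access", acct,
                             f"{ev['event']} on {ev['time'].date()} after exit {last_day}"))
        # Rule 2: a vendor default account is being used interactively.
        if acct in default_accounts and ev["event"] == "login":
            findings.append(("default_account_login", acct, ev.get("workstation", "?")))
        # Rule 3: an attachment left the company; keep the record for later.
        if ev["event"] == "mail_send" and "attachment" in ev:
            domain = ev.get("to", "").rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                findings.append(("external_attachment", acct,
                                 f"{ev['attachment']} -> {ev['to']}"))
    return findings

if __name__ == "__main__":
    for rule, acct, reason in review(parse_log(AUDIT_LOG), ROSTER,
                                     DEFAULT_ACCOUNTS, INTERNAL_DOMAINS):
        print(f"{rule:24} {acct:15} {reason}")
```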
"Most of these companies blend file room and junk room: broken computer chairs or tables are all in the same room," he said. Even though the reasons are different, the problems presented can be the same. Companies want to protect their trade secrets from competitors. They want their files to be available when officials come to call, but they do not want rivals or union officials to have access. "Companies are growing more fearful that someone could get into their information. They think our company has put in a lot of effort and here comes a union guy who copies and hands it to someone who we don't want to have that information," said Linares. In Mexico, unions are feared as much as rivals, he says. His company offers to take and organize company files and store them away from the main office in a warehouse that is secure from prying eyes, as well as rats, fire and other physical hazards.

Security is inadequate across much of Mexico, perhaps in large part because businesses are not really sure what they want to protect, said Gartner's Dreyfuss. "What happens if your payroll application is down?... you need it once a month. If the worst comes to the worst you will pay everyone according to their last pay packet; most likely it is 99 percent right. If your ordering application is down, it is an imminent problem," he said. But when he goes to see a company to ask them about security, he only receives one sort of response. "When I ask 'what is the level of security required?' they always say absolute security," Dreyfuss said. "But absolute security costs an infinite amount of money."

Before deciding how to tackle security, companies have to learn to make a business decision about how much to spend and which parts of their business are essential and urgent.

Alexander Manda is a freelance journalist who lives and works in Mexico City. He can be reached at atmanda1@yahoo.com.