
www.computer.crime: E-Crime and What To Do About It.


Any doubts in the business community that hacking and computer crime pose a serious threat were shattered by the attacks last month that temporarily shut down Internet mega-sites Yahoo, Amazon.com, eBay and E-Trade. While the threat is real, it can be minimized by taking sensible steps including implementing compliance programs to protect company networks and mechanisms to detect, report, and respond to computer attacks.

For Fun, For Profit

Most people imagine a "hacker" as an anonymous cyber-intruder writing endless lines of code to penetrate a system from outside. But half of unauthorized system intrusions involve insiders who have, or had, legitimate access to the system -- and often a personal axe to grind. In addition, hacking has entered the mainstream, spurred by downloadable "hacking tools" that can enable even computer novices to launch devastating cyber-assaults.

Raising the stakes for would-be targets is the substantial profit motive driving much of the current crop of intrusions. Some hackers seek to cash in on their computer cunning. And unscrupulous businesses find it cheaper to have a hacker steal competitors' secrets than to develop new products or customers themselves.

As with "hacking," our popular conception of "computer crime" must be broadened. An attack on another computer to obtain stored data is just one illustration. Sometimes, cyber-criminals' goal isn't information but to damage the victim computer itself.

In other instances, a computer serves as the indispensable tool to commit an otherwise impossible crime. For example, a group of hackers employed a computer in a scheme to rig the telephone call-in contests on Los Angeles area radio stations. Their take: two Porsches, trips to Hawaii, and a bundle of cash.

The impact could have been far worse. The hackers had figured out how to seize control electronically of virtually any telephone line in California, and though they chose not to, had the capability to disrupt phone service to entire regions of the United States.

The Underreporting Problem

Businesses want the bottom line: How serious is the threat? In truth, no one knows. But data from governmental, academic and industry observers agree computer crime has mushroomed since the early 1990's -- not surprising given the boom in computer usage and e-commerce.

What's more, most published statistics actually understate the threat, due to poor detection and low reporting. These two problems are highlighted by a Department of Defense study in which DoD attacked 38,000 of its own machines, successfully penetrating 65 percent. Systems administrators detected just four percent of the successful intrusions. And of these, one fourth were actually reported -- meaning only one percent of successful attacks were both detected and reported. Similar detection and reporting rates occur within private industry.

Social Engineering

A hacker must find a vulnerability, human or technical, which he then exploits to circumvent security measures. "Social engineering" -- tricking company staff into providing information that can help establish access -- often entails posing as a member of the computer or MIS department to obtain passwords from unsuspecting employees.

Hackers frequently go "dumpster diving" in trash bins at or near a target company, finding outdated personnel rosters tailor-made for making pretext calls using real employees' names. Businesses routinely discard outdated computer manuals or internal documents that contain a gold mine of information for a hacker.

Technical Vulnerabilities

Hackers also employ "sniffers" and other software to gain access to victim systems. One trick is to replace a victim company's log-in program with a modified program that gives the hacker the user names and passwords of authorized users as they log into the system. Few companies routinely check for modified log-in programs.
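
The routine check that few companies perform can be as simple as comparing each log-in program against a recorded known-good fingerprint. The following Python sketch is an added illustration, not part of the original article; the file names are constructed stand-ins and the function names are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Return (sha256 hex digest, permission bits, owner uid) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid

def build_baseline(paths):
    """Record a known-good fingerprint for each monitored program."""
    return {p: fingerprint(p) for p in paths}

def verify(baseline):
    """Compare current state to the baseline; return {path: finding}."""
    findings = {}
    for path, (good_hash, good_mode, good_uid) in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
            continue
        cur_hash, cur_mode, cur_uid = fingerprint(path)
        if cur_hash != good_hash:
            findings[path] = "content changed"
        elif (cur_mode, cur_uid) != (good_mode, good_uid):
            findings[path] = "permissions or owner changed"
    return findings

def demo():
    """Constructed sample: a stand-in 'login' file that is then swapped out."""
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "login")        # hypothetical stand-in, not /bin/login
        passwd = os.path.join(d, "passwd_tool")  # second constructed file
        for p, body in ((login, b"original login program"), (passwd, b"original tool")):
            with open(p, "wb") as fh:
                fh.write(body)
        baseline = build_baseline([login, passwd])
        clean = verify(baseline)                 # nothing has changed yet
        with open(login, "wb") as fh:            # simulate the replaced log-in program
            fh.write(b"modified login program")
        os.chmod(passwd, 0o777)                  # simulate a loosened permission
        return clean, verify(baseline), login, passwd

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored where someone with access to the monitored machine cannot rewrite it, such as read-only media or a separate host.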

Technical weaknesses should, of course, be remedied. But human vulnerabilities remain more difficult for companies to address. While training may heighten shredder usage and wariness toward unknown callers, most private industry employees still do not treat the threat as real.

Recognizing the Need for Compliance Programs

Nobody can predict which companies will be attacked. But a system isn't immune just because the information inside has little value. A hacker may want to hijack one system to attack others, thereby concealing his tracks.

An attack brings obvious costs: lost computer time, employee hours spent on investigation or repairs, lost revenues for e-commerce firms. Consider also that e-commerce companies, once attacked, could find business interruption insurance more difficult or expensive to obtain. In addition, intrusions leading to loss of third party information such as credit card and social security numbers can expose companies to costly lawsuits. And the loss of proprietary information can threaten a business's survival.

A comprehensive compliance program designed to guard against computer intrusions, ensure detection, improve reporting, and minimize harm can therefore prove enormously cost-effective.

Designing an Effective Compliance Program

An effective compliance program addresses both human and technical vulnerabilities, and protects against both outside and inside attacks.

Background and security checks should be performed on key computer network personnel, including outside contractors who build or service the network. Companies seldom conduct such checks, even where checks are routine for personnel who will have access to proprietary business information. All personnel, from the CEO to the stock clerk, must understand the risks of social engineering and learn what to do in the event of attack -- whom to notify, and how to preserve evidence that may prove useful to company counsel or law enforcement.

In addressing the inside threat, appropriate banners on company networks ensure that employees have no expectation of privacy in their use of the network. Companies must be vigilant concerning incidents where employees exceed system privileges without adequate explanation. Careful human resources policies can reduce the danger from disgruntled individuals.

Assessments of a system's technical vulnerabilities should occur regularly. Installing firewalls and, for some firms, intrusion detection software, makes sense.

Effective compliance programs require long-term commitment. A company must designate a "compliance officer" - a senior executive or outside counsel with authority to take corrective action - and should maintain a compliance hotline for employees to report security or ethical breaches.

Existing Laws to Combat Computer Crime

The federal government and many states have laws to combat hacking, criminal use of a computer, and other computer-related offenses. Some state measures track the federal computer crime statute. Codified at 18 USC § 1030, this statute addresses a range of conduct by outsiders and insiders, including attacks directed at a computer, attacks to obtain information, and attacks to further schemes to defraud or done with intent to extort. Besides providing criminal penalties, it permits private parties to bring civil suits for violations of the statute.

Other federal laws, including the wire fraud statute, provide additional bases for prosecution. Companies cannot assume, however, that intrusions into their systems will be prosecuted. Businesses must take responsibility for their own protection.

The recent explosion in e-commerce has expanded business opportunities considerably. Likewise, the rise in telecommuting has increased worker productivity and job satisfaction.

Less apparent, perhaps, is that these benefits come at a cost: remotely accessible computer networks are inherently more vulnerable to attack. There are those who say that future advances in technology will ensure that companies can do business in an open environment with no fear of being victimized. Until that day, however, companies that both recognize the threat of computer crime and take appropriate steps to guard against it will enjoy a competitive edge.

David J. Schindler is a Partner in the Los Angeles office of Latham & Watkins. Thomas H. Halpern, an associate in the Los Angeles office, assisted with this article.
COPYRIGHT 2000 CBJ, L.P.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2000, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:HALPERN, THOMAS H.
Publication:Los Angeles Business Journal
Geographic Code:1USA
Date:Mar 27, 2000