Large organizations should prepare themselves for more-clever and more-targeted attacks against their security infrastructures this year. That's the one thing law-enforcement officials, security experts, and industry executives agree on. Everything else — from the proper way to assess damages after a security breach to whether or not companies should report these breaches to the Federal Bureau of Investigation — seems to be up for debate.
"We are currently seeing attacks like we have never seen before," says Bruce Helman, unit chief overseeing technology issues for the FBI's Counterintelligence division. "Many are coming from Eastern Europe and are more sophisticated and more difficult to detect." Increasingly, Helman says, these attacks are perpetrated for money rather than hacker thrills and boasting rights as was the case in years past. Hacker groups have added financial savvy to their technical skills and have become masters of blackmail, and of negotiating with companies to extort the maximum amount of cash from them.
Until recently, Helman says, many of these groups didn't know how to calculate their demands and asked for absurdly small amounts of money for either returning sensitive data or stopping automated attacks. Now, he says, they routinely demand $10,000 to $50,000, and many companies are more than willing to pay up in order to hush up the security breach. As in all forms of blackmail, a one-time payment is no guarantee against future demands, nor does it ensure that hackers won't sell the data anyway. In addition, reluctance to bring authorities into the picture leaves those same hackers free to try their schemes over and over again. The FBI has run an information-sharing program called Infragard since 1996, and while 68 of the country's 100 largest companies have participated, insiders acknowledge that there is plenty of hesitation about admitting to weakness or breaches.
Analysts say companies have understandable motives for keeping things quiet. First, given new regulatory requirements to protect data, admitting to a breach could lead to fines, lawsuits, and government investigation. Second, companies that deal in sensitive customer data know public knowledge of such security leaks could damage their business. The San Diego–based consumer-rights group Privacy Rights Clearinghouse says that more than 51 million Americans have had their personal data, including financial account numbers, Social Security numbers, and driver's license information, breached in more than 95 separate incidents since February 2005. These incidents have involved large organizations such as ChoicePoint, Wachovia, Bank of America, CardSystems, Northwestern University, and even the Department of Justice and the Federal Deposit Insurance Corp.
But the "keep it under your hat" approach to security breaches may soon be impossible. Many companies, particularly in the health-care and financial-services arenas, now operate under strict regulations that require them to report such attacks without delay. California's data security notification law, one of the toughest in the nation, has inspired more than a dozen bills in Congress in an effort to take such regulations nationwide. If companies find the current climate onerous, they aren't saying so. "We are obligated to report any [security breaches] under Sarbanes-Oxley," says David Valcik, vice president of technology services at Fort Smith, Arkansas-based Beverly Enterprises Inc., a nationwide provider of long-term care and assisted living to the elderly and disabled. "But we also want to assist in tracking down these types of threats" to keep them from happening again, he says.
With good reason. While computer viruses, which are broad-based and largely senseless attacks, are still common, many hacker groups now zero in on particular companies or types of data. "They are going after companies or even specific individuals within those companies," says Toby Weiss, general manager and senior vice president of security management at Islandia, New York–based CA. "It's kind of like going from phishing to what you might call 'spear-phishing.'"
"They are going after a particular company for a specific purpose, and they are being paid to do it," agrees Gartner Inc. analyst Peter Firstbrook. "The motivation is now profit, and we are seeing a merging of commercial interests and the underworld of hacking." Sometimes hackers are hired by shady firms that resell the data, essentially laundering it until a company may buy it without understanding that it has been stolen. As one example of the increasing sophistication of attacks, in November the Securities and Exchange Commission brought charges against a company in Estonia for joining Business Wire, a service that disseminates press releases and regulatory filings, and then hacking the company's computers to gain early access to data that influenced its buying and selling of stocks. The SEC said it believed the firm had made at least $7.8 million in profits as a result.
Putting a Price Tag on Security
For companies that have been the victims of attacks, assessing the damage is not easy. "I don't think anyone has a good way of finding the cost of an event," says Firstbrook. "Most companies don't really do the proper postmortem, or, if they do, they have no idea what to include in the analysis." One company, he says, may include everything from the soft cost of diverting its IT department from a strategic project to an estimate of the effect on lost sales and the company's reputation. Another may lowball it, looking only at, say, the costs directly tied to the response.