
Insecure About Security

The technology to combat computer hackers is improving, but the most potent weapon is still the individual company's adherence to best practices.
Esther Shein, CFO Asia
November 15, 2007

It's every CFO's nightmare. A fax comes in containing a thinly veiled threat: "You have a breach in your security system and you need to hire us to fix it." People typically ignore the fax until a second and then perhaps a third message comes — this time with a sample report of credit card numbers, says Gene Fay, a vice president at RSA Security Inc., the security division of storage giant EMC. The threat becomes stark: "You need to pay us or we'll post all these numbers to a website." If the company opts to pay, the hacking rarely gets reported. If they try to fight and find the perpetrators, they may step into a murky world of organized crime.

Reports about major companies' networks getting hacked are becoming frighteningly commonplace. The hacking has evolved from a kid defacing a Website five or six years ago to organized crime groups realizing there is big money to be made from stealing a company's sensitive customer information. Security experts say that in Russia, for example, loose law enforcement is motivating computer programmers to design malware that can be used by cybercriminals to steal credit card and social security numbers and sell the information on the black market.

Database hacking is not limited to any particular region. "It's a transborder data flow problem, which means the thefts and attack strategies quickly move from jurisdiction to jurisdiction, so the applicability of the laws is difficult to discern," says Andrew Walls, a research director with Gartner Group in Melbourne. But Asia is becoming a particular target, in part because of the philosophy of trust that companies in this region tend to nurture. "We're seeing a trend of information being scanned and looked at more on the Asian market, which we believe will result in more hacking into systems, because the people doing the penetration testing or identification of vulnerabilities are going to see them as easier opportunities," says Doug Howard, chief operating officer of BT Counterpane, a managed security company in the United States.

Companies in Asia that are only now starting to open their businesses to the outside world are especially vulnerable. When Techcombank decided to become the first bank in Vietnam to provide customer Internet banking services, officials knew standard passwords wouldn't be enough for database protection because of the hackers' aggressive techniques. The bank chose RSA's Two-Factor Authentication (2FA) key token system for user authentication. When customers first register for the Internet service, they are given the token key, a user ID and user guide. The password they create combined with the token key becomes their login password. Their account will be locked if one or both passwords are entered incorrectly.

Focus on Best Practice
The good news is that the tools to combat hackers have become more sophisticated, allowing companies to home in at a very granular level. The bad news is that hackers are rapidly working out what exactly those tools are. That is why companies must recognize that technology in and of itself will not prevent network attacks, security experts say. First and foremost, they must have the fundamentals in place.

"If you've got weak passwords and [there are worms or Trojans] in Web-based applications, hackers will gain access to back-end databases," says Johannes Ullrich, chief research officer at the SANS Institute, which provides information security training and certification. "Companies often fail to apply patches or use strong passwords or ensure that the code they write internally is secure, because it's too time-intensive."

But before a company can assess whether a specific data request going against a database is appropriate or not, it must have a benchmark against which to judge that activity. "You have to do the hard, boring work of defining your business processes and how those business processes should be segmented," emphasizes Walls from Gartner, adding that "99 percent of the time you can defeat a probable security attack by designing your business processes better."

BT Counterpane's Howard warns that simply deploying an event management or perimeter security tool will "either add no value because it's not configured properly — or it will disable all the things that were working properly in your business." When implemented correctly, event monitoring tools let companies decide whether to give access to different levels of users, and also give the option of shutting them out from, say, midnight to 3 a.m., when the chances of getting hacked are greater.

Sasan Hamidi understands the importance of being methodical when it comes to making security systems work for the business. The chief information security officer of U.S.-based Interval International, a vacation exchange network, says that as the company began building a security infrastructure, officials established specific policies and procedures about who can access what systems. In addition to network-based intrusion detection systems (IDS), host-based intrusion systems and firewalls, Hamidi deployed nFX SIM One, a security information management system from netForensics. His IT group set up certain thresholds so the system knows what types of behaviors to look for, ensuring that staff isn't inundated with alerts.

Hamidi declined to say whether Interval's databases have been hacked, but concedes that "our systems and applications get scanned about every hour by people looking for a backdoor vulnerability they can find to exploit."

Better Tools
Once they do their due diligence, companies will more effectively combat hackers because security tools vendors have also gotten better at letting an administrator see what's happening, both on the network and out at the edge — meaning everything from BlackBerries to instant messaging, says RSA's Fay. Tools in what Fay refers to as the security information and event management space (SIEM) provide a very efficient way to collect logged data.

When a user signs into his or her email account, a log is created starting with the time and the applications the person accessed. "If for some reason you try to access financial information on the Oracle database that's beyond your rights, the system creates a report and you can have your security team investigate it," he says. Previous tools may have only tracked a person logging on and off, but they weren't able to correlate what people were doing the whole time they were on the network, according to Fay.

"It's a cliché, but a combination of technology, business processes and people is the only way those things will work properly," says Howard. "Most attack strategies involve some level of process breakdown," adds Walls. The vast majority of the cyberfraud he sees is based on social, rather than technological issues. CFOs take note. You don't need to live the nightmare anymore.

Esther Shein is a U.S.-based business writer.

Losses Jump, Spending Doesn't

A snapshot of the latest Computer Security Institute survey findings on computer crime shows that the average loss per company suffering a breach is up substantially after several years of decline, but spending, while up slightly in dollar volume, is dipping as a percent of IT budgets.

Computer Security Institute survey on computer crime, security spending, and loss

CFO Publishing Corporation 2009. All rights reserved.