It’s every CFO’s nightmare. A fax comes in
containing a thinly veiled threat: “You have a breach in
your security system and you need to hire us to fix it.”
People typically ignore the fax until a second and then
perhaps a third message comes — this time with a sample
report of credit card numbers, says Gene Fay, a vice
president at RSA Security Inc., the security division of
storage giant EMC. The threat becomes stark: “You
need to pay us or we’ll post all these numbers to a website.”
If the company opts to pay, the hacking rarely gets
reported. If they try to fight and find the perpetrators,
they may step into a murky world of organized crime.
Reports about major companies’ networks getting
hacked are becoming frighteningly commonplace. The
hacking has evolved from a kid defacing a Website five
or six years ago to organized crime groups realizing
there is big money to be made from stealing a company’s
sensitive customer information. Security experts say
that in Russia, for example, loose law enforcement is
motivating computer programmers to design malware
that can be used by cybercriminals to steal credit card
and social security numbers and sell the information on
the black market.
Database hacking is not limited to any particular
region. “It’s a transborder data flow problem, which
means the thefts and attack strategies quickly move
from jurisdiction to jurisdiction, so the applicability of the laws is difficult to discern,” says Andrew Walls, a
research director with Gartner Group in Melbourne.
But Asia is becoming a particular target, in part because
of the philosophy of trust that companies in this region
tend to nurture. “We’re seeing a trend of information
being scanned and looked at more on the Asian market,
which we believe will result in more hacking into
systems, because the people doing the penetration testing
or identification of vulnerabilities are going to see
them as easier opportunities,” says Doug Howard, chief
operating officer of BT Counterpane, a managed security
company in the United States.
Companies in Asia that are only now starting to
open their businesses to the outside world are
especially vulnerable. When Techcombank decided to become the first bank in Vietnam to provide
customer Internet banking services, officials
knew standard passwords wouldn’t be
enough for database protection because of
the hackers’ aggressive techniques. The
bank chose RSA’s Two-Factor Authentication
(2FA) key token system for user
authentication. When customers first register
for the Internet service, they are given
the token key, a user ID and user guide. The
password they create combined with the
token key becomes their login password.
Their account will be locked if one or both
passwords are entered incorrectly.
Focus on Best Practice
The good news is that the tools to combat
hackers have become more sophisticated,
allowing companies to home in at a very
granular level. The bad news is that hackers
are rapidly working out what exactly those
tools are. That is why companies must recognize
that technology in and of itself will
not prevent network attacks, security
experts say. First and foremost, they must
have the fundamentals in place.
“If you’ve got weak passwords and [there
are worms or Trojans] in Web-based applications,
hackers will gain access to back-end
databases,” says Johannes Ullrich, chief
research officer at the SANS Institute,
which provides information security training
and certification. “Companies often fail
to apply patches or use strong passwords or
ensure that the code they write internally is
secure, because it’s too time-intensive.”
But before a company can assess
whether a specific data request going
against a database is appropriate or not, it
must have a benchmark against which to
judge that activity. “You have to do the
hard, boring work of defining your business
processes and how those business
processes should be segmented,” emphasizes
Walls from Gartner, adding that “99
percent of the time you can defeat a probable
security attack by designing your
business processes better.”
BT Counterpane’s Howard warns that
simply deploying an event management or
perimeter security tool will “either add no
value because it’s not configured properly —
or it will disable all the things that were
working properly in your business.” When
implemented correctly, event monitoring
tools let companies decide whether to give
access to different levels of users, and also
give the option of shutting them out from
say, midnight to 3 a.m., when the chances of
getting hacked are greater.
Sasan Hamidi understands the importance
of being methodical when it comes to
making security systems work for the business.
The chief information security officer
of U.S.-based Interval International, a vacation
exchange network, says that as the
company began building a security infrastructure,
officials established specific policies
and procedures about who can access
what systems. In addition to network-based
intrusion detection systems (IDS), hostbased
intrusion systems and firewalls,
Hamidi deployed nFX SIM One, a security
information management system from net-
Forensics. His IT group set up certain
thresholds so the system knows what types
of behaviors to look for, ensuring that staff
isn’t inundated with alerts.
Hamidi declined to say whether Interval’s
databases have been hacked, but concedes
that “our systems and applications get
scanned about every hour by people looking
for a backdoor vulnerability they can
find to exploit.”
Better Tools
Once they do their due diligence, companies
will more effectively combat hackers
because security tools vendors have also
gotten better at letting an administrator see
what’s happening, both on the network
and out at the edge — meaning everything
from BlackBerries to instant messaging,
says RSA’s Fay. Tools in what Fay refers to
as the security information and event management
space (SIEM) provide a very efficient
way to collect logged data.
When a user signs into his or her email
account, a log is created starting with the
time and the applications the person
accessed. “If for some reason you try to
access financial information on the Oracle
database that’s beyond your rights, the system
creates a report and you can have your
security team investigate it,” he says. Previous
tools may have only tracked a person
logging on and off, but they weren’t able to
correlate what people were doing the
whole time they were on the network,
according to Fay.
“It’s a cliché, but a combination of technology,
business processes and people is
the only way those things will work properly,”
says Howard. “Most attack strategies
involve some level of process breakdown,”
adds Walls. The vast majority of the
cyberfraud he sees is based on social,
rather than technological issues. CFOs
take note. You don’t need to live the nightmare
anymore.
Esther Shein is a U.S.-based business writer.
Losses Jump, Spending Doesn’t
A snapshot of the latest
Computer Security Institute survey
findings on computer crime shows that
the average loss per company suffering
a breach is up substantially after
several years of decline, but spending,
while up slightly in dollar volume,
is dipping as a percent of IT budgets.