The Enemy Within

When it comes to combating worms, Trojan horses, and viruses, technology alone is not enough.
Russ BanhamOctober 6, 2004

Back in the 1950s, when Pitney Bowes was in the uncomplicated business of supplying postage meters to U.S. corporations, the company’s big security concern was relatively pedestrian: now and then, somebody’s relative would walk off with a meter machine.

Over the past 50 years, risk management at Pitney Bowes has undergone a slight bit of scope creep. Now a $4.6 billion (in revenues) mail-and-document-management specialist, the Stamford, Connecticut-based company provides, among other things, electronic billing, invoicing, and statement presentation for thousands of corporate customers. Last year alone, Pitney Bowes processed more than $14.5 billion in electronic postal payments.

While the move to E-document management has opened up whole new revenue streams for Pitney Bowes, it has also opened up a Pandora’s box of operational risks. And those risks strike at the very heart of the company’s 21st-century business model. “Unless we can give customers confidence about the security of our network,” says CFO Bruce Nolop, “we don’t have the ability to execute our business strategy. We might as well call it a day.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Shareholders tend to take a dim view of calling it a day. Hence, Pitney Bowes deploys state-of-the-art firewalls, software, and encryption algorithms to fend off network invaders. But despite sizable investments in network security, managers at the company have come to a rather startling conclusion. Says Nolop: “We’ve learned that an employee culture about security is just as important as security software — if not more so.”

Surprising stuff, but spot on. The truth is, the recent string of damaging denial-of- service worms, Trojan-horse scripts, and E-mail viruses have amply demonstrated the limitations of network security systems. The numbers tell the tale. Investment in IT security was up 16 percent last year, says UBS security-software analyst Dan Cummins in a recent report, yet Herndon, Virginia-based consultancy TruSecure Corp. says companies spent 23 percent more fixing infected machines. TruSecure reckons that a record 108 of every 1,000 corporate computers were hit by a virus in 2003. This year, fast-spreading digital pathogens MyDoom, SoBig, and Klez have inflicted an estimated $75 billion in damage.

The trail of destruction left by malicious code has driven home a simple point: human error can undo almost any firewall or safeguard. Chris Byrnes, a research director at tech consultancy The Meta Group, believes using technology to combat technology is only 20 percent of the solution. “If you look at the most common [computer] security failure in Corporate America today,” says Byrnes, “it’s the employee who clicks on an attachment in an E-mail that infects his machine that then infects the entire corporate network.”

Patching that vulnerability has become a top priority of late for many companies. In some cases, the fixes are remarkably simple. For example, a few senior managers, spooked by “malware” that targets vulnerabilities in Microsoft’s Internet Explorer, now advise employees to use browsers that are less attractive to virus writers. Still others have formulated companywide policies for computer-security procedures, fining workers who fail to follow the rules. More effective yet, a few corporations have begun to enroll employees in security-awareness training programs — and then test those workers to see if the lessons have been absorbed. Says Richard Mogull, research director at technology research firm Gartner: “You want to turn your employees into security assets, not security liabilities.”

True Artisans

This emphasis on the users of computers — rather than the computers themselves — can lead companies down some peculiar paths. For example, Chicago-based Rewards Network, a loyalty and rewards program, hired Intense School, a Fort Lauderdale, Florida-based company that offers security-awareness training. The twist? The classes are taught, in many cases, by former so-called black hats — onetime hackers who now use their powers for good.

Rewards Network CIO Mario Cruz says the training appears to be paying off. In June, Cruz hired Intense School’s consulting arm, Knowledge Shield, to see if the lessons had made an impression on employees. The IT consultancy performed ethical social-engineering testing — that is, the manipulation of workers (aka lying to them) to gain unauthorized access to IT systems or electronic information.

The ploy: a man called the company’s help desk claiming he was a remote worker and saying he had lost his password. The caller even offered personal details, including particulars about his children and his Social Security number. Remarkably, all but one employee referred the caller to security.

Then again, one lapse is all an intruder needs, which may explain why hackers are increasingly turning to social engineering to gain access to network systems. “I watch these public lists of social-engineering attacks day in and day out,” reports Art Manion, an Internet security analyst at the Computer Emergency Readiness Team Coordination Center, a Pittsburgh-based organization that publishes information on security incidents. “In the past six months, there has been a noticeable spike in their number.”

Given the payoff, hackers will go to almost any length to get inside a business. Indeed, the tales of social engineering boggle the mind. Ralph Echemendia, product-line manager and lead instructor at Intense School, says he and some former black hatters were once retained by a client to perform “penetration testing.” The plan of action? Echemendia and friends posed as graduate students making a film about corporate ethics. “We dressed the part and had rented some boom mikes and professional cameras, and told the security and PR people at this company that we were doing a documentary,” he recalls. “They allowed us to tour the corporate campus and ‘interview’ executives.” In the meantime, Echemendia’s crew were carrying hidden cameras that recorded personal and business information on workers’ desks, including PIN numbers and passwords that employees had hidden under their keyboards.

Gartner’s Mogull goes one further. He remembers one interloper, posing as an engineering consultant, who showed up at a business the day after the company’s CEO went on vacation and was out of pocket. The man insisted he had been hired to optimize an engineering plan, and that he had flown in specifically to do the job. The company employees bought the story, and gave the stranger new-product plans and other proprietary information. Recounts Mogull: “When the CEO returned and was told the engineering consultant had been there, he asked, ‘Who?’ “

The Phisher Kings

While social engineering is effective, it also entails a fair amount of personal risk (Mr. Nose, meet Mr. Fist). Hence, some hackers have begun resorting to a virtual version known as “phishing.” Phishing scams are named for the way they reel in victims with clever bait. Warnings of identity theft or pending account cancellations prompt victims to “confirm” financial information in an E-mail response or on a fake Website. Initially designed to wriggle credit-card numbers out of consumers by taking them to phony Websites, recent phishing scams have targeted business users.

The con typically starts when employees log on to their company’s intranet or Website. At that point, an employee is greeted by a pop-up window indicating that the employer is required to verify some personal information. The employee is then asked to reenter a password and user ID number. As with similar cons aimed at consumers, the bogus pop-up looks legitimate, which usually leads deceived workers to eventually fork over the information. Armed with that data, hackers often attempt to pry their way into consumer databases.

Although experts say blacklists and other filtering agents can limit the number of fake E-mails that wind up in employee in-boxes, plenty of phony messages still get through. That prospect should worry risk managers, particularly since a recent survey conducted by security company MailFrontier found that 28 percent of adults could not differentiate between phishing E-mails and legitimate ones.

Given the risks, some companies now advise employees against clicking on supplied links in E-mail messages. It’s a simple fix, but effective. In a similar vein, a small but growing number of businesses and organizations are urging workers to switch to browsers other than Internet Explorer. While not great news for Microsoft, the browser swap makes sense. The harsh reality is that virus writers have had a field day exploiting security vulnerabilities in IE. And they’ve gotten better at their craft. “Two years ago, it took hackers months to exploit vulnerabilities in IE,” notes Mogull. “Now we’re seeing attacks in weeks.”

This past June, for example, a fast-spreading worm called Download.Ject exploited holes in the Microsoft browser and started hijacking users’ computers to send out spam. A month after the pernicious worm started taking over machines, the U.S. government sent out an advisory recommending that users switch to another browser.

The warning, along with the damage caused by the Download.Ject scare, triggered a small but noticeable drop in IE usage. Reportedly, Mozilla’s open-source browser Firefox picked up the bulk of the defections. But even champions of alternative browsers concede that a switch comes with a price. Says Mogull: “You may lose the vulnerabilities, but you also lose some features and compatibility.”

Blithe Spirits

Besides, experts say workers often ignore security tips, blithely unaware of the serious damage malware can do to corporate networks. One cure: administer a little consciousness-raising. At Pitney Bowes, CFO Nolop says the company’s chairman recently sent out a voice mail to all employees reminding them of the importance of protecting consumers’ personal information.

Michael Schrage believes in the stern approach. The co-director of the E-markets initiative at Massachusetts Institute of Technology’s Media Lab, in Cambridge, Massachusetts, Schrage advises companies to send employees to classes that take them through scenario-based training. “Ask employees what they would do if someone they knew sent an attachment that looked suspicious,” he says. “Then, send them the attachment and see what they actually do.” Such war gaming, however, while effective, seems guaranteed to tick off workers. “Sure it will upset people,” concedes Schrage. “But it upsets me more when they open viral attachments that bring the network down for a day and a half.”

Rather than risk network outages, an increasing number of companies are codifying security guidelines into hard-and-fast rules. According to the UBS study, more than 60 percent of the CIOs interviewed planned to narrow or already had narrowed the scope of acceptable Internet and E-mail use by employees. Pitney Bowes recently established a Privacy and Security Task Force made up of security professionals and members of finance and IT. Says Nolop: “The task force is examining all processes to determine what kinds of policies and procedures we must have from a governance standpoint to reduce our exposure to loss [from a security breach].”

Generally speaking, senior executives who take the time to put together an overarching corporate computing policy tend to take the policy seriously. In one survey, conducted by security consultancy Computer Economics, nearly half of the corporate respondents said they had terminated workers for misuse of company computers.

Some executives, however, believe positive reinforcement can be just as effective as punishment. Says Kathleen Coe, regional director of education services at Symantec Corp., a Cupertino, California-based information-security company: “What really changes employee behavior,” she argues, “is when they do things right and are rewarded for it.” Coe tells of one company where each night Hershey’s Kisses were put on the keyboards of employees who logged off. The next morning, the employees who received a “kiss” wondered who gave it to them. “Those who didn’t [get one] felt the sting of embarrassment,” she adds.

Ralph Hromisin, CFO of Benco Dental Co., a Wilkes-Barre, Pennsylvania-based distributor of dental supplies and equipment, believes in the value of gentle reminders. “This may seem like a minor thing,” he says, “but whenever our system users sign on, they get a little pop-up that says, ‘Please remember that the information contained in this Website is confidential and proprietary and intended only for designated Benco users.’ “

Until, of course, the documentary film crew arrives.

Russ Banham, a contributing editor at CFO, is the author of The Ford Century.

Band of Outsiders

Managers at document specialist Pitney Bowes, for one, have hired TruSecure Corp. to provide an ongoing assessment of the company’s security procedures. For an annual subscription fee, Herndon, Virginia-based TruSecure audits Pitney Bowes’s enterprisewide security practices and controls. Says William Harrod, TruSecure director of research and intelligence operations: “We examine and document a client’s electronic controls, policies, and procedures, as well as their physical security.”

For instance, TruSecure checks to see whether a company requires employees to invoke password-protected screen savers when they leave their desks. The consultancy works with company management throughout the year to identify resources and classify them as information security risks. Adds Harrod: “We then help develop the security controls to protect them.”

Some companies go one step further, hiring outsiders to actually host their applications or application servers. Managers at mobile-computing-case maker Targus Group International Inc., for instance, outsource the company’s network server to security consultancy OneNeck IT Services, in Scottsdale, Arizona. Mostly, Targus management was worried that an intruder might be able to generate a customer order, ship a product, manage accounts receivables, or otherwise infiltrate the company’s cash-approval process. John H. McAlpine, CFO and executive vice president of the Anaheim, California-based manufacturer, says Targus does have strict process controls in place. But, he adds, management felt more secure having someone else looking after the company’s server. “[The OneNeck service] is not bullet-proof,” concedes McAlpine. “But it decreases the risk.” —R.B.

Virus Got by Us
The vast majority of computer pathogens are transmitted via attachments to electronic mail.
Virus Source 1996 2000 2003
E-mail attachment 9% 87% 88%
Internet downloads 10% 1% 16%
Web browsing 0% 0% 4%
Don’t know 15% 2% 3%
Other vector 0% 1% 0%
Software distribution 0% 1% 0%
Diskette 71% 7% 0%
Source: ICSA Lab, 2003