Playing fast and loose on the digital frontier

<div align="justify">

The risks are real and the stakes are high. Unconvinced? In 2002, the theft of proprietary information totaled $170 million. Financial fraud totaled $115 million. Have we got your attention now?

Information has always possessed an inherent value. As a result, information security is not a new phenomenon. Evidence suggests that information protection is nearly as old as civilized society. Ancient Egyptians, Greeks and Romans demonstrated varying degrees of encryption and decryption expertise in an effort to keep sensitive information secret. Although the practice of protecting information from unauthorized access, modification or compromise has changed little over time, the methodology has changed dramatically.

Many traditional barriers to information exchange do not exist in today's business environment. Access to sensitive data no longer requires physical proximity; data exists in smaller spaces and can be stored on increasingly compact, easily transportable media and can be transferred by wireless means. The benefits of speed and portability are balanced by the knowledge that information is more accessible and less protected than ever before. The rush to continually extend the boundaries of the digital frontier, to meet increasingly aggressive operational objectives in shorter periods of time, has left many business organizations in the precarious position of having more information assets open to compromise than ever before as they try to retrofit their existing digital security apparatus and countermeasures to meet today's security needs.

Threats and Vulnerabilities

Once an organization has identified its place at the digital frontier and executive management has defined its responsibilities and priorities with regard to defending that place, there is a group of unknowns to consider. The unknowns in this case are a loose collection of issues called threats and vulnerabilities. Threats to and vulnerabilities of an organization's digital security program are two sides of the same coin. Both are capable of inflicting extreme damage, and both may be effectively deflected with prescriptive vigilance and reactive diligence.

A threat to an information system is any act upon or against the system that is performed with the intention to cause harm. Threats can be internal or external to the organization; they can include human threats, such as disgruntled employees, or they may be derived from vulnerabilities, such as a remote server no one is aware of.

Vulnerabilities are generally inherent weaknesses in an information system, although some vulnerabilities may result from deliberate acts or omissions. Despite peer review, little commercial software reaches the market free from vulnerabilities, and even systems developed in-house frequently achieve full-scale implementation prior to the detection of potential vulnerabilities. Potential avenues of attack are discovered almost daily, and such information is freely disseminated among the IT community and other interested parties, including potential intruders or hackers.

According to the 2002 CSI/FBI Computer Crime and Security Survey, "the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting." Ninety percent of the survey's respondents had detected computer security breaches within the 12 months preceding the survey, and 80 percent acknowledged financial losses due to those breaches. The 44 percent of respondents that were willing or able to quantify their losses reported an aggregate $455 million worth of damage.

The most serious areas of loss were the theft of proprietary information, which totaled $170 million, and financial fraud, which totaled $115 million. The highest individual loss due to theft of proprietary information was $50 million; the average loss was $6.57 million. The highest individual loss due to financial fraud was also $50 million; the average loss was $4.6 million. Insider abuse of Internet access (for example, employees' use of company computers or access to download pornography or pirated software) or the inappropriate use of the organization's e-mail system cost respondents $50 million. Despite a high proportion of antivirus software implementation, viruses and their aftermath were detected by 85 percent of respondents and carried a price tag of $49.9 million.

As this information shows, the risks are real and the stakes are high. The executive management team must understand what they are facing as they stand at the edge of the digital frontier. It's a dangerous place with a landscape that changes, and with each incremental change, everything changes. Although any group or system within the organization can be the component leading the organization into the frontier, that component may be the vulnerable area or it may cause a vulnerability to be overlooked. All it takes is one person who doesn't "get it" to cause a security breach that can take vast amounts of time, money and manpower to fix and that can have grave repercussions in the marketplace.

There are obstacles beyond threats and vulnerabilities that present challenges for organizations at the edge of the digital frontier. Many of these obstacles are the product of misperceptions that can influence organizations in many ways, permeate the decision cycle from the executive to the user level, and undermine security efforts. Examples of these misperceptions include:

Information security efforts are an IT domain, or the purview of a specialized security group.

Security threats and vulnerabilities are unique to high-profile industries or companies.

Outsiders compromise information most frequently, and such compromise is often detected and prosecuted.

Security policies are sufficient to guide operations in a secure manner.

Security technology will solve security needs.

Security impairs organizational objectives and serves as a barrier to progress.

An Attack Scenario

Many threats exist on the digital frontier. Unfortunately, many companies have digital security programs that may be, in themselves, a serious vulnerability with regard to their ability to identify threats and address vulnerabilities in a way that mitigates the impact of digital security incidents, and their ability to respond appropriately when an attack occurs.

Consider the following real-world scenario and some of the questions it raises from the perspective of an executive who thought the organization was secure.

Stage One: Onset and Initial Response

An employee who has been with a major healthcare services firm for 15 years leaves the company under less than pleasant circumstances. Shortly afterwards, her former coworkers and others complain that their passwords on certain corporate systems such as e-mail are no longer working. It is known that the ex-employee had knowledge of those systems, including default or known passwords, and there are indications that she has used that knowledge to access components of those systems.

In an effort to resolve the situation, IT management issues an urgent request for employees to change their system passwords. Some respond appropriately and change their passwords; others ignore the request. At this stage in the scenario, several issues have been raised: The organization's policy regarding removing employees from the system when they leave is not being followed, nor is the organization's policy regarding requiring employees to change passwords on a routine schedule.

The organization's policy regarding the use of corporate applications that rely on default or hard-coded passwords at the system level—in other words, critical application functionality will break if the passwords are changed—has been shown to be a vulnerability, and there is apparently no policy restricting systems from using hard-coded passwords or requiring implementation teams to change default passwords prior to going live with systems.

The decision to shut down compromised systems or disconnect them from the Internet must be considered. Does current policy indicate the party responsible for making that decision, and does it address the impact of that decision on business?

Stage Two: Information-Gathering and Option Analysis

Because the ex-employee has gained illicit access to the e-mail system, the potential exists that other Internet applications also may have been compromised, such as the firm's online subscriber information database. Some of these applications may have default passwords that are crucial to their operations. The ex-employee may know these default passwords, or she also may know other employees' passwords to these applications.

As a response to this potential issue, programmers and vendors for the potentially compromised applications are contacted. They report that changing certain passwords on some systems is possible; however, it will take a month or more to make necessary programming changes and conduct remedial testing. The one-month time frame will affect the availability of the applications—perhaps even requiring that they be taken offline, which would necessitate a public explanation. This time frame will require adjusting the priorities of the current IT staff, thereby affecting the timeline of other projects currently underway.

Meanwhile, system and security administrators have put extra resources into determining how she is accessing Internet systems, but have little to show for their efforts. Some of the organization's information systems are configured to log activity; others are not. However, even those systems that log information are only logging certain events, for example, failed logins. They offer nothing in this situation because the ex-employee is not failing to log in; she knows passwords and she knows the system's "back doors." She knows where the system's holes are, which means she could change security configurations on the systems and no one would know.

This raises the following additional issues: There are no implemented policies for logging security events on all systems or for accountability with regard to monitoring those systems.

Without knowing which systems have been compromised, the organization cannot learn whether data has been modified, stolen or deleted, or whether sensitive or critical information, such as customer data or information regarding business partners, has been compromised.
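The logging gap described in Stage Two (systems that record only failed logins, so an attacker who knows valid passwords never appears in the audit trail) and the Stage One failure to disable departed employees' accounts can be illustrated with a small detection routine. The following is an added example, not code from the article or from the firm it describes: it parses a handful of constructed audit lines in an invented format, compares them against a constructed offboarding register, and shows what a failed-login-only filter reports versus what a terminated-account watchlist surfaces. Account names, dates, event names and the log layout are all assumptions made for the example.

```python
"""Added example: detection logic that a failed-login-only audit policy misses.

The audit-line format, the account names and the offboarding register below
are constructed for this example; they are not from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed offboarding register: account -> last working day.
# In the scenario, nobody disabled the ex-employee's account, so the only
# way to notice her activity is to compare events against this list.
OFFBOARDED: Dict[str, date] = {"mreyes": date(2009, 3, 1)}

# Constructed audit lines.  Fields: <date> <event> account=<who> [target=<whose account>]
SAMPLE_LOG = """\
2009-03-02 LOGIN_FAIL account=jdoe
2009-03-02 LOGIN_OK account=jdoe
2009-03-02 LOGIN_OK account=mreyes
2009-03-02 PASSWD_CHANGE account=mreyes target=jdoe
2009-03-03 LOGIN_OK account=mreyes
2009-03-03 PASSWD_CHANGE account=jdoe target=jdoe
"""


@dataclass
class Event:
    day: date
    kind: str
    account: str          # the account performing the action
    target: Optional[str] # the account acted upon (password changes only)


def parse_line(line: str) -> Event:
    """Parse one constructed audit line into an Event."""
    parts = line.split()
    day = date.fromisoformat(parts[0])
    kind = parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:])
    return Event(day, kind, fields["account"], fields.get("target"))


def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def failed_login_only(events: List[Event]) -> List[Event]:
    """What the scenario's systems actually alert on: nothing but failed logins."""
    return [e for e in events if e.kind == "LOGIN_FAIL"]


def terminated_account_findings(events: List[Event],
                                offboarded: Dict[str, date]) -> List[str]:
    """Flag any activity by an offboarded account after its last working day.

    Successful logins are suspicious on their own; a password change on
    someone else's account from such a session is the Stage Three hijack.
    """
    findings = []
    for e in events:
        last_day = offboarded.get(e.account)
        if last_day is None or e.day <= last_day:
            continue  # not an offboarded account, or still employed that day
        if e.kind == "PASSWD_CHANGE" and e.target and e.target != e.account:
            findings.append(
                f"{e.day} offboarded account {e.account} changed the password of {e.target}")
        else:
            findings.append(
                f"{e.day} {e.kind} by offboarded account {e.account}")
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Failed-login-only view:", len(failed_login_only(evts)), "event(s)")
    for f in terminated_account_findings(evts, OFFBOARDED):
        print("FINDING:", f)
```

On the constructed input the failed-login filter reports a single benign event (an ordinary user mistyping a password) while the watchlist reports three, including the password change on another employee's account. The design point is that successful authentication and account-maintenance events need to be logged and correlated with HR data; a log that records only failures can never show an attacker who holds valid credentials.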

Stage Three: Escalation

Five days have elapsed since the first security breach was discovered. The ex-employee is still accessing corporate systems and changing employee passwords. She has hijacked the e-mail account of a current employee and uses it to send an internal e-mail to management. This e-mail, appearing to come from a current employee, complains that the ex-employee was "let go" unfairly and "did nothing wrong."

The issues under discussion have become broader in tone, and more urgent: Activating the business continuity or disaster recovery plans is considered.

The decision to contact law enforcement is considered, as well as the public relations ramifications of taking that step.

Stage Four: Malicious Escalation

The ex-employee sends another e-mail to selected company managers, this one containing an agenda. It reveals that for some time she was frustrated by the firm's lack of security and that "no one listened" to her attempts to address it. Now, she has their attention. The e-mail further reveals that she is in possession of patient healthcare histories and intends to disclose the information to the public, just to show how insecure the company's environment is.

At this juncture, the scenario could move in several directions. However, the point has been made that the well-being of the organization has been placed in grave jeopardy by the actions of one person who may have limited but critical knowledge of the system and perhaps only ordinary computer skills. This scenario or one eerily close to it could be played out in any large company in any industry at any given time.

Executive-level managers and corporate officers must ask themselves how it would be handled if it happened at their firm: Would the digital security program currently in place have the resources to find the necessary answers, and do so in a timely and organized fashion?

Would prior decisions made by executive management about digital security empower or hinder those responsible for digital security as they sought to find solutions?

What would it cost to address this scenario?

What would shutting down a busy website for 24 hours cost in terms of lost revenue, not to mention the damage to the organization's public image?

What are the legal ramifications of having sensitive private information publicly released?

What would it cost to have system administrators spend hundreds of hours investigating the incident and rebuilding compromised systems?

What would it cost to have administrators and senior management spend dozens or hundreds of hours in meetings during and after the incident?

What would it cost to have the public, government and media relations departments spend hundreds of hours working on damage control plans and collateral materials intended to restore decreased customer and shareholder confidence?

How much will the stock price drop, and how long will it take to rebound?

Worst of all, what if such an attack happens again before the organization has a new program in place?

</div>
