How secure is your IT network?

A review of the biggest network threats and current IT security

Companies that have a website or use the internet are exposed to potential compromises to network security. We look at the biggest network threats and the current state of IT security.

With cyber crime on the rise and the absence of an international enforcement agency with the ability to crack down effectively on cyber criminals, it is more important than ever that all companies make sure their networks are safe.

Any company that has a website or a network of computers is vulnerable to attacks ranging from a determined hacker to a worldwide computer virus or worm. These attacks have the ability to paralyse a company's systems or, even worse, pilfer back-end information.

The nature of threats to network security has evolved as the computer systems have become more intricate and advanced. This has forced security measures to evolve as well, to keep client data and information safe from prying eyes.

History of hacks

ARPANET was the first computer network and the forerunner of the internet. It was created in 1969 and only had four 'nodes' or workstations connected to it. In October 1980, the system came to a crashing halt. The systemic meltdown was found to be caused by the accidental distribution of a virus. This is the first known occurrence of a computer virus, albeit accidental.

The first evidence of hackers infiltrating a computer system was discovered in 1986 by a network manager following up an accounting error at the University of California.

Two years later, the first internet worm program was unleashed. The worm replicated itself to more than 6,000 hosts and brought almost the whole network to a halt. As computer systems were getting more complex, criminals started to find ways to make money from penetrating them.

Citibank customers were stung for US$10m in 1994 after a group headed by Russian hackers transferred the money out of customers' accounts. Eventually Citibank was able to recover almost all of the money but the event heralded the days of large-scale, financially motivated attacks on the world's banks.

Viruses evolved into worldwide epidemics in the late 1990s. Arguably the most significant of these is a virus called Melissa. Unleashed in 1999 by computer programmer David L. Smith, Melissa spread faster than authorities could follow and wreaked damage all over the world. Smith was eventually jailed for 20 months and fined US$5,000.

The past decade

As these attacks became bigger and more costly to businesses and government, organisations were forced to take notice and invest more resources in network security. This coincided with the prevalence of technology spreading from the workplace to the home.

As senior managers and administrators began to understand the nature of the technology they were dealing with, they became more willing to designate resources to creating efficient and effective systems.

J.P. Hill III, who has managed network security for the US Mint and International Monetary Fund (IMF), says that prior to the turn of the century, security was seen as an expensive after-thought that showed no real tangible value.

"The biggest change for network security in the past decade is that security is now being taken seriously," he says. "Now managers realise, if your company is not in the news for a breach then that is the real value."

This recognition has paralleled the rise in privacy concerns among the public. As the ripple that was identity fraud gained momentum until it became a tidal wave, consumers started demanding strict guidelines over the protection of their privacy while online.

This originated with banks, credit card companies and others dealing with personal financial details but has now spread to include any form of information including phone numbers, addresses and even e-mail addresses.

Consumers' migration from dealing solely with bricks and mortar operations to being comfortable doing all kinds of business online was preceded by managers making the decision to take network security seriously. Hill says that there are two main challenges to ensuring network security.

The first is having upper management support the policies and procedures of security that may not be popular with administrators or network users. The second is having those attributes followed throughout the organisation.

"Securing privacy information is most likely the biggest cyber threat to financial institutions," he says.

Hill quotes the Deloitte 2007 Global Security Survey, which identified measures taken by financial institutions to protect themselves against cyber threats.

"Some businesses have implemented privacy policies, some have created formal procedures for complaints about privacy information, and some have started procedures for the destruction of privacy information," he says.

Hill says these tasks deal with the 'ultimate defence' - awareness. He identifies small businesses as often the most vulnerable because the IT responsibilities often fall on one or two individuals. The day-to-day responsibilities of these IT workers sometimes mean that there is little time to concentrate on security.

"The budget for a smaller company may be their biggest threat," Hill says. "Security needs to be a business practice as much as human resources or accounting."

Top priority

ING DIRECT chief operating officer Anne Myers says that security is part of the complete process of development at the online bank. That makes it difficult to separate the cost of security, but each one of the bank's 105 IT staff knows that it is a top priority for the country's sixth largest financial institution.

"I think partly because we've been set up purely as an online bank we have a high awareness of IT security," she says. "It's our business. If our website is down, our business is down."

Myers says that the threats facing the online banking environment are the same whether dealing with mortgages or something like account management. One of the biggest risks is fraud and there are a number of areas where companies are vulnerable.

"There are hackers out there that are trying to get into your applications, so there's quite a lot of steps we take to protect ourselves," says Anthony Sestanovic, head of ING DIRECT's IT security.

The bank has more than $30bn on its loan books and is careful to make sure that its customers' data and its own systems are protected. It uses anti-spyware and anti-virus applications to ensure the integrity of its online systems and make sure it is protected from outside threats.

Sestanovic says that viruses are getting more and more complex and more and more intelligent. They have the ability to make surreptitious changes to online transaction sessions where, for example, the customer may think they are going to transfer $100 but it has been changed to $1,000.

These viruses are located on customers' own computers, so ING DIRECT makes customer education an important tool in maintaining information security. Whereas maintaining its own systems' integrity is a matter of procedure, the customers pose a much easier target for cyber criminals.

"It's the area that it's most difficult for us to control and customer education is really all we can do," Myers says. "We can't make people keep their virus protection up to date so we make sure they're aware of the risks."

ING DIRECT uses the opening page of its internet banking site to talk to customers about network security and what the customers can do to keep their computers safe.

The suggestions include keeping anti-virus software installed and updated, installing a personal firewall and avoiding using public computers for online banking transactions. The bank also has a keypad on which customers can click their identification number. The numbers change position with each log-in attempt to protect against spying software.

One of the more common methods of taking advantage of a customer is known as phishing. This has been around for quite some time and it involves a customer being contacted by e-mail from an outside source pretending to be the financial institution.

There is usually some kind of incentive offered to the customer, who simply has to validate their account details and type in their access code and account number. The information they divulge is then used against the customer for the profit of the cyber criminal. This technique tricks an alarming number of people each year. While the responsibility for secure internet usage and diligence ultimately must fall on the customer, it is the organisation's reputation that is hurt by such breaches, so customer education is an important way of combating such scams.

"We actually subscribe to a service through ING called Cyota, which has drop zones around the world and monitors for this type of thing," Sestanovic says. The security company has a response team that has the ability to take down the sites that are hosting these phishing attacks.

Trojan attacks

Even more devious are Trojans, which inject pages onto a customer's screen while they are online. A customer will log onto a legitimate site and the Trojan that has compromised their computer will inject fake pages into their internet session. These pages are designed to look just like the real thing and only the most discerning customer is able to notice the subtle differences.

"These are very hard to detect unless you look very, very carefully," Sestanovic says. "There could be font changes or underlines or shading differences and that is what shows there's been an injection."

ING DIRECT is quick to point out that it has never experienced these types of attacks but in the world of network security it pays to be prepared for every type of threat.

Myers recently incorporated the chief operating officer role into her position as chief information officer. She has been with ING DIRECT for three years and has overseen the IT operations during that tenure.

She says the bank is protected from cyber threats by the physical infrastructure around the perimeter and the systems in place to protect from external hacking.

"There's quite a complex set of firewalls so there are layers of security in the infrastructure as well as from an application point of view," she says.

How secure is your network?

While every business that has a connection to the internet is a potential target of a cyber attack, too many managers only start thinking about their security precautions when it is already too late. Spending the time now to look at what security measures are in place with your company's network can save a great deal of money and heartbreak down the line.

The first thing to do is look at your IT budget and work out how much you have devoted to making sure your systems are secure. If you cannot identify any security measures that are being taken other than the odd anti-virus software expense then it might be time to turn to a consultant.

ING DIRECT hires people to try and crack into its systems before they go online to make sure its customers are protected once they do go live. However, unless you are a multinational corporation it is not necessary to take those steps to ensure your customers' information is safe.

Even the most sophisticated of computer security systems can be cracked if the attacker is determined enough but keeping security in the forefront of your mind can make sure that your company is not an easy target.

As well as making sure information is secure while it is on your network, it is just as important to be careful of how personal customer information is handled once it is printed out. A discarded form, with a customer's personal information on it, that finds its way into the wrong hands can be just as damaging as a network security breach.