Once, thieves only burgled your safe. Today they break into your computers, say Phil Sealey & Yag Kanani.
Inside information on new products or takeovers can be very valuable to the right people. During takeover or merger talks, the right piece of information in the wrong hands can make or break a deal. Data about your clients is always useful to a competitor. Clinical trial data is almost priceless, especially where a pharmaceutica company has spent years perfecting a drug and millions o pounds on testing it, and there are disreputable rivals who might be tempted to acquire the chemical composition and production method of the new wonder drug and pass it off as their own. Even where data theft is unlikely, opportunities exist for unscrupulous competitors to damage your reputation and trade by attacking your electronic links to the outside world.
Before the explosive growth of the internet, companies could secure their IT systems within the confines of their buildings. Any connection to the outside world was strongly protected. But in the internet age, high speed connections using open protocols usually provide the external connection. This link enables hackers to gather sensitive material for sale to interested parties. There are stories of hackers who gather information from target companies for a price - a kind of high tech illegal research business.
Companies routinely place their internet site on the same network as their internal systems, relying on firewalls to keep out the bad guys. Unfortunately, the bad guys generally know ways around these firewalls. Using weakness in the controls or systems behind the firewall, hackers can enter company systems and copy sensitive data or manipulate information.
Distributed attacks
There are software tools readily available on the internet that can bring a company's web site to its knees. They work by sending messages to a server which will try to send back a response - usually to a system that doesn't exist - and wait for a confirmation. The tools then send another message, and the same thing happens. They repeat this several thousand times a second. Gradually, more and more of the server's time is taken up in dealing with the messages and waiting for confirmation. Eventually, the server is doing nothing other than dealing with this purposeless traffic.
As well as tying up the server, all these messages use up the network bandwidth. This stops any valid messages getting through. The attack tools can be set up to come from several hundred computers in such a way that your server is receiving these bamboozling messages from 20 or 30 different directions.
These Distributed Denial of Service Attacks (DDoS) can be used to prevent a company displaying its wares on the internet and to stop it carrying out vital business. It is an easy form of blackmail. The criminal puts all the systems in place and then makes a threat, probably carrying out a deonstration attack, just to prove he means business. If the company doesn't pay up, a full blown attack is triggered, causing it to lose credibility and the ability to function.
This can be doubly damaging during critical periods of a company's business. If the company is a reseller over the internet, such attacks effectively shut it down until they cease or are traced and stopped. The result is a substantial loss of revenue.
Data theft
Then there are the hackers who electronically penetrate companies and glean vital information from their systems. They do this either by attacking from a remote location or by getting a job and working on the inside. The advantage of this is that the defences are more easily breached. People leave passwords lying under their keyboards, use obvious passwords, or can be watched while they type them in. It also means that the hacker is operating inside the firewalls, by-passing a major level of security.
One example of how information can be stolen from a company is the case of the cleaner who found himself with large gambling debts. The gambling consortium to which he owed money gave him the option of paying it off by agreeing to hack into his employer's system. The consortium trained him in hacking techniques. The cleaner would clean the offices at night, at which time he had unlimited access to the company's computers. He applied the knowledge he had been given, hacked into the system, and made fund transfers to an offshore company set up by the gambling consortium. The theft was only detected by a random check on payments being made. However strong your firewall defences are, internal security and procedures have to be equally secure.
What can you do?
There are a wide range of risk indicators in company systems. Give priority to looking at these. First, you should
check to see if an attack has already happened. All firewalls and network servers have the facility to log the activity on them. You should review these logs periodically for unusual patterns. This can be a major overhead, but you can save time by using automated data mining tools.
The key to performing this analysis on an automated basis is synchronised system clocks. Unless all the systems in the environment tell the same time (to within 10-20 milli seconds), it will not be possible to accurately correlate the data. You should review the amount and type of logging on a regular basis to see how much is still appropriate and what may be missing.
Next, you should review the company firewall. When was it last checked? Has the software been updated at all and, if so, what effect has it had? Are you using some form of trusted operating system? Have you had it tested by independent means, ethical hackers or penetration testing? Internal IT departments can be too close to their own systems to carry out a really thorough testing of the resilience of the security set-up.
You also need to consider your employees. What form of due diligence have you carried out on them? Are you certain that they are who they claim to be? If you are putting any staff in positions with access to sensitive data, you need to go through their CVs thoroughly, and corroborate what's there.
It is not unknown for companies to employ people in sensitive areas with access to networks controlling fund flow, without any form of background check. For example, one company employed an IT consultant, knowing nothing about him but his name. Even this was spelt incorrectly. When they found that he was breaking passwords on the main finance system, they lost time just trying to find out who he actually was and where he lived.
Network security should be next on the agenda. Look at the access rights of all users. Are they appropriate to the individuals and their functions? Who is able to gain access to sensitive material? How many modems do you have attached on your internal company network? They provide an instant back door that by-passes the firewall security.
Finally, a response plan can prove invaluable should the worst happen. When a company gets hit by an incident, it can lose time getting hold of the right people and deciding what to do next. This wastes valuable hours in the early stages of an investigation - hours that would be better spent protecting the evidence and searching for the perpetrator. Your response plan should include a list of people who could aid the investigation process, as well as the steps needed to protect the data and the company. You should test and revise the plan regularly to ensure it keeps up with staff changes and new threats.--
Phil Sealey is senior manager for Deloitte & Touche's forensic consulting practice, e-mail: phillip.sealey@deloitte.co.uk , and Yag Kanani is partner in charge of Deloitte & Touche's secure e-business practice, e-mail: yag.kanani@deloitte.co.uk .
