Businesses Battle Growing Plague of Hackers

SPECIAL TO THE TIMES

Something was very wrong with Corporate Health Systems’ computers. Processing had slowed to a crawl. Employees at the Hopkins, Minn., firm couldn’t print documents, change screens or even move their cursors without enduring long delays.

“We thought there was a bad network card,” said George Vander Weit, vice president of operations.

“So we called in a consulting company, and they ran some tests. But they couldn’t find anything. They’d never seen anything like it,” he said.

Then Vander Weit found the problem: A hacker had broken into CHS’ network and installed a software program that enabled him to hijack the system.

“Our computers were being used to do advanced mathematical calculations to help the hacker crack security codes,” Vander Weit said.

Stopping the attacks proved difficult. Each time CHS employees deleted the “malware,” the hacker broke into the network to reinstall it. Only after the firm installed a hardware security device, in this case a WatchGuard firewall, did the hacking finally cease.

Security threats to businesses’ computer systems are increasing. The number of hacking incidents reported by corporations hit 21,756 last year, according to Carnegie Mellon’s CERT Coordination Center. In 1999, 9,859 hacking attacks were reported.

Once inside a company’s computer network, hackers can do considerable harm.

They can destroy databases, steal trade secrets, wipe out hard drives and publicize a company’s confidential client information. They can halt e-commerce through “denial of service” attacks, deface Web sites, commit financial fraud and masquerade as merchants by redirecting unsuspecting customers to fake Web sites.

From remote locations, hackers also can convert a PC into a listening post and record executives’ conversations. They can use Trojan horse programs such as “Back Orifice” to manipulate company PCs via the Internet.

“You’re facing a lot of very bright people,” said Kevin Grumball, a former hacker who’s now chief executive of Actinic Software in London.

And you’re battling legions of not-so-bright ones, too.

A growing number of “script kiddies”--novice hackers--are using pre-written hacking programs and tools to do their mischief.

“It used to be that you had to be very knowledgeable to attack a system,” said Rob Clyde, chief technology officer of Symantec, an Internet security firm in Cupertino. “Now you don’t have to be a guru anymore.”

In one recent study, Symantec counted “more than 30,000 Web sites filled with hacking tools,” Clyde said.

Some company executives mistakenly believe that, because their firms are not well known or involved in online financial services, they are unlikely to be victims of cyber-attacks, said former FBI special agent Jim Williams, who is now director of security solutions for S3/Networks in Chicago.

But that’s not so.

“The people who do these things don’t search for a name, they search for a vulnerability,” Williams said. And they sometimes do so using programs that enable them to scan hundreds of machines for such security breaches.

Protecting your company’s computer network is not impossible, though. Most break-ins occur because of simple oversights, Clyde said.

Savvy Companies Do Their Homework

Savvy firms can minimize their risks by conducting vulnerability assessments, choosing experienced security personnel and establishing--then enforcing--security policies and procedures, said Brian Griffin, director of forensic technology at Investigative Group International in New York.

First, recruit responsible, experienced network administrators, consultants and in-house security officers, experts advise.

Should your firm not have recruiting personnel knowledgeable about technology and security concerns, consider hiring a security consulting company to screen applicants, suggested Aviel Rubin, principal researcher at AT&T Labs in Florham Park, N.J.

“Administrators have access to everything,” Rubin said. “You really have to look at them carefully.”

Run background checks on any individuals who will be given privileged access to your company’s computer systems.

Think twice before hiring self-described “reformed hackers”--even as consultants, some experts suggest.

“You can’t trust those people,” Rubin said. “It’s like hiring a security guard who is a felon.”

If your firm lacks the resources to properly conduct around-the-clock security monitoring, consider farming the job out to a qualified managed security provider.

Security personnel should conduct regular penetration tests to search for vulnerabilities and keep abreast of software upgrades, updates and patch installations, especially for popular programs such as Microsoft Office, Microsoft Internet Explorer and Netscape. Remember, hackers read security bulletins and vendor releases about program flaws, too.

Firms with lax security are easy prey for what experts call “social engineering” crimes, the oldest form of hacker attacks. In these schemes, individuals assume false identities (as utility workers, telephone repairers, delivery persons, or computer technicians) to dupe employees into disclosing their passwords and other confidential information.

Some hackers even take temporary positions on night cleaning crews so they can browse files, rummage through trash or implant devices to gather information.

To combat such trespasses, instruct employees to report unfamiliar visitors and refrain from typing their passwords and other confidential data when others are nearby; “shoulder surfing” is a favorite ploy of on-site hackers. Company telephone and communications closets should remain locked at all times, too.

Employees also should be told to never divulge passwords (even when asked by a network administrator). They shouldn’t keep “password reminders” on monitors, under keyboards or in their drawers. Under no circumstances should employees select easy-to-guess passwords such as their name or the name of their child, spouse, pet or car.

Whenever possible, encourage employees to create seven-character passwords, consisting of uppercase and lowercase letters, numbers and punctuation. Such passwords prove daunting to hackers; they can take months to crack. Conversely, short four-letter passwords, composed entirely of lowercase letters, can be cracked in a few minutes. Hackers sometimes employ “dictionary attacks”--running programs that try every word in the dictionary--to crack passwords.

One solution to password management problems is what’s called “two-factor authentication.”

Employees are given security tokens that display periodically changing information that must be typed during log-in. The employees then type their own password to further authenticate their identity.

Firewalls Are Only a First Step

Unfortunately, many executives believe that, once they’ve installed security devices such as firewalls and anti-virus software, their network systems are safe. Far from it.

Firewalls--which limit access to a computer or network--are only a first line of defense for network security. They are not impenetrable. About 30% of major corporations that use firewalls are successfully hacked, according to the Computer Security Institute.

Companies should regularly test their firewalls with probing tools, and upgrade their defenses when necessary.

Anti-virus software, which searches hard disks for recognized viruses, isn’t fail-safe either. New viruses (which the software cannot yet detect) are unleashed daily.

And clever crackers can sneak infamous ones such as ILoveYou, Melissa, Anna Kournikova and Naked Wife past the programs by compressing the viruses’ file size, or by using tools called “binders” to attach the viruses to legitimate programs such as animations or e-greetings, said Dave Kroll, director of security for Finjan Software in San Jose.

One way network administrators can tackle these problems is by using what’s known as behavior-blocking, or “sandboxing,” software, which prevents viruses that elude other safeguards from performing unauthorized actions.

Administrators also can install intrusion detection systems to signal alarms when a break-in attempt is suspected, and block or expel intruders.

Firms that permit employees to access their networks from remote locations should consider tightening security by building a “virtual private network.” The VPN, coupled with firewalls, establishes a secure “tunnel” over the Internet that runs from the employee’s access point to the company network.

Even with the best security defenses in place, companies’ networks and intellectual property still may be vulnerable to insiders.

“Insider threats are the worst threats, but that’s also the area we know the least about,” Rubin said. “There is very little you can do to [protect against] a malicious insider who already has the keys to the castle.”

The ‘Rule of Least Privilege’

Companies should establish incremental security levels for employees, limiting their database access to what’s absolutely needed for the performance of their jobs. This is called the “rule of least privilege,” Rubin said.

When employees leave their jobs, network administrators should immediately disable their accounts.

Employees who have been informed that their positions are to be eliminated also should be given restricted data access, said Parag Pruthi, chief executive of Niksun Inc., a computer forensics and networking company in Monmouth Junction, N.J.

“That is the most likely time when they will do something,” Pruthi said. “There are some who may go to a competitor and say, ‘I can be a superstar if I go over with that [confidential] information.’ ”

Creating a secure network requires continuing education, monitoring and maintenance.

“We all know we don’t have a foolproof security system on the Internet,” Pruthi said.

“On the other hand, the world is pushing us to put everything online for access. So we’re going this way and the security technology has not caught up.”

And remember: Hackers are waiting for you to slip up.

“It’s a constant, never-ending battle, like the lion and the gazelle, or the cobra and the mongoose,” said Ted Claypoole, an information security attorney with Womble Carlyle Sandridge & Rice in North Carolina.

“Security is a process. Security is not a result.”
