BOSTON—Gathered in the subterranean confines of a decommissioned vault in the basement of the Boston Stock Exchange, a panel of IT security experts told the assembled crowd that short of locking all their proprietary information in such a contraption, there may be little hope for securing their data.
Brought together on May 12 for imaging giant Xerox's 2006 Security Summit, the group of technology, intellectual property and law enforcement specialists painted a dreary picture of the current state of information security in enterprise companies, and even U.S. government agencies.
Their warnings and anecdotes left little doubt among attendees that much work remains to be done in fighting the growing threat of so-called cyber-crimes.
Among the perils that stalk enterprises and seek to spirit away their trade secrets, customer information and money are a new breed of organized criminals, a lack of proper tools for detecting the most advanced forms of computer attacks, and legions of unsuspecting workers who leave their employers' most valuable information assets available for the taking.
One of the fastest growing areas of IT-related felonies is trade secret theft, carried out by everyone from legitimate businesses to electronic crime syndicates and even foreign governments, said Craig Morford, the first assistant U.S. Attorney for the Northern District of Ohio.
“Five or ten years ago companies recruited one of your employees to steal data, and it's much scarier to think that today someone doesn't even need to break into your building to get the same information,” he said.
“There's a twenty-something-year-old guy in the Ukraine in a run-down apartment who is entering your company where the information is kept so he can sell it, and this sort of thing is happening on a regular basis.”
Morford, who has won national acclaim for his work fighting both traditional organized criminals and emerging cyber-criminals, said that people who formerly sold stolen credit card accounts have advanced their operations into “eBay-like” businesses where they instead market malware such as polymorphic virus code to others, who in turn use the code to carry out their own schemes.
The attorney said that it may be even harder to trace the reach of such criminals since, unlike the Mafia of old, those individuals specializing in IT attacks are able to hide themselves behind layers of technological barriers and often work together with large numbers of people they have never even met, who may be spread anywhere around the world.
“We're seeing the growth of a large number of criminal entities targeting U.S. organizations for cyber-crimes, and it's sort of like the atmosphere around organized crime here in the U.S. in the 1950s, as it seems that we're only just scratching the surface of this type of activity,” he said.
Among the recent examples of such attacks that Morford and other experts highlighted was a failed attempt by one hacker to extort $200,000 from financial news giant Bloomberg.
The 22-year-old individual, who hailed from Kazakhstan, was reportedly able to break into the company's network and steal the account information of some of the firm's largest customers, as well as the detailed personal information of founder and New York City Mayor Michael Bloomberg, including his address and Social Security number.
While the plot was foiled when the FBI arrested the hacker in London trying to accept his ransom, said Morford, it stands as evidence of the type of sophisticated attack that can be launched by one individual alone.
In an even scarier scenario, Dan Verton, executive editor of the monthly newsmagazine Homeland Defense Journal, described how security workers at an unnamed government agency caught an employee communicating with outsiders via the organization's IT network.
The worker was reportedly communicating with other people regarding plans to support the Middle East-based terrorist group Al Qaeda, which is believed to be responsible for the attacks of September 11, 2001.
Adult Content and Spyware
One of the greatest information security threats to U.S. enterprises remains workers' illicit viewing of adult content on their work-issued PCs and laptops at home, and then unknowingly carrying the spyware programs they contract on such sites back into their company's operations.
“Companies are suffering under the weight of adult content as employees are opening enterprises to boatloads of spyware that's capable of stealing information,” said Verton, who has also authored several books on IT security.
“The truth is that most businesses really have no confidence regarding where exactly their proprietary data is secure at any time, and it's getting harder to differentiate between internal and external threats.”
The internal threat is one of the biggest challenges facing IT departments because it is becoming easier for people to download information onto mobile devices, send out data via obscure network ports and transfer physical documents into electronic files and images, the experts said.
As a result of the insider threat, companies are struggling perhaps more than ever before, said Mark Halligan, principal attorney at the Chicago-based law firm Welsh & Katz, which specializes in intellectual property law.
To demonstrate the ease with which people can plug devices into corporate networks that allow them to walk away with gigabits of stolen information, the attorney showed off his wristwatch which featured a USB connector and onboard memory.
“This whole concept we have of the security perimeter has disappeared; it's more about where your critical data is being protected at any given time,” Halligan said.
“Companies lack the technical capabilities to ensure that employees, good and bad, can be effectively monitored. IT is the vehicle for distributing these assets, and you won't know that you've been fleeced until you get to a trade show and your next big product is already there.”
While the experts contend that the pressure on enterprises' network defenses shows no sign of abating, and in fact is likely to increase, they agreed that most companies must begin aggressively distributing and enforcing IT security policies, and holding workers caught breaking the rules more accountable.
When someone is caught circumventing internal procedures, firms should strongly consider terminating those employees to protect themselves and send a message to other workers, they said.
On the flip side of the coin, enterprises may consider rewarding workers who openly promote adherence to company guidelines to foster an atmosphere where the rules are respected, rather than resented, said the industry watchers.
While workers may not like that their actions are being tracked in the workplace, and that they must hand over some level of privacy on the job to allow for better data protections, the benefits of more pervasive IT systems monitoring outweigh those concerns, the panelists said.
“You have to adopt a system where you can trust your workers, but where you frequently verify their identification and intentions,” said Verton.
“Don't be too concerned that you're going to make people uncomfortable; if you help them understand that their livelihood, and their paychecks, are directly tied to protecting your data, they will get it.”