Stepping Up the Effort to Beat Cyber-Crime

Opinion: It's not enough to rely entirely on self-defense. Legislation and law enforcement must serve as weapons in the battle.

Deep inside, we all realize that the battle for secure computing will never be over. Still, the price that must be paid to keep our data safe and our e-businesses operating can seem daunting. Once weve succeeded in protecting ourselves from one threat, another emerges, requiring diligence, creativity and expense to combat.

In the latest escalation in the game of cyber cops and robbers, it is now clear that security breaches are no longer the exclusive domain of teenagers with time on their hands. Instead, sophisticated bot attacks are being carried out by organizations with ruthless, mafialike methods.

/zimages/1/28571.gifThe hunt intensifies for the botnet command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers. Click here to read more.

As has been reported by Ryan Naraine in eWeek, the use of sophisticated programming techniques to create botnets, the use of organized-crime-style money-transfer methods and the threat of violence are a significant departure from security breaches of the past. This new wave of cyber-criminals will be much harder to track, arrest and prosecute than were the lone misfit hackers of old.

Whats to be done? First, its your duty to implement the strongest appropriate security measures. Start with a system lockdown approach, restricting users rights and permissions.

Because the use of botnets suggests defense measures that focus on e-mail and instant messaging vulnerabilities, a secure e-mail gateway that can defend against viruses, spam and phishing attacks should be high on your list. You also may want to deploy token-based identity management.

But its not enough to rely entirely on self-defense. Legislation and law enforcement must serve as weapons in the battle. Congress is considering several measures, among them the Personal Data Privacy and Security Act of 2005.

This bill contains many measures that will help, including increasing criminal penalties for computer fraud involving personal data, invoking RICO (Racketeer Influenced and Corrupt Organizations) Act provisions in cases of unauthorized access to personal information, and making it a crime to intentionally conceal a security breach involving personal data.

The bill also will let individuals access and correct personal information held by data brokers; will require the holders of personal data to vet third parties hired to process the data; and will limit the buying, selling or displaying of a Social Security number without the individuals consent.

No one wants to live in a cyber-police state. We believe these provisions strike an appropriate balance between taking a tougher stance and allowing us to enjoy essential freedoms.

Above all, you must realize that security work never will be finished and spread that knowledge throughout your organization. As an IT professional, the ongoing nature of the security battle may be clear to you, but have you made it clear to your company?

Educating users on basic security measures is a never-ending task. Advocacy for funding to ensure the security job can be done and done right is a basic part of your job.

As the sophistication of attacks increases, one thing is clear: Ease up for one minute and your company and its customers stand to be the next victims.

eWeeks Editorial Board consists of Jason Brooks, Larry Dignan, Stan Gibson, David Morgenstern, Scot Petersen and Matthew Rothenberg.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.