How individuals and businesses need to be on their guard against criminal attacks on their IT systems
In the modern business environment, information technology (IT) has become an essential for success, perhaps even survival, in the free market. The realisation of the global electronic marketplace which reaches millions of homes and businesses, instant worldwide communication such as email, and the immense labour saving advantages of IT, are all taken for granted in 2005.
But, as our level of dependence on IT has increased in the last two and a half decades, so have the risks inherent in using it. Consider this. The first “virus” in the computer sense was released into the wild in 1986, and propagated by floppy disk. Today, hundreds of computer viruses and “Trojans” (electronic attacks which hide a malicious payload behind apparently legitimate programs) are released every year, spreading rapidly across the globe via the internet.
Some viruses are released for mischievous purposes, like the one last year which caused infected computers to speak threatening messages to the user via Microsoft’s Speech Engine. More disturbingly, some are released by organised crime groups in an attempt to extort money from those online businesses whose websites they will bring down using electronic attacks carried out by vast armies of infected computers.
So how safe is your computer? And how safely are you using it? Knowledge is power, as they say, and it pays to become educated on the basics of IT security in the workplace so that you can lessen the ever increasing risks to yourself, your business, and your clients.
There are two main aspects to using a computer system safely and securely. The first is the physical state of the system itself, and will be dealt with typically in the business environment by dedicated or trained IT personnel, either on-site or on a contractual basis. Issues they will deal with include the physical security of the components of the company network, keeping operating systems and software up to date, and correctly deploying firewalls, anti-virus and spyware software and employing encryption where necessary. The typical approach is to decide which data on a company network need to be secured and how best this may be achieved. The vast majority of business users need not overly concern themselves with these issues due to the presence of the aforementioned dedicated staff.
The second aspect concerns the end user. By taking simple practical steps, the risks associated with IT use can be significantly reduced. For example, do you have one password for all of your systems? Should you perhaps use more than one? And do you change them regularly? Can they be easily guessed by someone who knows a little bit about you?
The main threats to the computer user from the criminal element are those of identity theft (known in the online world as “phishing” for personal or company details), misappropriation of data (such as personal or company documents), and compromise of a computer system so that it may be used without the owner’s knowledge to facilitate further crimes such as electronic extortion or sending vast amounts of spam emails.
Phishing attacks continue to increase in number month on month, with even the smallest financial institutions facing attack. The traditional modus operandi for these crimes is the sending of a spam email to thousands of email addresses which purports to be a genuine email from such an institution, and requesting that for some reason or another customers of the organisation subject to the attack follow some web link to enter their secure details so that their account may be protected/kept alive/upgraded etc. The email will look genuine to the untrained (and increasingly to the trained) eye, and any website employed for the collection of details will similarly be constructed so as to appear to be genuine.
The weakest link
These attacks are now becoming more sophisticated and bring with them the question of who is ultimately responsible when you or your customers respond to such a request and enter details which lead to their identity theft or the loss of monies from a bank account. Customers are the weakest link here, and a balance needs to be struck between making your services attractive to the end user, whilst continually educating them on the dangers of responding to unsolicited emails and the like. Nevertheless, if your organisation has a website which, through poor security, allows itself to be replicated easily, does the responsibility shift toward the organisation?
Do you use email to transmit critical business information? If you do, consider employing some form of encryption, or better still, alternative methods of transmitting these documents. The fax remains a popular fixture within the modern office, and there are several courier companies vying for your business. Email is the rock on which the modern internet explosion has been built, but it is not inherently secure. Whilst it is considered perfectly adequate for standard business and personal communications, if security is a concern the sending of business-critical or personally sensitive information should not be carried out as a matter of course using a standard email system.
Each of the threats to IT security mentioned above also impacts on the use of the email system by default, through the replication of passwords across the board by users, the unwitting compromise of their machines by a virus or Trojan program or through sophisticated, albeit rare, data capture techniques.
Invasion of the bots
Viruses, and their malicious sisters Trojans, were highlighted at the beginning of this article and these remain a huge threat to business continuity in the new millennium. Their payload can often be destructive and costly to remove and their ultimate goal may be sinister indeed. The typical goal of a malicious Trojan is to compromise a computer system, and make its data or its computing facilities available to an attacker, usually without the knowledge of the user. The rise of “botnets”, vast armies of computers infected with Trojans, has led to a worrying culture developing in the underground world of e-crime. Many bot herders (“bot” is the term commonly used to refer to an infected computer used by an attacker to facilitate computer-enabled crime) will now trade their botnets at the drop of a hat without any thought for the moral issues surrounding their use.
The presence of a network of hundreds or thousands of compromised computers available on demand to do the bidding of a criminal element is a worrying, and increasingly common feature of the modern internet. Such botnets can be used to send vast amounts of spam email or to carry out a “Distributed Denial of Service (DDoS)” attack by flooding a website with simultaneous requests for data, causing the computer hosting the website to crash under the resultant load.
It may not take much for a bot herder to rent out his botnet, with cold hard cash a pretty big incentive for those involved in virus writing or deploying Trojans. Organised crime groups across Europe and the wider world are making use of these virtual weapons of mass destruction and are targeting lucrative online businesses for DDoS attacks. These attacks are followed by a demand for money in return for the cessation of the attack. Such businesses face the prospect of losing their revenue stream for hours, which they must weigh up against paying any such ransom. Those who pay are inevitably attacked again in the future. Such crime groups are actively recruiting IT specialists at an early age and providing them with luxurious lifestyles in return for them turning their skills to criminal purposes.
The scene constantly changes
IT security is the responsibility of everyone in the workplace who has access to computers, whether on or off site. Professional and experienced IT staff are all very well, but as mentioned non-IT staff are themselves a risk, one which increases tenfold if they are blind to common vulnerabilities or attacks. An effective way to manage this risk is to make sure staff are well informed regarding practical IT security.
An effective, transparent, and regularly reviewed IT security policy can reduce identified threats to an acceptable level; but the policy is only effectual if everyone concerned is aware of their roles and responsibilities.
The IT security landscape changes rapidly, meaning that any policy should be subject to regular review and staff updated accordingly, through effective training where necessary.
Perhaps above all, an important consideration is that IT security should be a blend of effectiveness and subtlety, so that business function is not impeded. After all, it would be very secure to have office terminals automatically logging out users after five minutes of inactivity, but imagine those users’ frustrations and the working hours wasted over the course of a year caused by the need to log in continually.
This is an article about the threats to the modern computer user from electronic crime and by necessity has to spell out the dangers which are out there and which affect us all. However, despite all this apparent doom and gloom, the advantages and necessity of the effective use of IT remain. Effective risk identification and management policies, and user education and awareness, will go a long way to mitigating the threats from e-crime faced by modern business. Only by identifying real-world risks and formulating across-the-board plans to tackle and manage them can the pitfalls associated with a lack of IT security awareness be avoided.
Doing so will ensure the all-important business continuity which is essential for survival, and make using IT a safer, more productive and perhaps even an enjoyable experience for everyone.
DC Scott Barnett is the Intelligence Officer at the National Hi-Tech Crime Unit (Scotland), part of the Scottish Drug Enforcement Agency. He is heavily involved in promoting the Unit’s ongoing commitment to the Scottish business community and regularly speaks on issues surrounding hi-tech crime and IT security from a law enforcement viewpoint. He can be contacted by email at scott.barnett@ sdea.pnn.police.uk .