By Geoff Choo
Script kiddies? Worms? Disgruntled former employees? The security risks to your network or your projects may be closer than you think.
Consider some of these statistics.
- Ineffective or nonexistent security policies cost Fortune 1000 companies $45 billion (U.S.) in losses due to theft of proprietary information in 1999, according to the American Society for Industrial Security (ASIS) and PricewaterhouseCoopers.
- A March 2001 survey by the Computer Security Institute (CSI) and the FBI found that 85 percent of U.S. corporations, government agencies, and financial institutions experienced computer security attacks in the previous 12 months.
- The CSI survey also found that 35 percent of organizations reported combined losses of more than $377 million as a result of these attacks.
While most people can’t recite the statistics from these reports and surveys, just about everyone can tell you about several recent, highly publicized virus attacks. Security breaches have received so much attention that it seems as though an IT manager or project manager would never have to make an argument for improving security in the enterprise.
But in challenging economic times, every project receives scrutiny and analysis. As an IT manager or project manager, you may find yourself in the position of having to make a case for a new security initiative. Some managers need budget approval for outsourcing one aspect of network security while others simply need end users to accept tougher in-house policies. If senior management or end users need proof of the urgency of your project, here’s some ammunition. In this article, I’ll outline some of the most common security threats.
Denial of service attacks
In DoS attacks, hackers flood Web servers and networks with sudden and overwhelming bursts of network data, slowing down server performance and eventually crashing the Web site. Unlike a virus or worm, which can cause severe damage to databases, a denial of service attack only interrupts network service for a limited period.
Even an hour of service outage can mean serious losses and angry customers. In February 2000, DoS attacks took down five of the 10 most popular Web sites in the world, including Amazon, Yahoo, and eBay. Yankee Group has estimated that these attacks caused at least $1.2 billion in lost revenues and subsequent drops in market capitalization.
Hackers gain unauthorized access to computer resources to steal data or sabotage systems. According to current research, in early 2001, as many as 210 hacker groups made attacks on about 1,280 Web sites across the world.
While we commonly associate hackers with the image of a professional cyberterrorist, we now know that there are a variety of different kinds of hackers with different motives. Marc Rogers, a Canadian forensic psychology expert at the University of Manitoba, describes one type of hacker: the so-called “script kiddies,” who have little hacking skill. They use other hackers' programs and like to cause malicious damage such as defacing Web sites. Security experts attribute the rise of this threat in part to the proliferation of simple, point-and-click programs that make it easy to exploit known holes in server software. The temporary shutdowns of Amazon, eBay, and Yahoo in 2000 were blamed on script kiddies armed with software they downloaded from the Internet.
Malicious hackers are not the only threats to companies: Disgruntled company insiders like current employees and former workers often represent the most dangerous security threats. They understand the business and how the computer systems work and, more importantly, they have authorized access to network resources and critical company information.
In-house security breaches account for 70 to 90 percent of all security breaches, according to The Hurwitz Group of Framingham, MA. The percentage is probably even higher than that because most insider attacks go undetected. Dennis Szerszen, director of security strategies at Hurwitz, said for every in-house attack reported, as many as 50 go unreported or undetected.
"The majority of high-value breaches—those costing $250,000 or more—are perpetrated from the inside," said Frank Prince, senior analyst at Forrester Research, "because insiders often know how and where to access the most valuable data."
Viruses and worms
Virus and worm attacks cost businesses up to $17.1 billion in 2000, according to Computer Economics, an independent research firm based in Carlsbad, CA. The costs incurred include cleaning viruses from computer systems and networks, restoring lost or damaged files, and lost productivity of workers caused by system outages and downtime.
- Computer Economics estimates that the Code Red worm and its variants have infected 760,000 servers worldwide to the tune of $2.05 billion in system repairs and lost productivity.
- The Love Bug attacks, including the 50-plus variants of the virus that rampaged through systems worldwide in May 2000, have cost businesses up to $8.7 billion in lost productivity and system repairs.
Physical threats and break-ins
All your firewalls, virus scanners, and encryption measures are useless if a malicious individual gains unauthorized, physical access to your premises and destroys or steals computing equipment, including all the valuable project data contained within.
Sometimes, data thieves don't even have to break into the office. Portable computing and information devices like laptops and PDAs make it easy for your remote team members to touch base with your project and exchange files, plans, and information. But this portability also makes these devices easy targets for data thieves, especially at conferences and in airport lounges, where a moment's inattention can give thieves the chance to walk away with your equipment and gain easy access to all the confidential information stored on the portable machines.
The situation gets a little more critical if your machines are set up to access corporate networks via a remote dial-up or virtual private network (VPN) connection: The data thief is potentially only one click away from all your project secrets, since any password mechanisms you have can be easily defeated by the plethora of password-cracking tools available on the Internet.
Information is power
Contrary to what many people may think, Internet security isn't the sole responsibility of the IT staff. You can't simply throw inexpensive firewalls and antivirus software at the problem and hope that everything will turn out for the better. Effective security requires a comprehensive, holistic policy. By presenting a strong case for improved security, you’ll increase the chances that your security initiative will win the needed approval.
Geoff Choo is an independent Internet consultant and freelance technology writer. He is the editor of a newsletter on network security for E*MAZE Networks, a provider of advanced network security solutions. He also edits another newsletter on the Internet economy.
This article was originally published on Sept. 24, 2001.