How Safe Is Your Vital Data?

Anyone using a computer within the last few years has heard of a succession of disabling viruses and defaced web sites. "I Love You", "Melissa", "Red Worm" and the defacing of such well-known web sites as those of the CIA, Road Runner, Microsoft and NASA have raised awareness of the need for vigilance in protecting our computer assets. These are the disabling attacks, where the victim loses a hard disk or customers, or gets calls from angry friends who were gratuitously infected by a virus-laden email. As bad as these symptoms are, the greater danger may be an infection with no symptoms at all. The reality is:

- Even protected computer systems are subject to attack.
- Under a determined attack, most computer systems can be compromised.
- There is heightened exposure to attack from insiders, especially those with system responsibilities.
- The most damaging attacks can be those where the existence of the attack is hidden.
- There is potential legal liability for having a vulnerable system.

Almost all computer infections are due to computer vulnerabilities, "Trojan horses", or a combination of the two. Over the years, computers and common programs have been found to have "vulnerabilities": features that could potentially be used by other parties to the detriment of the computer. Not all systems are equally susceptible, but in congressional testimony one research center said it expected to generate well over 2,000 vulnerability reports by the end of 2001. Clearly there is a wealth of possibilities for a "hacker". Many of these vulnerabilities can be exploited without the computer user's knowledge or cooperation, allowing a computer with a network interface to be controlled through commands sent over the network. A "Trojan horse" is an innocent-looking program containing hidden code that exerts some unwanted control over the computer. It requires the cooperation of the computer user, who must run the program.
Often the Trojan horse exerts its control by utilizing some vulnerability in the computer, as when merely opening an innocent-looking Word document activated the Melissa virus, when opening an Excel or PowerPoint document malformed in a particular way allows corruption of the computer without any notification, or when simply reading an email installs the BubbleBoy worm. Trojan horse programs look like any other game, utility or message, and can only be recognized as dangerous by reputation or by some feature caught by a virus-scanning program.

Automated programs, called "scanners" or "probes", have been written to search for vulnerabilities or corruptible configurations. As a research project, one group put a set of eight ordinary-looking but highly monitored systems on the Internet and did not advertise their presence. Over a one-month period these systems averaged seventeen scans each day. An ordinary Windows 98 system like those used in many homes and companies suffered five successful attacks in four days. The automated programs for scanning, compromising, and extracting information from a computer are easy to use and freely traded within some computer communities. Congressional testimony showed that while the sophistication of computer attacks has been increasing each year, the computer knowledge required of the intruders has actually been decreasing each year because of the wide availability of automated hacking tools. Reports of young computer operators who entered supposedly sophisticated systems are legion, such as the case of a 14-year-old who had been hacking since the age of eight and who used his home computer to enter an Air Force satellite-positioning system and crack at least 200 companies. This means that those capable of attacking you are a larger percentage of a growing Internet population.
Within companies, employees who wish to look deeper into their own networks start with the advantages of physical access to the computers, knowledge of the system and possibly an incentive. Thanks to the automated hacking tools, a larger percentage of your employees is now capable of attacking your system. Inside attacks are also a problem if a company has any computer connected to a modem, has disgruntled former employees who may have corrupted a computer before leaving, or has employees who bring in floppy disks or laptops that have been connected to other systems. The situation is worse when the intruder has intimate knowledge of, or responsibility for, the system administration. About twenty percent of the federal prosecutions for computer intrusions involved system programmer employees, IT administrators, or employees with administrative-level access to the computer, even though these should be the intruders hardest to discover.

One would think that the larger companies would be on top of this situation. According to the 2001 annual "CSI/FBI Computer Crime and Security Survey", with responses from 538 computer security practitioners in mostly large U.S. corporations and government agencies, only one quarter of the respondents thought that within the last year they had experienced no unauthorized use of their computer systems. As Figure 1 shows, this is in spite of the widespread use of protection measures within their systems. It is important to note that in this survey about two-thirds of the respondents who had experienced computer intrusions did not report the damage to law enforcement, mostly for fear of negative publicity. Another interesting figure from the CSI/FBI survey was the estimated loss reported by those who could quantify it. For theft of proprietary information, financial fraud and telecom fraud, the average losses were estimated to be $4.4 million, $4.4 million and $0.5 million, respectively.
Unlike the more publicized virus attacks, which are purely destructive, these were attacks for the financial gain of the attacker, and they represented about two-thirds of the annual losses. While the disruptive attacks get more press, the stealthy intrusion into company files is much more damaging. Short of disconnecting and locking up a computer, the security of a computer and its data cannot be guaranteed. On October 27, 2000, Microsoft reported that its system had been hacked and some of its source code exposed. It has been reported that the intruder went undiscovered inside the system for at least two weeks, using a "Trojan horse" imported through an employee's home system. The source of the attack was in Russia, so prosecution or tracking of the perpetrator is unlikely. In August, two former Cisco employees pled guilty to charges that they "exceeded their authorized access to computer systems at Cisco" to fraudulently transfer approximately $7,868,637 in stock to their own accounts.

Areas of legal liability that could attach to computer intrusions include privacy violations from the disclosure of confidential information you have collected, damages to outside parties resulting from the unauthorized use of your computer, and contractual damages from the disclosure of other companies' proprietary information in your custody. The U.S. Federal Trade Commission states that companies should take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. The E.U. has raised this to a legal requirement for those American companies with a European presence. Negligence liability for privacy invasions requires a foreseeable threat and the lack of a "reasonable" response to the threat. As has been shown, the threat of unauthorized intrusion into data is certainly foreseeable, so the issue is the reasonableness of your protection against the intrusion.
It is questionable whether the failure to protect unencrypted data against a known vulnerability with a known cure is "reasonable". Often the theft of private information, such as customer credit card numbers, has been followed by a demand for extortion money in return for not publishing the information. A similar negligence issue is present when a lack of computer security allows an attacker to hijack a computer and use it, for instance, as a participant in a denial of service attack on a third party's computer. In addition, a company's duty to protect information under most nondisclosure agreements is at least a "reasonable degree of care"; if the company is negligent in its own security, the standard it owes to the other party's information is higher than the one it applies to its own data. Another uncertain question is a company's liability for negligent disclosure of information that the SEC requires to be kept confidential. The computer owners can claim they were the victims of a malicious attacker, but that argument may fail when a sympathetic jury chooses between an unknown computer in Bosnia and a "deep pockets" corporation.

An interesting new wrinkle is the EU Convention on Cybercrime, signed on November 8, 2001, which prohibits the possession or use of hacking tools, industrial espionage and interfering with another's computers. This convention includes a provision for civil, criminal or administrative corporate liability where "the lack of supervision or control" of an employee allows the commission of these cybercrimes for "an economic benefit for oneself or for another". When this law is implemented, companies that have hacker employees may face corporate criminal or civil liability, raising the possibility that traffic out of a corporate network should be controlled in addition to the inbound traffic.

The first step in protecting your information is to ensure that all the latest patches for your software are installed. For programs such as Office 97 that are no longer tested for security vulnerabilities, there appears to be no solution but to upgrade. Install and use a virus detection program and ensure it is regularly updated with the latest virus signatures. Within an organization, most security analysts support a layering of security in which everybody gets a minimum of protection, but particularly sensitive computers and subnets are given greater restrictions and enhanced protection. Just as financial audits verify the integrity of the financial system, organizations should consider outside computer security audits to monitor the integrity of their information systems.

We cannot live today without our computers. We need to understand that this tool is not the same as the filing cabinet of several years ago. Our information is now potentially exposed to about 120 million computers around the world. It behooves all of us to work to ensure that our privacy is protected. (See Figure 1 Below)