[ISN] Firms wage electronic war on industrial espionage

From: mea culpa (jerichoat_private)
Date: Sat Jan 23 1999 - 12:56:00 PST

  • Next message: mea culpa: "[ISN] Security elite form SWAT teams to attack viruses"

    Monday 18 January 1999
    Firms wage electronic war on industrial espionage
    Matthew McClearn, Calgary Herald
                                       
    Rachel Niebergal, Calgary Herald / Keyboard Scan
    Office break-ins, corporate hooliganism, industrial espionage and the
    countermeasures game against them are nothing new in the business
    world.
    
    But in the past, such activities might have involved two guys in a
    pickup keeping tabs on the competition using binoculars or diving into
    dumpsters, or a disgruntled employee photocopying important documents
    and mailing them to outsiders.
    
    Increasingly, the war for proprietary information is waged on a shady
    digital battlefield.
    
    "The same things that have always happened are now happening
    electronically," says Mitch Tarr, vice-president of sales at Calgary
    security firm Jaws Technologies Inc.
    
    Because security policies tend to come straight from head office,
    computer security is a particularly important issue in Calgary.
    
    "In the majority of companies in Calgary, we see that their data is
    very valuable to them, and that's reflected in their IT (information
    technology) budgets," says Jaws security consultant Brian Lynch.
    "Securing that (data) is an additional step they need to take."
    
    Sizing up electronic information theft is difficult. Fearing bad
    press, scared customers and concerned shareholders, companies usually
    keep quiet about attacks on their systems -- if they are even aware of
    them.
    
    Further, companies rarely prosecute their attackers -- partly to avoid
    embarrassing publicity, but also because computer crimes are
    notoriously difficult to prosecute.
    
    An American study by the Computer Security Institute and the Federal
    Bureau of Investigations in 1998 found that information thefts
    resulted in losses in individual cases of between $300 and $25 million
    US.
    
    Those attacks cost domestic U.S. firms $300 billion US, and $140
    billion in overseas operations.
    
    "The fact is, corporate espionage or information gathering and
    intelligence is a big business," says John Hess, senior manager at
    KPMG Investigations and Security Inc. in Calgary.
    
    "Fortunately, a lot of corporations are very ethical about how they
    collect it . . . but there are (countries and businesses) that
    actively collect corporate intelligence by any means."
    
    Adds Lynch, "We're seeing more malicious forces like government- and
    business-sponsored hackers. Obviously, they're very organized and
    well-funded. The majority of hacks do come from hobby hackers and
    curious thrill-seekers."
    
    When companies lose control of proprietary information, there are
    consequences.
    
    A KPMG survey found that Canadian corporations suffered an average
    loss of $178,000 per information theft (electronic or otherwise).
    
    "When you have a theft of information, it could be absolutely
    devastating to the company," says Hess. "Corporate Canada is still
    awakening to the fact that those threats are real."
    
    Experts say businesses large and small generally don't put enough
    locks and chains between their proprietary information and outside
    hands.
    
    "It's something that, by default, businesses don't do enough due
    diligence on," says Tarr. "What you see is organizations using
    technologies have so many challenges . . . it's hard to keep security
    at the forefront of their IT plan."
    
    Companies expose themselves to electronic assaults on their systems in
    two key ways. Firstly, there is a multitude of technological portals
    through which outsiders can hack into a system. An Internet connection
    or a particular department system not under a company's security
    umbrella are two of many examples.
    
    Says Tarr, "Almost all organizations using technology and attached to
    the outside world are at risk."
    
    Equally important are the ways in which employees themselves,
    deliberately or otherwise, create vulnerabilities in security.
    
    For example, a conniving attacker posing as a human-resources manager
    can often get passwords from naive or unsuspecting new employees over
    the phone.
    
    Hackers call it "phreaking." Security professionals prefer the term
    "social engineering."
    
    "It's amazing what people will tell you if you ask them nicely and in
    the right way," says Tom Keenan, dean of continuing education at the
    University of Calgary, who has a keen interest in information
    security.
    
    Hackers are experts at exploiting cracks technological and social.
    They are an organized community with formidable knowledge. Hackers
    exchange tricks of the trade and knowledge about vulnerable businesses
    in chat rooms on the Internet and even at conferences like DEF CON,
    held in Las Vegas every year. Security professionals are attendiung
    these conferences to keep tabs on the enemy and even recruit them.
    
    "You fight them (hackers) with knowledge and preparedness," says
    Phillip Banks, vice-president of KPMG Investigations and Security.
    
    "Your security people have to become knowledgeable as to the threat .
    . . and make sure you have a system that's capable of protecting
    itself."
    
    Just as there are many ways for hackers to get in, there are plenty of
    tools to keep them out.
    
    Passwords, data encryption, firewalls (stopgates for incoming and
    outgoing data) and network-monitoring tools that observe traffic and
    activity are examples.
    
    But these tools are ineffective if not implemented in conjunction with
    a comprehensive security policy.
    
    That includes personnel training and security awareness about issues
    like disclosure of passwords, and storage and destruction of
    information.
    
    The level of security depends largely on the value of the data a firm
    has.
    
    There are few limits to how secure you can make your information or
    how much money you can spend steeling yourself against the outside
    world.
    
    Keenan recalls a Toronto software-consulting firm that considered
    placing its systems in a lead-lined room to prevent competitors from
    spying "using special antennas.
    
    Yet their phone lines weren't protected, so anyone could wiretap them
    from the hall.
    
    "The reality is, people often get hung up on the wrong thing and spend
    a lot of money locking up a door when there's a window wide open
    somewhere that they haven't seen."
    
    As well, when battening down the hatches, companies need to balance
    security and convenience.
    
    Excessive security can cut into productivity,, and there's a tendency
    for employees to find ways around irritating information-security
    measures, much as they may prop open locked doors to avoid the hassle
    of fumbling for keys.
    
    "Security has to be balanced," says Banks. "Corporations exist to do
    business and make money, and they can't be subservient to security."
    
    No amount of security can fully protect a system from hackers, who can
    and do find cracks in even the most rigourous and high-budgeted
    security efforts, like those of NASA, the military and the Pentagon.
    
    "Even organizations that have a significant number of zeros behind the
    dollar sign are falling prey to this sort of thing," says Banks. "I
    expect it to increase."
    
                                    [LINK]
                  Copyright  1999 Calgary Herald New Media
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:08 PDT