[ISN] Survey: Hackers Thrive on Sloppy Employees

From: InfoSec News (isnat_private)
Date: Wed Oct 10 2001 - 00:39:28 PDT


    By Alexander Boreiko 
    Wednesday, Oct. 10, 2001
    Russian corporate computer networks are hacked into twice as often as
    in Western Europe, while e-crime thrives on careless computer users,
    according to Ernst & Young research.
    Sixty-five percent of those surveyed by Ernst & Young encountered
    problems with computer security sometime in the past year. Companies
    most often suffered from computer viruses, network crashes and
    unauthorized access from inside the company.
    Thirty-nine percent of respondents reported that hackers broke into
    their system -- twice the level in Western Europe. However, only 26
    percent experienced vital systems failure, compared with 70 percent in
    Western Europe.
    Hackers frequently took advantage of gaps in security -- for example,
    misconfigured network monitors -- and of careless users, who often
    leave default and guest passwords unchanged, according to the survey.
    Half of the companies in the survey experienced virus attacks --
    frequently caused by workers opening files from questionable sources.
    Hackers usually break into systems to steal commercial information or
    tamper with finances; but Russian companies reported that these types
    of attacks accounted for only 3 percent and 6 percent of all
    break-ins, respectively.
    Experts from Ernst & Young say the problem is bigger than it seems,
    and that the relatively low percentages are a result of hackers
    covering their tracks, so many intrusions are never attributed.
    In Moscow alone, e-crime accounts for $12 million to $15 million in
    losses yearly, according to law enforcement authorities.
    If a hacker doesn't break into a system, he or she can still cause
    considerable damage by launching a denial-of-service attack, said
    Michelle Moore, head of the information technologies and risk
    department at Ernst & Young's Russia office. A DoS attack overloads
    the network system by sending false queries, cutting access to real
    "Hackers launch DoS attacks so the day wouldn't be wasted," said
    Moore. "It is comparable to a burglar who cuts the telephone and
    electric wires of a house he isn't able to get into, out of spite."
    In the United States, 70 percent of companies polled by the FBI said
    they experienced unauthorized access to their computer systems
    sometime last year. Fifty-nine percent of the attacks came over the
    Internet, while 38 percent were launched from within a corporate
    network. Seventy-four percent of respondents reported financial losses
    attributed to hacking, but only 42 percent were able to quantify those
    losses. The quantified losses totaled some $265.6 million.
    Most companies have anti-virus programs and network monitors as safety
    precautions. However, they focus on technical safety measures, rather
    than organizational ones.
    Russian companies experiment with technical products without first
    determining what risks their systems face, and therefore what
    safeguards those systems actually require. The result is either too
    little or too much security software, analysts say.
    Because the Internet has made national borders invisible, companies in
    different countries are encountering the same threats to their
    information's safety. But Russia's legislation and technology is
    underdeveloped and not prepared to fight computer crime, Moore says,
    and no local companies have a formal system for tracking down breaches
    into operating systems.
    "A very big fraction of breaches happen because employees are not
    careful with information and it falls into the wrong hands, or they
    run applications that are not familiar to them," said Svetlana
    Trofimova, manager at the Kaspersky Lab, Russia's leading anti-virus
    software developer. Uneducated employees present the biggest risk, she
    The E&Y survey showed that 32 percent of respondents had not tested
    their security systems' effectiveness.
    One way companies can test their security is with planned hacker
    attacks. However, most Russian companies have not used this method and
    have no clear idea of how secure their information is.
    Ernst & Young specialists test systems by simulating a hacker attack
    on their clients, finding soft spots in the system. Almost always,
    companies hire outside help to test their security system only after a
    Furthermore, only 38 percent of Russian companies have installed
    breach detectors into their systems.
    "One of the main problems is a lack of financing geared toward data
    security," said Trofimova. "Today, close to 90 percent of companies
    need security systems. A significant number are government
    institutions that lack funds and can not defend themselves
    To effectively protect a company from hackers, an analysis of the
    company's business processes and the risks associated with them must
    be made, said Alexander Galitsky, head of the TrustWorks computer
    security company. With that information, a security policy can be
    developed, technical infrastructure created and technology geared
    toward fulfilling the policy.
    "As far as I know, this is not practiced in Russia because,
    traditionally, Russian companies don't pay for consulting," he said.
    "Many consider a network monitor, door security and disconnecting the
    internal network from the Internet sufficiently safe."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Oct 10 2001 - 03:47:44 PDT