Network Security: the new challenge

With over 40,000 sites on the World Wide Web containing some form of "hacker tools," the ranks of hobbyist hackers and writers of computer viruses are expected to grow exponentially.

Just about any sufficiently motivated information technology novice can trash the stock exchange website or redirect it to a porn site. Just about anyone with basic programming skills and an unhealthy sense of adventure can unleash another ILOVEYOU virus and destroy stored data anywhere in the world.

Remko Jacobs, chief executive officer of I-Sentry Solutions, Inc., says the Internet, due to its open nature, "will remain unstable, not secure, and open to abuse and exploitation." And anybody wired up is a potential target.

The Computer Emergency Response Team (CERT), formed in 1988 to attend to reported systems break-ins and to assist in the development of fixes, logged only six cases in the year it was organized. After 10 years, CERT recorded 3,734 cases, rising to 8,268 cases in 2001.

Approximately $440 million of real, quantifiable losses were incurred last year from computer crimes and security breaches in 270 organizations. The United States government is expected to experience over 300,000 Internet attacks this year when Internet crimes are expected to take place every 20 seconds.

A survey by the Computer Security Institute (CSI) showed that 30 percent of reported computer systems were penetrated while 55 percent reported unauthorized access by insiders. The same survey found that most firewalls were configured incorrectly and that among desktops with modems that were penetrated, dial-up systems were the most vulnerable.

The survey called the "CSI/FBI Computer Crime and Security Survey" is conducted annually as a public service by the CSI, with the participation of the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad. It aims "to heighten security awareness, promote information protection, and encourage cooperation between law enforcement and the private sector," said CSI editorial director Richard Power in the Spring 2001 issue of Computer Security Issues & Trends, a publication of the CSI.

For any business, the statistics predict heightened risk. Loss of client confidence is a real risk, particularly when cybercrime involves loss or alteration of confidential information such as personal accounts and financial transactions. Loss of profit is a risk should prolonged downtime in an operating system occur. There is also the potential for legal action if significant data are lost or violated.

Website defacements and denial-of-service attacks are among the most humiliating incidents for businesses, causing loss of goodwill and translating into missed opportunities to interact with clients.

Jacobs said: "Hackers don’t respect local business hours. Business – access to business resources – is increasingly global and hence, round-the-clock. This simply means that the protection of resources needs to match their availability."

The growing need for reliable data security has prompted more and more companies to seek the help of professionals in managing their requirements. And while there are only a few who can claim expertise in IT security, some firms still believe such service should be provided in-house, rather than be outsourced.

"It’s a question of trust," said Mari Lolarga, head of the data security group of Adtel, Inc. "There has to be trust between the service provider and the customer. I guess the kind of trust network security consultants ask from the client is the same kind of trust the client would necessarily give to an in-house security specialist."

Lolarga noted that majority of security violations occur due to the weakness of in-house systems, rather than the immense skill of attackers.

Jacobs concurs. "Do you realize that your system administrator can read all your email without any issue? Encrypted files and passwords can be cracked in minutes and 70 percent of intrusions are actually internal attacks," he said.

Also listed among likely sources of attacks are independent hackers, competitors and disgruntled employees. Incidents reported include theft of proprietary information, sabotage of data networks, system penetration by an outsider, insider abuse of Internet access, financial fraud, denial of service, virus, unauthorized insider access, active wiretapping and laptop theft.

Adtel and I-Sentry formalized a partnership in January 2002 to jointly offer network security consultancy. The partnership offers an independent and objective assessment of network security requirements to corporate clients, as well as corresponding management tools for specific risks detected during evaluation.

And while current information shows that eight of 10 companies are not even thinking about network security yet, experts believe the need for it will soon be recognized as more and more people go online – in the office or from their homes.