2005-08-04 06:11

In an environment where one determined computer hacker can cost a business its corporate reputation, not to mention a stack of money, and where individuals can lose sensitive personal and possibly financial information, it might be assumed that only a small number of businesses would not be on top of the situation. Not so, says J. Michael Gibbons. The response from business to the unparalleled threat has been in some cases good, but in others decidedly patchy.

Gibbons cites a survey carried out by IT industry analyst the Gartner Group. It reported that of the Forbes 1,000 richest companies, only 75 per cent had or would appoint a Chief Information Officer (CIO). That leaves 250 of America's biggest companies without a CIO, a role which is crucial in the battle against Internet fraud.

Gibbons' experience of IT crime is extensive, stretching right back to the mid-1980s when it started to become a problem. Joining the FBI in 1985, Gibbons rose to become chief of the Computer Investigations Unit of the FBI. Handling cases whose names sound like something Sir Arthur Conan Doyle might have thought up had he been around today, some of Gibbons' earliest cases included the "Internet Worm" investigation and the Hannover Hackers. The latter saw a German gang break into the Pentagon in 1986, stealing documents and then selling them on to the KGB. The case was later made famous by the best-seller "The Cuckoo's Egg", written by Cliff Stoll, which remains required reading for students of Internet security.

"It shows that hackers just using brute force methods can break into just about one out of every twenty computers which they try," says Gibbons. "It was interesting that even early on back then, the group was communicating across the net back in 1986, a good eight or nine years before the Internet really got off the ground and the World Wide Web started kicking in," he says.
If Internet crime is not a new phenomenon, the methods used have become far more sophisticated as the rewards for successful hackers have grown, says Gibbons. "The difference is that a lot more people have developed automated ways to break in," he explains. "There are all these 'scripts' that have made it simple for people to break in. You don't have to be a rocket scientist. Hackers share information in trusted enclaves and share techniques."

As online banking, business and communications have entrenched themselves, so have the problems grown. "I was very shocked during the last three years when I saw the increase of people trying to break into computers. 2004 was 'The Year of the Bot' as I call it, when we saw automated attacks at unprecedented levels. The problem has been growing at a faster rate than I could have imagined," adds Gibbons.

However, according to Gibbons other trends are showing that some business is realizing the potential damage and is taking action. "A lot of the large companies also have to trust their own private information as well as their customers' information with other companies. We've seen a trend where some companies are actually vetting security posture policies of their trading parties with whom they are going to share the data."

As for individuals, they have to learn to protect themselves with up-to-date firewalls and anti-virus software, says Gibbons. "If you do business online you personally stand to lose account logons and passwords - there are programs out there which capture your keystrokes." When you accept an email or download an executable file, these may contain viruses. Some viruses can infect merely by visiting certain websites. Easy enough then: just don't run executable files from people you don't know. Unfortunately, it gets more complicated.

'Social engineering'

Gibbons describes a scenario where someone is the victim of a focused, organized attack - not an automated attack which takes a scattergun approach.
In this example, the secretary of a senior executive, or the executive personally, might receive a call from someone purporting to be from the Finance Department with an important spreadsheet sent from such-and-such an account that the secretary should really take a look at. Such an attack includes an element known as "social engineering" - combining technology with good old-fashioned trickery to bypass security measures. Once the victim's machine is infected, the hacker has potential access to a range of information, including the victim's credit card details, online banking arrangements and personal numbers and passwords. "People are trained not to open files from untrusted sources, so these sources in effect become trusted ones," explains Gibbons. "This is not a technology issue but a people and process issue."

In which case, and given the disparate nature of these attacks, how can a business defend itself? "If you keep your anti-virus up to date and you know what you are doing, you're probably very good against unfocused attacks," says Gibbons. "If someone has a focused attack then you would have a problem because you would have to protect yourself against 20 or 30 different attacks. Targets are where the money is, and those people are going to have to have exceptional protection," he says. "We adopt an enterprise view following about 17 different control areas covering people, processes and technology. We work with the company to build policies for each of those areas based on the sensitivity of the data that needs protecting.... It's a pragmatic approach."

Unsurprisingly, Gibbons stresses the growth in the industry on the process and management side of the business, and not just in the implementation of security devices. "It's a 24/7 responsibility in this day and age," he says. For instance, not so long ago the period between a vulnerability being announced and an exploit (attack) being launched could be a week or two. Now an attack may take as little as 4 hours.
"What happens if someone discovers that vulnerability at midnight? Do you have someone working between midnight and four in the morning to patch your system?" Gibbons believes that with security centres in Wellington, Hong Kong, Amsterdam and the US, outsourcing security to specialist companies can prove cost-effective for small, medium and large businesses where there may be hundreds of critical security devices.

He also says that businesses have to be prepared for the eventuality of data loss or breach of security. "It may not even be their fault. Firewalls have been known to fail," he says. Questions asked include whether a company should keep operating or cut itself off from the Internet temporarily. A company under attack will also need to find out where the attack came from. "If you have a system administrator just mucking about they can actually really damage and destroy the trail left by hackers," says Gibbons. Meanwhile, disposal of data is ignored by businesses that fail to wipe disc drives before selling old computers, exposing sensitive information.

Protection in store

Security standards are rising, with more sophisticated access becoming the norm. We are all used to first level access, which might include a user ID and a password. The next level up might take the form of a two-factor ID with two passwords or shared secrets - which may be enough depending on the security of the data, says Gibbons. "Banks in Hong Kong are now moving towards a two-factor authentication," he notes. But it is "Biometrics" which is providing the next level of security. Biometrics, which includes fingerprint, retinal and iris scanning technologies, is increasingly available and affordable. "What we like about biometrics is that they are portable and supposedly less fallible than just some password or shared secret. The technology is lowering in cost. Iris scans are now used in Amsterdam's Schiphol Airport," says Gibbons.
Whilst iris scanning is "tough to beat", he says, other techniques can depend upon the quality of the instruments. "One (fingerprint) reader was fooled by someone who pushed their thumb on a gummy bear and used the imprint on the reader." Iris scanning also benefits from not having the negative connotations associated with fingerprints, which are often used by law enforcement agencies. Such technologies may replace older password systems as they become cheaper and more widespread.

"We hadn't seen any real changes in the protection of computers until the last year or two, specifically about access," he concludes. "If you think about it, the primary way people get into computers is by a shared secret, either a name or an account number. Now we are seeing a lot more fraud, so they are raising standards so you need more than just a password. There are more organized gangs, more criminal groups because there's more profit to be made."

(HK Edition 08/04/2005 page4)