Security in Spotlight, as Breaches Rise
May 24, 2004
BOSTON -- Despite the rampant increase in "e-crimes" and high-tech scams, cyber experts here said that firms need not build the Fortress of Solitude to protect their computer systems and networks from hackers and viruses.
However, they should steer clear of being the lowest-hanging fruit on the tree, meaning firms should avoid making themselves ripe for the picking. Speakers at the National Investment Company Service Association's Technology Forum 2004 session "Vulnerability Management: Dealing With Worms and Hackers" said criminals often use the path of least resistance, choosing to attack firms that are the most vulnerable because of lax or misguided security initiatives.
Threats are ever-evolving and no system is foolproof. "You could spend a zillion million dollars and still not have an effective system in place," said Kevan Keegan, assistant vice president, MFS Service Center, Inc., and moderator of the panel.
There is a happy medium where firms can be smart about security without going overboard, though, the panelists said. "We understand our threats [and] they are huge," said Diana Kelley, senior technology strategist for business software company Computer Associates. "But, technology for technology's sake doesn't make you any safer." The overall dollar amount allocated to systems security is less important than a company's attitude towards protection, as long as a reasonable amount of resources is provided to the initiatives. It boils down to the quality-over-quantity argument.
Kelley said one of the biggest gaffes a financial services firm, or any firm for that matter, can make is to take a silo-like view of security. "It's not just a firewall that sits on the perimeter of the company. It needs to be a part of the business," she said.
In fact, systems safekeeping and investment management can be viewed in much the same way, according to Kelley. "It isn't just security, per se, it's risk management. You need to know, analyze and understand the business management," she said.
Security breaches are becoming more common and almost a daily occurrence for major organizations. The panel illustrated the growing threat by citing recent news accounts. In early May, the Associated Press reported that 380,000 students, teachers and others associated with the University of California, San Diego, including applicants and alumni, had their confidential information compromised when hackers infiltrated the university's computer systems. Also recently, Qualcomm's Eudora e-mail program had a dangerous system flaw, allowing the deployment of malicious code on vulnerable systems.
"It's always tough to talk about threats and not come off as an alarmist," said Brian Kelly, director of the Giuliani Advanced Security Center at Ernst & Young. "But the threat is evolving pretty rapidly."
James C. Burrell, supervisory special agent and supervisor of the Boston cyber-crime squad of the Federal Bureau of Investigation, said that firms are getting better at security, but are not necessarily motivated by protecting against criminal activity. Instead, they are primarily interested in safeguarding intellectual property for competitive reasons.
Burrell said his squad has done coordinated takedowns, and recently uncovered a case dubbed "Digital Pirates" that should be particularly alarming to financial services firms. In this case, an employee working for a financial services firm commandeered a company server and used the firm's bandwidth to distribute pirated copies of movies.
Aside from the misuse of company property and resources for illegal activity, which in itself could cause liability issues for the company, the breach also provided those pulling the movies from the firm's server a tunnel into the system, the panel members said. Once outsiders gained access to the firm's server to rip the movie files, the question then became: what else did the rogue employee open the firm up to? Were hackers able to exploit their free pass into the system to fish around for other sensitive information that could be used to rip off investors, or even the firm? Could outsiders send malicious files in through this security breach and cripple the system? Worms and viruses that can wreak havoc on IT departments and paralyze systems are on the rise.
An Inside Job
Alarmingly, the number of security violations perpetrated by company insiders is about equal to the number perpetrated by outsiders, according to the 2003 CSI/FBI Computer Crime and Security Survey. Attacks by disgruntled employees are running even with those by hackers, illustrating the importance of employee screening. The survey polled 530 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.