The first signs of trouble on the company’s computer network came as a series of oddities in its enterprise-management system. Among them: transactions were appearing that couldn’t be substantiated and product orders were being placed that didn’t match any payments. So a senior executive from the Canadian high-tech firm phoned computer-security expert Richard Reiner, CEO of Toronto-based Assurent Secure Technologies, to ask him what the problem might be.
Assurent’s investigators suspected there had been a security breach—then went on to unearth a shocking scale of damage. One of the myriad hacker groups that continuously scour the Net for ill-protected networks had spotted a vulnerability in an online application the company used to communicate with staff. The hackers used that as an entry point into the firm’s core enterprise-management system — and they told their hacker friends about it. Word spread, and wave after wave of hackers swarmed in. Eventually, 30 groups were marauding through the company’s network. Yet, for three months, their victim had no clue it was under attack.
Some of the hackers were content to pillage, shipping goods from the company’s warehouse to themselves, free of charge. Others stole customer data and sold it on the black market. One group left a nasty memento: a script that randomly scrambled the firm’s supply database. Reiner says direct costs to the company, which he won’t identify, topped $3 million—and that excludes the hidden cost of losing its customers’ trust when they learned their data had been stolen.
An extraordinary case? No way. Reiner knows of several Canadian companies that have suffered similar losses from similar cyberattacks in the past 12 months alone. Nor was there anything unique or complex about the cause of the vulnerability: no one had trained the developers of the cracked application to design for today’s hostile online environment. They had simply used a general-purpose firewall rather than one configured to protect a Web application, and had neglected to install red flags to signal suspicious usage patterns.
It’s time Canadian entrepreneurs understood that computer crime is no longer just a bunch of teenage hackers making a nuisance of themselves — and that it’s not just big business’s problem. CEOs who figure they can ignore or underfund cybersecurity because “it won’t happen to me” need to wake up to the enormity of the threat.
For instance, the U.S. Federal Bureau of Investigation estimates that computer crime cost the American economy US$400 billion last year. Canadian stats are unavailable, because the RCMP’s crime database (which is currently under renovation) doesn’t break out cybercrimes. But Paul Poloz, a staff sergeant at the RCMP’s Technological Crime Branch in Ottawa, says police are seeing rapid growth in every computer crime category, including viruses, data theft, website defacement, “phishing” attacks, extortion and bandwidth theft. Worse, the array of threats is multiplying and causing damage ever more quickly.
Here’s an even scarier thought: lured by the potential for hyperprofits, organized crime is moving into the electronic underworld, raising the danger to a new order of magnitude. Most important of all is that cyberculprits are targeting smaller firms in a big way. Add everything up and the point becomes clear: computer crime is one of the biggest threats to your business.
The exponential growth of computer crime is evidenced in the latest Internet Security Threat Report from Symantec Corp., a Cupertino, Calif.-based cyberprotection provider. In the first six months of 2005, the number of Windows viruses and worm variants jumped by an alarming 48%. Phishing attacks, in which a fraudster purporting to be from a legitimate organization dupes e-mail recipients into supplying personal or financial data, soared 91%. And denial-of-service attacks, which barrage a website with requests in a bid to crash it, were up a stunning 680%, with small business the No. 2 target.
Yes, cybercriminals are increasingly acting on the knowledge that most small and medium-sized enterprises are easy prey. “Entrepreneurs have to recognize they’re more of a target now than ever before,” says Howard Schmidt, chief information security officer at San Jose, Calif.-based eBay Inc. and a former computer security advisor to George W. Bush. As the corporate sector has poured resources into protecting itself, “we’ve seen criminals migrating to the end-user and to SMEs as their targets, because people are less prepared at that level.” Just because online criminals have never heard of you doesn’t mean you’re safe. Schmidt says they’re “tremendously indiscriminate in picking out who their victims are,” going after easy marks regardless of size.
Attracting the mere attention of computer criminals can be a death sentence. “Once an intruder gets into your system,” notes Poloz, “the sky is the limit.” But you don’t have to be victimized directly to pay a price. Big businesses, many of which see SME suppliers as the weak link in their own security chain, could refuse to buy from you if you don’t meet their safety standards. Schmidt knows of two big companies that told SMEs they won’t give them any business until they improve their computer security.
If your network is hacked, the cyber bad guys could steal or trash your data — a hit that could be devastating if you lack deep pockets. They could knock your network out of action, costing you a fortune in lost business, then forcing you to invest staff time and hire pricey security experts to fix it. They could capture vital information and hold it for ransom. Or they could sell intellectual property you’re developing to a rival, threatening your firm’s future.
The risks aren’t limited to specific attacks, either. We’ve lived with viruses for so long you might figure you’re safe as long as you run desktop anti-virus software, but that’s no longer enough. You need protection at both the PC and server levels. And if you fail to install software patches within 48 hours of release, you leave your network wide open to e-vandals. (Read “The seven pillars of cybersecurity” for more computer security tips.)
Protection levels that sufficed even a year ago are inadequate to meet a virus threat that has metastasized in two ways. As the Symantec report shows, the number of viruses is exploding. Worse, they’re spreading faster and faster. It used to be several weeks between the time a software vendor released a patch to fix a vulnerability and when hackers figured out how to exploit the flaw and attack unpatched computers. Now, collaborating via peer-to-peer networks, they develop hacks within a few days, and even low-skilled “script kiddies” can use automated scripts to commit sabotage. In August, hackers launched the Zotob worm to take advantage of a Plug-and-Play flaw in Windows 2000 less than 72 hours after Microsoft released the patch. Schmidt says we’re fast approaching “zero-day vulnerability,” when cyberattacks will commence the same day a patch is released.
As serious a threat as viruses pose, it pales in comparison to crimes driven by a more powerful motive than mischief or feeding a geek’s ego: profit. “Hackers are moving away from the personal fame of putting their tag on a website,” says John Weigelt, national technology officer at Microsoft Canada Co. in Mississauga, Ont. “We’re seeing a move to profit-oriented IT exploits by organized groups and individuals.” A report from McAfee Inc., a Santa Clara, Calif.-based firm best known for its anti-virus software, quantifies the magnitude of the shift. It estimates 85% of malicious software (a.k.a. malware) is written purely for profit.
The categories of for-profit offences, such as theft, extortion and espionage, are nothing new. What is new are the instruments that permit attacks on an unprecedented scale. Hacker sites offer tools with graphical user interfaces that make it easy for far more people to give computer crime a whirl.
Think like a criminal for a minute and you’ll see how many e-assets your company has worth plundering. One that’s easy to overlook is your bandwidth. With enough of it, a hacker can run a “botnet,” a network of robotized computers used for any number of nefarious purposes. Spammers are a key market for heisted bandwidth. Reiner says as they’ve found it harder to buy bandwidth from legitimate Internet service providers, some spammers have hired hackers to steal it by seizing control of company networks.
In September, a mid-sized Canadian firm learned it was a casualty of bandwidth theft when clients complained its website would no longer track their orders. The company called in a Web performance specialist, who asked whether the site was supposed to be spitting out 200,000 e-mails an hour. It wasn’t supposed to send any. Reiner’s Assurent was called in, and discovered that the firm had fallen behind on patch updates but figured it was safe behind its firewall. Hackers hijacked the corporate network, slowing it to a crawl. Besides losing customers, the company was flooded with e-mails from anti-spam activists accusing it of being a low-life bulk e-mailer.
Another vulnerability comes with the remote- and wireless-access systems that make your road warriors more productive. Paul Brousseau, SMB marketing manager at Hewlett-Packard (Canada) Co. in Mississauga, says unprotected businesses face twin perils: that unauthorized users will gain access, or that hackers will intercept data flowing to and from authorized users.
According to research by WhiteHat Inc., a Burlington, Ont.-based computer-security company, mobile workers at two-thirds of small businesses neglect to activate the built-in encryption features on their wireless devices. That makes it a slam dunk for “war drivers” using a Wi-Fi-enabled PDA or laptop to intercept wireless messages sent over a Wi-Fi network.
The McAfee report cites an example of how exposed some networks are. Two war drivers sitting in the parking lot of a U.S. home-improvement outlet logged into its local wireless network, and from there hacked the retailer’s national network. They repeatedly stole credit-card data and installed malware that crippled several computers.
The list of threats goes on. A hacker could steal customer data and sell it on the black market for the going rate of US$2 to US$10 per stolen identity. An employee downloading music at work could inadvertently infect your network with a keystroke logger, a type of spyware that steals usernames and passwords as they’re punched in. Cybercriminals could buy a pallet of old computers from a recycling plant, retrieving data that’s truly deleted only after you’ve applied a special wiping program. Or someone could crack your HR records, selling employee performance reviews to a headhunter so she could go after your star staff.
More ominous than the crimes themselves are the new faces behind them. Organized-crime groups are spotting rich pickings as the Net becomes central to the economy. “They realize they can steal valuable information without having to have guns and car chases and shoot people,” says Trent Dyrsmid, CEO of Vancouver-based Dyrand Systems Inc., a provider of IT services.
No one knows how much computer crime is perpetrated by online mobsters, says Schmidt, “but clearly there’s been more structure, more organization about it, and some of the trails seem to lead back to places in other parts of the world where there is a large organized-crime element.” Dave Thomas, chief of the FBI’s Computer Intrusion Section, says eastern European crime groups have moved onto the Net in a big way. So far, traditional Mafia groups have not, but Thomas predicts that they will.
“Criminals have realized the huge financial gains to be made from the Internet with relatively little risk,” states the McAfee report. And hacker circles offer just the expertise they need. There are no hard figures on how far the “hackers for hire” phenomenon has progressed, but anecdotal evidence suggests frightening potential. James Lewis, who wrote the McAfee report, says some hacker sites now advertise hackers for hire, and professional criminals are the biggest patrons. Another sign of the times: in March, the FBI arrested a 16-year-old New Jersey hacker and the businessman who had hired him to launch denial-of-service attacks to disable competitors’ websites. Damage surpassed US$2 million.
The McAfee report identifies a dozen countries worldwide as centres of organized computer crime. Leading the pack are the U.S. and Russia. The latter shares with some other countries in eastern Europe a chilling combination of powerful mobsters and a deep pool of people with advanced computer skills and few legitimate job prospects.
The professionalization of computer crime, including the signs of an emerging mobster-hacker alliance, should make you pine for the good old days of teenaged nerds making mischief online. The fat profits from computer crime threaten to expand its scope and sophistication radically in the same way as the illegal-drugs trade morphed from informal networks of small-time dealers into a multinational business moving vast quantities of a full narcotic catalogue.
Despite these trends, entrepreneurs’ behaviour suggests widespread complacency. WhiteHat CEO Rosaleen Citron encountered a company with $12 million in revenue that didn’t even have a firewall for its website: “I told them that, sooner or later, they’re going to get taken down.”
You can’t measure the degree of complacency directly, but a study by Computer Associates International Inc. of Islandia, N.Y., offers some hints. It states that 25% of larger SMEs and 50% of smaller ones use non-expert staff to maintain their IT systems, while more than 30% who back up their servers haven’t checked their ability to recover files in more than a year. Fully 20% have no backup systems at all. All this, even though statistics from the National Archives and Records Administration in Washington show that almost half of businesses that experience catastrophic data loss go bankrupt immediately.
Donna Childs, New York-based co-author of Contingency Planning and Disaster Recovery: A Small Business Guide, says that most SMEs lack awareness of the risks. Big companies are better informed, but are reluctant to report cybercrimes to avoid calling attention to their vulnerability: “Because it’s underreported, people don’t appreciate how frequently it occurs.”
Joe Greene, Ottawa-based vice-president of IT security research at IDC Canada, an IT research firm and consultancy, says small businesses and many mid-sized ones tend to limit their focus to viruses, whereas larger companies take steps to deal with a range of threats. eBay’s Schmidt attributes entrepreneurs’ complacency to low levels of knowledge about IT security, a view of security as an expense that yields little return and a widespread belief that only the big guys are at risk.
Microsoft’s Weigelt states the risks of such attitudes bluntly: “Cybercriminals target weak machines wherever they exist. No one is immune.”
And there’s no end in sight. “This game of cat and mouse will continue forever,” says Dyrsmid. The good news is that although you can’t protect your company against every threat, you don’t have to. Given the modus operandi of the average e-thug, you need only enough protection to deflect his attention to someone who is unaware of the greatest new threat to business.