Electronic attacks on the rise*
Phishing, Trojan horses… what will attackers think of next? Even more important, how can you keep
one step ahead?
*This is an expanded version of a summary that originally appeared in the September 2006 issue of
CAmagazine.
By Greg Murray, PricewaterhouseCoopers
Talk about radar and anti-radar. Just when companies think they’re protected from electronic attacks,
someone thinks up a new way to infiltrate their systems.
Threats to information security have become highly targeted, organized and costly, resulting in billions
of dollars in economic damage each year. The total has grown exponentially in the past decade and will
continue to grow for the foreseeable future.
Electronic attacks have also become extremely fast today. Attackers can write programs in less than 24
hours, distribute them to millions of computers and then vary the program just enough to subvert an
organization’s controls.
The threat landscape is changing so quickly that many organizations are in reactive mode when managing
their information security. They wait until they’re attacked – and then work feverishly to respond – even
though the damage is already done.
This won’t do anymore. Breaches of security mean losses of money, credibility and even strategic
information such as long-term business plans. Just ask yourself how much your business strategy is worth in
your competitors’ hands.
For businesses today, information security is about building up their security capabilities and defences
and becoming as flexible as the attackers. They also need to foster a culture of security within their
organization, which is one of the best defences against electronic attack.
Some threats businesses face
Often it’s the unplanned threats that can damage an organization the most. Corporate assets such as e-mail,
instant messaging, VOIP, wireless or Bluetooth provide alleyways for malware (malicious software) to
penetrate your defences. As attacks on security and privacy become more sophisticated, the list of threats
continues to grow. Here are some of the most common:
Phishing – This type of social engineering attack tries to trick people or gain their trust to obtain
sensitive personal or corporate information. A common approach is to masquerade as a trusted business (e.g.,
a bank, insurance company, telecommunications company) and ask for private information. Phishing was once
thought to threaten only e-mail or instant messaging, but it’s a much larger threat now.
The latest scams have attackers sending e-mails with links to VOIP phone numbers – and these “fake” call
centre representatives sound and act just like the real thing! End users may inadvertently reveal personal or
corporate information without even realizing it, weakening your security.
Trojans – These applications present themselves as legitimate programs, but are actually designed to steal
your personal or corporate information. The attackers are smart, often disguising their application as
something of value. This was the case with the Haxdoor-IN Trojan, which allegedly provided a 2006 FIFA World
Cup wall chart and schedule. The reality was that Haxdoor-IN allowed unauthorized parties onto your computer
without your knowledge.
Spyware/keystroke loggers – These applications record and track user activities while on their computer,
then send this information to unauthorized parties without the users’ knowledge. This malware has become very
sophisticated, as was the case with Spyware.SmartKeyLogger. This program monitors and records keystrokes,
instant messages, Internet and application usage, and can take periodic screen shots to send to unauthorized
third parties.
This type of threat can cause financial and operational risk issues. For example, if the CFO is preparing
a company’s quarterly numbers to report to the market in a week’s time, Spyware.SmartKeyLogger could penetrate
your defences and take a screen shot of the draft numbers. The attackers could release this picture on the
Internet before the numbers are officially released. The potential for regulatory and brand damage is
considerable.
It’s all about money
For the attackers, it’s all about money. They launch their malicious attacks to steal a company’s information
and people’s identity, and then profit from their sale.
One way attackers can do this is through identity theft. This can create a vicious cycle of fraud and pose
significant security challenges. Unfortunately, most businesses aren’t even aware of the extent of the
issue.
Identity theft goes something like this: Attackers subvert corporate controls, stealing personal or
corporate identity information. The attackers use this stolen information to pose as legitimate customers and
defraud other organizations. Adding insult to injury, the attackers continue to obtain more and more identity
information as they move from organization to organization, defrauding each as they go. The result is a
vicious cycle of stolen identities, lost information, potential brand damage and fraud.
And it looks like a new cycle is starting. In June the American Institute of Certified Public Accountants
(AICPA) reported that in February 2006, a hard drive was lost in shipping. The personal information of more
than 330,000 of its members was unencrypted on the drive. Worse yet, there are reports that the AICPA
was potentially in violation of its own security policies, making this breach a potpourri of security and
privacy issues.
So why is identity theft so devastating? The answer is simple: identity is core to almost any customer
facing or internal business process. Whether you’re buying a car, getting a new phone line or logging onto
the corporate LAN, identity is the key. Allowing a compromised identity to access legitimate information
breaks the bond of trust with your customer or end user. And if people can’t trust you, they won’t do
business with you.
So what’s the answer? Locking down your systems to protect your information? No. If you put overly
restrictive controls in place, your system may become too difficult to use. Externally, this could force your
customers to go elsewhere. Internally, your employees may become less productive.
At the end of the day, it’s a fine balance between information protection and ensuring people have secure
access to information they need.
So how do you deliver secured services that protect customers and end users while meeting their business
needs? You need to know the state of your information security, know the threats you face and remember that
information security is a business risk issue.
The state of information security
To prevent breaches of security and information theft, you need to know what you’re protecting and where it’s
located in your environment. In The Global State of Information Security 2005, a worldwide study by
PricewaterhouseCoopers and CIO magazine, 47% of respondents reported information/economic damage as
“unknown,” 26% didn’t know how their information was attacked and 25% didn’t know who was attacking them.
The study also found that 55% of organizations did not know who to contact when their security had been
breached. This statistic suggests that security program awareness and crisis planning are not undertaken in
many organizations. Failing to anticipate a crisis situation will result in just that – a crisis. Businesses
should anticipate that a security breach will become public and plan accordingly.
But even this is not enough. Companies also need to practise the plan to make sure it works. If it sits on
a shelf and is never tested, would you really feel comfortable relying on it during a full-blown public
crisis?
Identify the threats
Organizations need to identify the threats that are out there, the probability of attack and the
impact on their operations. This analysis is needed to help set security priorities, budgets and performance
metrics. Many organizations overlook this activity and forget that not all information assets have the same
value to a business.
Planning for information security threats should also be business-wide and include representatives from
throughout the organization. Businesses that undervalue the activity of identifying threats are often
rewarded with failure, before even launching their information security program.
Information risk management (IRM)
Organizations also need to become as flexible as the attackers. This means taking a broader view of
security and focusing on information risk management (IRM). IRM includes all aspects of information
protection and usage. As a starting point, organizations should include security, privacy, paper records and
electronic records in their IRM program.
Once the scope of IRM has been defined, organizations should identify what information needs to be
protected and anticipate how different types of information will evolve over time. Their ability to
inventory, track, monitor and access these information sources must evolve at the same time. In short, IRM
systems and processes should be structured with change being the norm.
Clearly, threats to information security are constantly becoming more advanced and costly, but business
can keep up. By fostering a culture of information risk management that incorporates privacy and security,
they can make sure their ability to block threats evolves faster than the threats themselves.
Greg Murray is the Security & Privacy Leader for the GTA at
PricewaterhouseCoopers.