Anticipating Threats Massachusetts

By Lauren Barack

CIOs can no longer rely solely on security updates and patch management companies to keep their businesses safe from hackers and criminals. Recent attacks to computer networks have shown how dangerous today's security threats can be. When MyDoom brought down the servers of software company SCO earlier this year, the damage was so extensive and expensive that the firm offered a $250,000 reward to anyone who could catch the virus creator. The SQL Slammer worm that hit hard in January caused airplanes to be grounded and ATM machines to malfunction, all of which added up to a reported $1 billion price tag. Even Internet businesses -- companies that should be in the know, such as eBay and America Online -- have fallen prey to hacks and malware (short for "malicious software").

The onslaught of threats continues, and groups that track attacks made across the Internet are finding these dangers on the rise. Recently, the SANS Institute's Internet Storm Center, which monitors the activity and traffic on the Internet, noted that unprotected servers were getting hacked approximately every 13 minutes. In fact, about 80 percent of the activity on the Internet is taken up every day by viruses, worms, spyware and other forms of malware, according to Peter Cochrane, a co-founder of technology consultancy firm ConceptLabs.  Experts believe so-called "zero-day" threats -- a virus or worm that hits the Internet within minutes of the announcement of a known software weakness -- are a very likely danger.

CIOs who rely on a reactive approach are potentially endangering their company's data. This wait-and-see mind-set gives attackers the edge. In some cases, companies literally pay the price, as they become victims of hacker extortion. For example, a hacker will attack a company with a DDoS (distributed denial-of-service attack), and then threaten to do it again if not paid. At least six to seven thousand companies are paying online extortion demands, according to Alan Paller, director of research of the SANS Institute. "[The hackers'] motivation is money and extortion," agrees Lance Spitzner, a founding member of The Honeynet Project, a five-year-old non-profit hacker research group. "The easiest way for them to make money is to threaten to attack again, rather than actually launch the attack."

The Right Support: Proactive rather than Reactive

Companies need to review their approaches to protecting their networks. A secure system will implement every software patch and utilize every notification it receives. But a company must think like a hacker -- and start using proactive tools to anticipate the source of an attack, and how it might enter a firm's network. A proactive CIO will:

• Share secrets with competitors so that everyone in a similar industry is following best practices. If one firm is compromised by a computer attack, a competitor will often find its customers demanding potentially costly assurances of their security. By sharing information with competitors on how each keeps its own system secure before an attack happens, firms can save time and money.
  
  
• Hire firms that specialize in breaking into their IT infrastructure to find vulnerabilities before hackers do. This should be done at least annually, to locate and then neutralize any insecure portal.
  
  
• Demand a direct pipeline to software vendors. Instead of relying on notification messages, major clients of software vendors are eligible for early versions of patches. Hackers understand that an open-patch release dispatched by a software company is an alert to where the vulnerabilities lie in an existing system. Less public communication between CIOs and software vendors will help eliminate this exposure.
  
  
• Train employees to be cautious when callers request information such as their password or user name. "If you did not initiate the conversation, then do not give out your information," says The Honeynet Project's Spitzner. A telephone on an employee's desk is as much of a danger to an IT Infrastructure as a hacker discovering a software flaw. If a hacker can get an employee's name and password, they can have open access to a computer mainframe.

With new ways of thinking, CIOs can start implementing proactive tools to not just react to threats, but anticipate their arrival. A holistic approach -- one that involves not just an IT department and employees, but industry colleagues as well -- is the strongest firewall.

Lauren Barack's work has been published in Business 2.0 and Wired.