The Hidden Statistics

Sadly, no one knows what the crime rate really is. The best estimates and guesses are based on incomplete data. Every report tells us that the dollar value lost from crimes committed through network and system hacking is horrendous. So, do networks and systems really present such incredible threats to business, or is it simply an overreaction? If there is one thing years of consulting have taught me, it's that people do not believe in crime when they cannot see it. Statistical reports have little effect on most executives when they don't see their partners and competitors having security issues. And what is so hard to see? Why do we hear so many statistics about how horrible the electronic crime rate is, and yet hear so few stories from our partners and competitors? Let's walk through an example:

Exploring the "Shhhhh" Statistic

Let's say we are roused at 2:00 a.m. (yes, it always happens at 2:00 a.m.) by a call from the night-shift support desk saying that the main accounting system has been running slowly and sporadically for the past hour. We arrive and conduct an investigation, only to find that someone from a country whose name we can't even pronounce has managed to find his or her way into the system and is currently downloading all customer financial information.

Quickly, we disconnect the system and put up the good, old "Under Construction" page while we phone the CEO and thumb through our Incident Response Plan for the local FBI office. After a brief and interesting discussion with the CEO, our policy book is slowly closed and returned to its dusty shelf, and we find ourselves spending the night alone with the system, performing our own investigation and pretending like nothing happened. In the morning, we get reminded of that wonderful confidentiality paper we signed as a requirement for our employment and are politely asked to not mention this incident to anyone ever again.

More often than not, when a client brings me in for an investigation, the story never leaves the room. Oh, the fascinating stories that will never be told of highly respected organizations experiencing multiple breaches in a day and exposing extremely sensitive data, sometimes openly, to the public! But, the "Shhhhh" mechanism is very powerful, and indeed very necessary. Can we really blame the executive who could easily face his or her own termination or the loss of his/her company if such information made the press?

The world is in a competitive race to become cyber-enabled and to build the most effective e-commerce presence. No organization can afford to have its customers, partners, or investors second-guess the safety of its services and data. Just as we would not expect a customer to buy a new Porsche in a dark alley in the middle of the Bronx, we would certainly not expect a customer to leave a credit card, financial, or medical information with an organization that just announced its third security breach of the year.

In general, the only cyber crimes that get reported are those that have an externally noticeable effect, such as the defacing of a public Web page, the spreading of a worm, or those with such minor impacts that knowledge of the breach would be of little interest. Most often, an organization will only report a breach if:

  1. It is an obvious breach that has been seen by the public and covering it up or denying it would cause more bad press than the breach itself.

  2. It is to the organization's advantage to announce the breach; for instance, as an excuse for not meeting a deadline, or to distract the media from other events.

  3. There is a direct legal obligation to inform customers of the breach. (Even in this situation, many breaches are not reported.)

These three factors apply only to a very small percentage of the security breaches that occur around the world. In light of "good business practices," the millions of security incidents, including break-ins, theft, and data manipulation, that occur daily go unreported and will continue to go unreported for the foreseeable future. Thus, there is one very important point to remember: everything WE would keep secret in our own organization, everyone else would keep secret in THEIR organizations. It does not mean there is no problem; it simply means that we aren't talking about it and it is harder to assess.

Recognizing the "Uh?" Statistic

There is another very important statistic that greatly weakens our security knowledge. I like to call this the "Uh?" statistic. So now it is 3:00 a.m., and our ever-so-vigilant night-shift administrator calls to let us know the system is acting funny again and things are really slow. He wants to reboot the system. He does so and everything returns to normal. When it happens again over the next few nights, the vendor is called and some patches are applied. After a few more incidents, everyone is at a loss, and the system is finally rebuilt from scratch with a new operating system, new patches, and a new copy of the application.

The incidents presented above probably cost the company a few thousand dollars, eight hours of work, and a few hundred upset customers. But it is nice when everything is working again. We just wish we knew what the issue was, if nothing else, to be assured that it will not happen again.

What we never discovered here was that an old login was compromised on this system and seven of its eight processors were being used as a game server for some college student and his/her friends (no laughing matter, this happens all too often). Now, having rebuilt the server, we have no idea it was due to anything but a system failure.

The fact is that intrusions are often difficult to detect. Sadly, many break-ins never get reported because companies never realize they were even compromised before all evidence is destroyed. Many technical issues are not actual issues with the systems themselves, but rather with the teenager who has used publicly available tools to hide his/her presence in a server. It is quite common to inadvertently destroy all evidence of a breach before anyone even has a chance to discover that an attack happened, thus further obscuring the world's perception of the scope of information security problems.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
EAN: 2147483647
Year: 2006
Pages: 119
Authors: Kevin Day
