With the stakes so high, those problem-prevention numbers are a little surprising. How is it that the bad guys can be so easily deterred?
Criminals are far from the brilliant people the media tends to make them out to be. They are more likely to be opportunists who really don't have much of a technological understanding in general. They can be one-trick wonders: Find a tool on the Internet and run the tool against thousands of different computers, and statistically, they'll find any number of computers that are vulnerable to a completely preventable problem.
But they can be clever. When I have investigated crimes involving organized crime, I've been somewhat surprised by how much time these highly skilled criminals spent on "hacker" Web sites and ICQ.com [chat rooms]. They portrayed themselves as teen hackers, frequently girls, and sat there trying to play on the egos and insecurities of clueless teenagers to get them to divulge information on the systems they had broken into.
That's why detection of events is more important in some ways than prevention of the event. At least that way you know what you have to deal with, the nature of the threat. If you stop an attack but don't know about it, the attackers will likely keep coming at you until they find a real vulnerability.
When I do a penetration test, I tend to follow the methodologies that a real attacker would. I'm not talking about an imbecile computer hacker.
I'm talking about a real attacker who means to cause you harm or steal something of value. They figure out where the valuable data is and then they target it. When we go in and do those tests, we generally don't try to find only one unique way in. We look for the ways that others might get in to see evidence of their activity. Upwards of 50 percent of the time, I find real evidence of criminal activity.
When I'm investigating criminal activity that we know has occurred, we find about a dozen other cases in that same place that people didn't previously know about.
Your concern about information security goes beyond data theft to include viruses, malicious hackers and even extortionists, and your book's subtitle mentions spies and terrorists among the everyday threats out there. Are companies focused on the right dangers to information security?
The reality is that viruses are still killing us on a regular basis. And again, people just don't go ahead and use the features to automatically update their virus signatures. They have access-control types of things, personal firewalls and antivirus tools that sit there but don't get updated properly, and that's if they are turned on.
I actually have run across extortionists and it is a growing problem. An extortionist will send out a denial-of-service attack, then contact the company to say if they don't pay, then they will experience more massive attacks at critical times. Other attacks involve the perpetrator hacking into a victim system, stealing data or gaining root access.
They then threaten to expose the stolen data, like customer credit cards, ruining the reputation of the company. If they have root access, they may threaten to destroy the system.
The problem is especially critical for small businesses that deal with online transactions, because larger companies are harder to take down and losses by small companies are harder to absorb.
But it's not all dramatic stuff. I believe in death by a thousand cuts. Everyone is concerned with cyberterrorism, but small things are killing us. Even ChoicePoint was not a spectacularly big thing; it was a little thing that added up and became a public embarrassment because it happened at the wrong time politically. And even there, technology might have more quickly detected that event by scanning to determine how data was being used.
I'd like to see ISPs be held responsible for detecting bot activity and cutting it off the network until the computers involved get fixed. That would protect their interests and those of the user, too.
If you see a personal computer flooding the network, you knock it off the network until it is no longer a problem. It's like someone coming into your home and shooting people with your gun out your window; you should just lock your front door.
I would also love to see my antivirus software go one step further, so that it somehow knows that spyware is coming in from one site on the Internet.
My system would then automatically report it to a central authority that knocks it offline. We should be able to do that now; it's more a matter of political will than technology. The lack of willingness to do so may enable homeland security attacks and other crimes to occur by leaving the network vulnerable.
Obviously the simple fixes you prescribe are more than a technology issue. The technology seems to be the easy part; it's the management that has to change.