Mistakes Companies Make in Computer Crime Prevention
Re-published with permission from White-Collar Crime Fighter, www.wccfighter.com.
I've been working with large companies on information security and internal computer crime for more than five years and have been in law enforcement for more than 15 years as a detective investigator as well as a detective commander.
To this day I am amazed that top managers of Fortune 1,000 companies are still in the same boat when it comes to computer crime: No one thinks their employees would ever abuse their company's computers to steal, sabotage or spy.
This management attitude is especially mind-boggling since the vast majority of costly computer crimes are committed by their own employees!
If you walk out of your house with $50 in your wallet and a couple of credit cards, you feel pretty secure just tucking the wallet in your jacket pocket or purse. You don't need a bodyguard to protect you and your money.
However, if you walk around with $2 million in your briefcase, you would naturally worry about being targeted by organized criminals or other would-be thieves. You probably would hire a couple of muscular fellows in black leather jackets to make sure you get safely from Point A to Point B.
Somehow, when it comes to computer crime, this common logic gets neutralized among top managers. Most think it's enough to spend a few thousand dollars on firewalls, anti-virus (AV) software and intrusion detection software (IDS). Their IT managers tell them the best products to buy and assure them that they can install everything perfectly...and the bosses walk away thinking the company's vital electronic assets are safe and sound.
Wrong! That's the same as walking around town with $2 million in your briefcase with no leather-bedecked tough guys to prevent someone from coming up and snatching your precious cargo.
The situation is so bad that I know several companies that spend more on fresh squeezed orange juice in a year than on protecting the information and financial assets critical to their viability.
Here's a scenario that, while hypothetical, could very easily be real...
A large American company is the market leader in a certain type of industrial adhesive. The company invested several million dollars researching and developing the chemical formula for the product and is now reaping solid returns by selling it for $5 per gallon.
One day a scientist at the firm gets fired. He is furious. Before packing his belongings and leaving, he uses his authorized access to the company's computer system to download the secret formula for the adhesive to a CD. He pops the CD out of his machine, packs his things and is escorted out of the building.
Six months later, a Chinese company introduces a perfect clone of the adhesive. The only apparent difference is the brand. But the real problem is that the price for the product is only $1.95 a gallon.
Reason: The American company's disgruntled ex-employee decrypted the files for the secret formula, made a copy of the CD and sold it for a tidy sum to the Chinese company which then used a factory with laborers getting paid $1 per day to manufacture it.
Result: The American company loses 75% of its market share within a year.
Note: This crime—commonly referred to as intellectual property theft--could just as easily have been committed by an employee without access to the protected formula—by stealing (or guessing) the password of an employee who did have access and copying the files from that machine.
From my recent experience, it's clear that the most common computer crime threats fall into the following categories...
Intellectual property theft (as in the example above).
Closely related: Economic espionage—where a competitor (or disenfranchised insider) hacks the organization's system to examine—and often to steal—confidential data.
System sabotage—by external malicious hackers...or by employees or ex-employees with the technical ability to shut down part or all of your organization's systems.
Embezzlement—where an accountant or auditor electronically diverts company funds to his or her own account, disguising or obscuring the transactions within the normal day-to-day financial operations of the business.
Fortunately, there are products on the market that could have prevented the adhesives disaster from occurring. I use SilentRunner in my work to screen for potential crimes like this.
How it works: It detects and records every log-in to the organization's computer system—both from outside the firewall and from internal users. This includes recording the entire contents of every session. It flags any entries that look unusual and alerts the operator to possible unauthorized entries.
The organization's security professionals can then quickly find out where a suspicious log-in came from, when it occurred, what information was viewed and whether the entry was authorized.
Powerful advantage: In addition to the monitoring and recording function, just knowing that management is using a monitoring application and recording every transaction within the network is enough to deter many would-be internal computer criminals.
Cost: Usually well under $100,000... and often less than the annual cost of fresh-squeezed orange juice!
In addition to investing in the necessary computer security technologies, there are several vital operational security measures to take...
Conduct thorough awareness training. All employees must be made aware of how incredibly easy it is for the company to be ripped off, disabled or even destroyed by internal (and external) computer criminals. They should know how sniffers, keylogging software, wireless vulnerabilities, etc. all put the company in jeopardy unless someone is there to stop the attacks.
Important: You may need to bring in an independent security consultant to demonstrate to senior managers how costly a computer crime can be and to prove why a modest investment in security equipment and training is a small price to pay for a good night's sleep.
Isolate sensitive departments. Technologists refer to this as creating an "air gap."
Example: The company's R&D department should be completely shut off, electronically, from the rest of the company and from the rest of the world. Allow no servers or networks in the department to be connected in any way to other company servers...or to the Internet. In fact, retrofit the machines in these departments so that they have no CD drives and no floppy disk drives.
I also urge companies to prohibit use of Windows XP on machines used for sensitive work because you can plug an MP3 player, a portable hard drive or even a digital camera into the machine and it will allow you to copy files to these devices.
Continuously patch all systems. Organizations that are serious about protecting their assets know that financing this function is money well spent.
Develop and stringently enforce computer usage policies. The organization needs crystal clear guidelines of what employees can and cannot do with the company's computers.
Essential: Have an expert go through every line of the policy with all employees to ensure that the entire policy is fully understood. Require employees to sign a statement that they have undergone this training and accept responsibility for adhering to the policy.
Good computer security boils down to four simple principals: Deter... Defend...Detect...Document. You can take care of all except "defend" with an application like SilentRunner. To defend your organization against computer crime, your AV, IDS and firewalls—together with employee training and enforcement of strong policies—will provide you with a good measure of protection.