How Secure Is Your Network?
November 27, 2000
By Greg Shipley

The cold glow of the monitor pierced the darkness of the office. He sat alone in his cube, a single soul in a wasteland of artificial walls. The drives on his PC hummed ominously; the files he had been copying were almost onto the external FTP site ... just a few more minutes to go. For a fleeting moment, he contemplated the probability of his activity being discovered: slim to none. He had the routine down to a science: Head out for a late dinner, wait until most of the employees go home and then pillage the servers for the targeted information. Upon finding it, simply copy the data to a publicly accessible FTP site and inform his alternative "employer" of its status. After retrieval, the data is just wiped from the site, and he resumes his business as a lowly contractor. He had only two months remaining on this contract and, with the money he was getting for illegally exporting the company's data, he wouldn't have to work again for quite some time.
Over the past year, we've been keeping a close eye on what has been hitting the news, and what hasn't, in the area of computer crime. Whether you obtain your security statistics from Web defacement mirrors, such as attrition.org, or the FBI/CSI report, one thing is irrefutable: The problem is getting worse. This being the case, the questions we set out to answer are: a) What is causing this trend and b) What can be done about it? We found that the solutions aren't wrapped in any bleeding-edge security products, unbreakable crypto-algorithms or fleets of uber hackers. Unfortunately, the remedies are a bit more complex: They involve changing some of the ways businesses operate.
The only thing consistent about the term computer crime is the staggering number of concepts associated with it. Ask a law enforcement agent what the term means, and he or she will most likely recite cases of electronic fraud, credit abuse or industrial espionage. Ask a security-product vendor about how to stop it, and you'll often get a long diatribe about strong encryption or security framework "solutions." Ask enough executives about their approach to dealing with it, and you will inevitably receive some discourse about managed risk, the cost of IT and their organizations not being a target. So when people use the term computer crime, what exactly are they talking about? Web defacements? DoS (denial of service) attacks? Compromised systems? Fraud? Theft? Industrial espionage? It appears that even the phrase computer crime has its fair share of problems.

The truth of the matter is that all those examples, or none of them, may be involved when it comes to computer crime. Computer crime can be initiated using everything from the elegant insertion of some mischievous code to the down-and-dirty instance of copying data onto a floppy and walking out the door. Cutting-edge techniques and technology may or may not have anything to do with it. For the sake of clarity, however, we will be categorizing all our examples here as computer crimes. These crimes generally fall into four areas: fraud, data theft, data manipulation and destruction.

Undeniably, when it comes to raw firepower and anonymity, the wholesale adoption of the Internet has helped the bad guys on the hacking front. Attackers continue to use compromised hosts as launching points for more stealthy escapades, and the Borg-like features that have manifested themselves in next-generation distributed DoS tools are bringing information warfare to a whole new level.
It's no surprise that the FBI/CSI (Computer Security Institute) report on computer-crime trends indicates that organizations this year had 70 percent of all attacks originating from the Internet. What might come as a surprise, however, is the breakdown of dollar losses. Despite the advances in exploitation trends that the Internet has provided, according to last year's FBI/CSI computer-crime report, more than 75 percent of all dollar losses came from internal intrusions. That's quite an interesting statistic. The number of security incidents originating from external attacks is definitely on the rise, but the internal attacks are the real financial killers. So what's at the root of this trend? Hardened perimeters with mushy innards. It's usually much easier to infiltrate a company from the inside because most organizations place a huge emphasis on defending the perimeter but do little to detect, much less protect against, hostile internal activity. This is a mistake. While external attacks such as DoS escapades, Web site defacements and data-mining efforts can be humiliating, they're rarely financially devastating--except to dot-coms, which can be leveled by DoS-related incidents.
In 1997, the home of David Hawkins was raided, and the source code to Cisco Systems' PIX firewall was discovered on two of his machines. Hawkins, a former employee of TNI (Translation Networks Inc.), which built the original PIX and was later acquired by Cisco, was using the code as a base to launch his own firewall product. Charges were later filed against Hawkins, and in May a jury in Santa Clara, Calif.'s Superior Court convicted him.

In 1998, a network administrator for Omega Engineering was accused of activating a digital time bomb that destroyed the company's most critical manufacturing software programs. The company claimed more than $10 million in damages and lost productivity. The jury found the administrator guilty, though the case is still open because of complications surrounding a juror. (Since the case is still pending, we've chosen not to use the defendant's name.)

Earlier this year, an ex-employee of Intel Corp. pleaded guilty to charges of disrupting chip manufacturing: After Paul Barton was fired and his computer account was disabled, he dialed in remotely and deleted some files from one of the systems that controlled automated manufacturing.

These are a couple of the well-publicized cases. Digging into some of the less-publicized ones, we see similar trends but without the convictions. Extortion attempts based on stolen information and credit cards. Pieces of code being used to jump-start competing start-ups. Health-care and patient data being copied or monitored. Executives' laptops being stolen and resold to their owners at exorbitant prices. Trojan code appearing in Y2K fixes. So while the number of cases has increased and the methods of exploitation have diversified, one thing has been consistent: how the attackers have been discovered and caught. Cisco cracked its case--without using any earth-shattering technology--when Hawkins' thinly masked endeavor was demonstrated at a trade show.
In the case of the aforementioned smuggled engineering diagrams, a system administrator discovered the documents on a server and was savvy enough to start an internal investigation. Another incident involving internally stolen credit-card data was flagged by the organization's legacy expert system when the cards started being used. So while a data-forensics specialist might be summoned for a particular kind of evidence gathering, or an intrusion-detection system might be deployed to look for a specific type of traffic, for the most part "high-tech" criminals are being caught via old-fashioned, low-tech means. People monitor logs, initiate accounting mechanisms and examine audit trails. What can IT specialists learn from these trends? They can infer a number of things, all of which are in reach but have continually proven elusive.


Roots of the Problem
Furthermore, generic attacks, such as simple host compromises, require limited skill sets. More complex, and often more devastating, feats frequently require niche skills or a unique position held by the attacker. Pulling off such complex attacks remotely is not impossible but is definitely less likely to happen. The skills barrier makes it far easier, and less expensive, to go in as a contractor or employee, get close to the targeted information and gut a company internally. And this is precisely what is happening today. Let's look at more examples of attackers on the inside: