VSJ – March 2006 – Work in Progress

Ian JA Walker, FIAP picks up from his first article in December’s Work in Progress to look at a few of the issues involved in responding to e-Crime.

Although we could build hardware and software systems that are all but impenetrable, doing so may well produce systems that are impractical to use. Consequently we must strike a balance between the desire for ultra-secure systems and their functionality and practicability in business.

Much of what we need to do, not just as an industry but globally as computer users, is to eradicate the bad practices that give criminals an easy route to exploiting others. For example:

  • sharing logon IDs and passwords
  • leaving terminals logged in over lunch or break periods
  • keeping notes of passwords, user IDs and PINs (for everything from our credit and debit cards to our computer terminals) in our wallets or diaries
  • failing to shred those annoying advertising letters for everything from life insurance to magazine subscriptions, which carry enough personal detail to support identity fraud.

All these things can lead to criminals having an easy life at your expense. One of the newest scams uses Bluetooth scanners: criminals can detect a laptop left in a parked car because its Bluetooth radio announces itself whenever it is switched on and discoverable, even if you are not actually using a Bluetooth connection. Switching the radio off when it is not needed removes that signal.

Many businesses are reluctant to report e-Crime to the National High Tech Crime Unit because they fear losing ‘street cred’ when it is all reported in the press. However, the vast majority of cases dealt with by the NHTCU never get into the newspapers, as most are dealt with confidentially. Some never even reach NCIS, the National Criminal Intelligence Service.

As an industry, we, as providers of hardware, systems and services, have a strong role to play. This is not just about designing new security tools or ensuring that security features are built into the software products we produce. It is also about ensuring that our clients and the users of our services are made aware of, and educated about, the risks of failing to maintain an adequate IT security policy for their businesses, or of failing to have adequate firewall, anti-virus and anti-spyware measures in place.

For as little as £30 a year, a single PC can be protected, and the cost per system falls further under volume licensing (based upon the current cost of Zonelabs ZoneAlarm Internet Security Suite). So for well under ten pence a day, both businesses and home-based computer users can substantially reduce the risks that e-Crime presents to everyone by closing the holes that criminals abuse.

Over a working lifetime, the cost of a product like ZoneAlarm comes to about £1,200-£1,500 per computer. Yet a single incident of computer crime against your business might cost it tens of thousands of pounds (on average e-Crime costs a business between £10,000 and £40,000 per incident, and that excludes the cost of disaster recovery).

We must continually invest in the research and development of new tools and practices for our clients and enable them to adopt them at a cost-effective price. We must reduce, globally, the time it takes to produce patches for security vulnerabilities in operating systems and application software. If criminals can exploit a specific vulnerability within six days, why can it take 54 days to produce a patch for it? We ought to be able to expect the software houses producing operating systems and applications to ensure that, from the outset, their products are designed to a set of secure standards. We would then be happier to purchase separate firewall, anti-virus and anti-spyware provision as part of what I believe we must all learn to accept globally: individual responsibility.

We must start almost from the cradle with tomorrow’s generations of young people who will enter the workplace, shaping their attitudes towards the need for information and systems security. Domestic and small business users of computers should be encouraged to protect their computers with a hardware firewall as well as a personal software firewall, anti-virus and anti-spyware.

More must be done to counteract the flow of spam email. Many spam messages carry more than the ‘too good to be true’ deal or the offer to extend, expand or enhance things we either do not have as part of our anatomy or would actually prefer not to extend, expand or enhance: they also carry malicious attachments and links to fraudulent websites.

It is the freedom that spam enjoys to clog up bandwidth (it accounts for about 34% of the total at the moment) that also enables criminals to engage in other forms of activity, such as Denial of Service attacks on mail servers.

ISPs globally should be moving away from dynamic IP allocation (i.e. assigning a new Internet address every time you log on) towards static addressing for every terminal. A static address makes a terminal explicitly traceable and reduces the scope for hijacking or borrowing someone else’s address. It is no substitute for authentication and encryption, however: a static address can still be spoofed, and on its own it does nothing to protect the traffic between the terminal and the Internet at large.

The current core infrastructure of the Internet, the UNIX-based systems at its heart, has been with us now for nearly forty years. Perhaps we are moving towards the point where this grand old technology needs to move into retirement and be replaced with more modern systems and tools designed for greater stability and greater resilience against e-Crime and other odious practices.

Governments also share a duty of responsibility, of course, in shaping new legislation to deal with the threats faced by business and individual users of computer systems and data communications. But we cannot alter the attitudes of users with new laws alone, and our thirst for processing more information more quickly will not be satisfied by current hardware technologies. For now, though, businesses can protect themselves. The Internet is a relatively safe environment for businesses to use to their advantage, and for home users to use for leisure and other activities, as long as certain precautions are taken.

However, e-Crime is not just an issue allied to the Internet and data communications. It exists in other forms. Disgruntled members of staff may steal client databases, often causing double-edged damage to their employer’s business by corrupting or destroying the database as they leave. Or they may leave back doors into the employer’s database, to be exploited a second time round using remote access. Such actions are already offences under the Computer Misuse Act 1990 (unauthorised access under Section 1, unauthorised access with intent to commit further offences under Section 2, and unauthorised modification under Section 3), and as such are criminal offences punishable in a court of law with imprisonment. In order to secure a conviction, however, it is vital that companies not only have robust IT security and staff disciplinary procedures but also keep them up to date in the face of the evolving range of risks in the world at large. In practice that means revoking a leaver’s accounts and remote access on the day they go, and keeping the access logs that will show who touched the database and when.

At the end of the day, however, we must move businesses away from their ‘Cheap as Chipz’ culture in acquiring computer systems. Whilst we do not want our clients to pay more for their computing, the fact is that the perception that buying the cheapest available computer saves money is a good distance from the reality.

You can contact Ian at iwalker@sdandits.com

[Interesting project or development? Let us know at eo@iap.org.uk!]