from ENN
Global industry entered 2007 with a new understanding of IT security. From SMEs to multinationals there was an acknowledgement that security was becoming more important, yet few seemed to put this knowledge into action.
There were plenty of reasons for businesses to be aware of the threats: the previous year had seen several highly publicised scandals surrounding data theft, but most firms seemed to have become desensitised to the hysteria.
"There was a lot of publicity and reporting of scandals but many people had the attitude that 'it couldn't happen to me'; people have this arrogance and belief that they aren't at risk," said Conor Flynn, technical director with IT security firm RITS.
Flynn said 2007 was highlighted by a series of high-profile data loss incidents that showed firms have failed to learn from the past mistakes of others.
In August, recruitment website Monster.com was a victim of spear phishing, a variant on one of the more popular modes of cyber-crime. "Traditional phishing involves blasting an e-mail out to millions of people, spear phishing is far more targeted and far more likely to be successful," said Flynn.
The hackers who attacked Monster were able to steal specific information about Monster's customers because of glaring lapses in security. A virus that recorded what was typed on a staff computer allowed the hackers to capture the password for the system and wreak havoc with the data.
"They scraped out all 1.6 million applications that were on the system. They then sent fake job offers to clients in order to get their bank details; in some cases they requested a payment," said Flynn.
It's estimated that up to 100,000 people suffered financial loss due to Monster's blunder. This could all have been avoided with a bit of common sense on the part of the recruitment site, according to Flynn.
"A little bit of application intelligence software in their systems would have spotted that a user was looking up IDs faster than people can type and that would have raised the alarm," said Flynn.
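The check Flynn describes is a rate anomaly: a single account fetching records faster than a person can type, or walking through IDs in order. The following is an added example, not code from the article or from RITS, showing how such a detector can be run over application access logs. It assumes a hypothetical log format (`timestamp user=... action=view_applicant id=...`) and uses constructed sample lines; the thresholds are illustrative and would be tuned to the real application's traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example; adapt the pattern to the real system.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=view_applicant id=(?P<id>\d+)$"
)


def _constructed_log():
    """Build constructed sample log lines (not real data) with three users:
    alice at a human pace, mallory scripting sequential IDs once per second,
    carol reading sequential IDs slowly (flags the enumeration check only)."""
    lines = [
        "2007-08-17T09:00:00 user=alice action=view_applicant id=1001",
        "2007-08-17T09:00:41 user=alice action=view_applicant id=1007",
        "2007-08-17T09:01:35 user=alice action=view_applicant id=1012",
    ]
    base = datetime(2007, 8, 17, 9, 2, 0)
    for i in range(30):  # mallory: 30 consecutive IDs in 30 seconds
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} user=mallory action=view_applicant id={2000 + i}")
    for i in range(12):  # carol: 12 consecutive IDs, one every 30 seconds
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} user=carol action=view_applicant id={3000 + i}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse(log_text):
    """Parse log lines into (timestamp, user, record_id) tuples, sorted by time.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], int(m["id"])))
    events.sort()
    return events


def find_scrapers(events, window=timedelta(seconds=60), max_lookups=20, min_sequential=10):
    """Return {user: [reasons]} for users whose lookup pattern looks automated.
    Two independent heuristics: peak lookups inside any sliding window, and the
    longest run of record IDs fetched in strictly increasing order by one."""
    by_user = defaultdict(list)
    for ts, user, rid in events:
        by_user[user].append((ts, rid))

    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        # Sliding window: advance 'start' until the window fits, track the peak count.
        peak, start = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        # Longest run of consecutive IDs (id, id+1, id+2, ...), a sign of enumeration.
        longest = run = 1
        for i in range(1, len(rows)):
            run = run + 1 if rows[i][1] == rows[i - 1][1] + 1 else 1
            longest = max(longest, run)
        reasons = []
        if peak > max_lookups:
            reasons.append(f"{peak} lookups in {window.seconds}s")
        if longest >= min_sequential:
            reasons.append(f"{longest} consecutive ids")
        if reasons:
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    for user, reasons in find_scrapers(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {', '.join(reasons)}")
```

Running it flags mallory on both heuristics and carol on the enumeration check alone, while alice's three lookups raise nothing. In a real deployment the alert would feed a rate limit or a step-up authentication prompt rather than only a log line, so that a captured password on its own is not enough to pull the whole database.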
While incidents such as Monster showed how lapses in security infrastructure still need to be mended, 2007 marked the year where people became the most important link in the security chain. Most firms have enough firewalls, most have enough virus filters, but most don't do enough to ensure the foot soldiers in the IT security battle are used properly.
This was most glaring across the water in the UK when HM Revenue and Customs (HMRC) managed to lose data for 25 million people. From start to finish this was an example of how not to secure data, and it all resulted from one weak link. The UK National Audit Office wanted a sample of information for 100 people in HMRC's database. Then a junior programmer entered the fray.
"The programmer subverted all the controls that were in place and extracted the full database for 25 million people who receive child benefit in the UK and sent them off in the post," explained Flynn.
What's more, the programmer didn't even send it by registered mail. Perhaps they figured that because stealing post in Britain is technically considered stealing from the Queen, and therefore capable of being considered treason, the disks would be safe. Whatever their rationale, the disks failed to arrive at their intended destination.
"HMRC was contacted so they sent them again, and once again they didn't get there. They subsequently sent them a third time, this time by registered mail," said Flynn.
The first and third sets of disks arrived at around the same time, but the middle set is still missing in action. That middle set holds details for 24,999,900 more people than were requested in the first place, and whoever is in possession of the disks can potentially access a wide range of personal data on those people, including credit card and bank details.
Flynn said that Irish businesses were equally negligent in their approach to security as their international brethren. "In 2006 there were 15,000 victims of data loss [here]. Based on what we have seen so far this year we expect that figure to more than double in 2007," he said. "We are being desensitised; it's almost as though we have to resort to shock tactics."
With new threats looming in 2008, shock tactics may be the only way to give industry a much-needed wake-up call.
In its predictions for the year ahead IT security expert Websense said it expects more cross-platform attacks with multifunctional devices such as the iPhone being targeted by hackers. Events such as the Olympics are also expected to be used in large-scale social engineering manipulation by hackers.
There is hope though, as Websense predicts governments and industry will look to fight back and shore up their defences.
If the tide is to be turned, firms need to take a look at their front lines. Businesses can implement all the firewalls they want, but a USB key in the hands of an uninformed staff member is all it takes to turn a fortress into a house of cards.