Is someone looking over your shoulder?
Jeffrey N. Bairstow
Grou¥Editorial Director
During the past ten years or so, we have all become used to the pervasiveness of computer networks and deskto¥workstations within our own organizations and in other institutions such as banks and hospitals. We, for the most part, have accepted the necessity for such networks in order to deal with the complexity of our lives. And we usually accept the need for others to have authorized access to the messages and data we provide. But, there are increasing problems with computer crime that should give us all cause for concern.
I was staggered to learn recently just how widespread the unauthorized use of computer systems has become. In a survey jointly conducted by the FBI and the Computer Security Institute (CSI; San Francisco, CA), 42% of the 428 organizations that responded said that they had experienced unauthorized use of computer systems within the last 12 months. And, noted Richard G. Power, the editor of the CSI/FBI report, in testimony to a subcommittee of the US Senate Committee on Governmental Affairs, "We`re not talking about users playing solitaire on company time--respondents reported a diverse array of attacks from brute-force password guessing (13.9% of attacks) and scanning (15% of attacks) to denial of service (16.2% of attacks) and data alteration (15.5% of attacks).
In the report, "1996 CSI/FBI Computer Crime and Security Survey," respondents reported that their networks were being probed with increasing frequency from several access points. More than 50% reported incidents on their internal networks and almost 40% reported frequent incidents through both remote dial-in and Internet connections. These results tear at the "conventional wisdom" that 80% of the information security problem is due to insiders such as disgruntled or dishonest employees. According to the General Accounting Office, the US Department of Defense may have suffered as many as 250,000 attacks on its computer systems last year and the number of such attacks may be doubling each year.
Many organizations are completely unprepared, notes the report. For example:
n More than 50% of the respondents did not have a written policy on how to deal with network intrusions.
n More than 60% of the respondents did not have a policy for preserving evidence for criminal or civil proceedings.
n More than 70% of the respondents did not have a "Warning" banner stating that computing activities may be monitored.
n More than 20% of the respondents did not even know if they had been attacked. In fact, less than 17% of the respondents who experienced intrusions indicated that they reported them to a law-enforcement agency, and more than 70% cited fear of negative publicity as the primary reason for not reporting incidents.
Fighting back
What needs to be done? Although there are many excellent computer security products, ranging from hardware such as firewalls to software such as encryption algorithms, all organizations need to develo¥a comprehensive security plan and to actively foster security awareness among their users. I don`t have room to go into details here but a good place to start is with the series of managers` guides available from CSI (details at http://www.gocsi.com). The guides list actions your company can take to counter potential threats. But also the makers of operating systems, applications, and hardware must begin to pay more than li¥service to information security. With the deskto¥computer, the emphasis has been on ease of use, speed, and connectivity. Until the underlying information systems architectures address security issues, serious vulnerabilities of personal computers and networks will continue to be exploited.
How aware are you that someone may be electronically looking over your shoulder? How many passwords do you routinely use and when was the last time you changed even one of them? Can someone walk into your office after hours and read (or destroy) all the files on your computer? Who has access to the back-u¥files made daily by your system administrator? I could go on but I`m sure you get the point. Security is not just a problem for government agencies and Fortune 500 companies. It should be your concern, too.