So there you are, in your office, connected to the world by an Ethernet cable or a wireless connection. Your local network and all the Internet has to offer is right there, just for you. Somewhere on that network there is something called a firewall and a VPN, anti-virus and spyware programs, and perhaps even an intrusion detection/prevention system (IDS/IPS). Security? "Hey, I'm fine. Who's going to get through all this stuff?" you regularly tell yourself. "I mean, really, who's even going to know I'm here? Hackers usually go after the 'big guys,' all those name-brand companies, right?"

But for a financial advisor holding the purse strings to many sensitive pieces of client information, including addresses and Social Security numbers, banking and trust accounts, securities and other types of investments, the integrity of that information is crucial. The size of the firm doesn't matter. These days, any business can be compromised by hacking programs scouring the Internet for weak systems, and that system could be yours or your clients'.


Cyber-reality
The 2006 Internet crime report (www.ic3.gov/media/annualreport/2006_IC3Report.pdf) prepared by the FBI and the National White Collar Crime Center states that the total dollar loss from "referred cases of fraud" was $198.44 million, up from $183.12 million in 2005. Keep in mind though, their research shows that only one in seven incidents of fraud is ever brought to the attention of law enforcement or regulatory agencies. In other words, actual losses are much larger.

Cyber crime, one of the components researched for the report, shows that while complaints were down slightly between 2005 and 2006, the dollar amount stolen went up. So, even with all the security systems such as firewalls, VPNs, encryption, and anti-virus software, cyber crime continues to be a more and more lucrative industry. 2007 began with a record-setting number of data breaches. TJX, the parent company of store chains TJ Maxx, Marshall's, Bob's Stores and others, revealed that it had lost 45.7 million data records from just one attack. And perpetrators may have had unauthorized access to the company's systems for as long as a year and a half before the penetration was noticed. TJX had firewalls, encryption and other security systems in place during the attack. Intercepted files and compromised data are among the many risks facing a business with unsecured systems and technology.

During the summer of 2007 alone, my firm Razorpoint Security Technologies witnessed a number of large organizations (with hundreds of millions to billions of dollars in annual revenue) with very little or no security, despite ubiquitous firewalls and VPNs. In one case, we discovered two major holes in less than 60 seconds. Seemingly every day there are reports in the news of cyber crime and compromised security. I offer this as a timely reminder of how security is still far from where it needs to be. It is truly mind-boggling how in 2007, with all that has happened in the security arena to date, people still have no idea what security is or should be. Consider that every year sales of security products increase, and every year cyber crime losses increase. We must stop relying solely on security buzzwords to protect our businesses!


What Security Isn't

Security is not IT. The reality is that security is separate from IT (information technology). Because cyber security touches technology, companies mistakenly lump these duties into what are usually overworked and undertrained IT departments. The people installing your Windows updates, fixing printer jams, and getting your e-mail to work are not the ones who are skilled and experienced in effective security countermeasures. Security requires a different mindset and different training. Some firms divide their IT and security departments only after learning this the hard way. What's dangerous in having them merged is that the IT staff often sees security as just another line item, along with resetting forgotten passwords, finding out why your e-mail isn't getting to your BlackBerry and ordering backup tapes. Particularly at companies where technology isn't a core competency (such as law firms, health-care companies, family offices and manufacturing concerns), the IT staff usually consists of a single individual. An outside consultant may be tapped from time to time for specific, more complex tasks, but rarely are there dedicated security resources.

With physical security, business executives and celebrities hire bodyguards with a certain level of training and experience for personal protection. Rarely, if ever, do you hear such a security professional tout the fact that he or she just purchased a new type of firearm or pepper spray. This is because it doesn't matter; it's the experience you're seeking and not the gadgets. Don't get caught fumbling around in the security products game. It is trained, experienced personnel that make the difference.

Compliance is not security. Another thing facing businesses is compliance. Several industries have sprouted up just to help companies remain in compliance with legislation and rules such as the Sarbanes-Oxley Act, SAS 70 (the Statement on Auditing Standards No. 70), HIPAA (the Health Insurance Portability and Accountability Act), and PCI DSS (Payment Card Industry Data Security Standard). However, businesses have mistaken the security jargon laced within each of these compliance standards for actual security. My firm regularly performs security assessments for companies requiring one or more of these compliance certifications. Though the companies have met their compliance criteria, we frequently find that their data can still be attacked. You could be compliant, and yet still completely insecure.

We recently performed a security assessment on a retail/e-commerce firm with damning results. The company is a known brand and grosses more than $2 million per day through its e-commerce site alone. Because of the types of transactions it performs, it is required to remain "PCI compliant." Over the past 12 months the company has aligned its business practices to remain within the PCI compliance guidelines, and thus it feels reasonably confident about its security. However, one of the directors believed a targeted security assessment was still something required to put his mind at ease. As a known retailer, buyers generate tens of thousands of transactions on their systems every day as they seek the hottest products. Just two days into our two-week security assessment, we uncovered what could have been devastating holes in these systems. While we believed from our review that no one had compromised their systems, with a little time and effort, most if not all of its customer data (names, addresses, credit card numbers, debit card accounts, etc.) could have been in the hands of cyber thieves. Shocked, the clients now fully understood how being "compliant" did not mean that they were secure.



We're Not a Target

Along with the security myths about firewalls, VPNs, etc. comes a myth about how small businesses are immune from attack. All too often we'll hear, "Well, we're not a target. We're not a big bank or anything. Who's heard of us?" The reality is that 80% of all attacks are now automated. Carefully crafted robot programs (aka "bots") continuously roam the Internet looking for vulnerable systems. These bots do not follow Dun & Bradstreet reports as they hunt, and they don't care what your market cap is. All they need is to find a vulnerable system, and then they dive in. Bots are agents that serve to make cyber criminals' networks stronger. It is from these infiltrated systems that criminals can launch lucrative attacks while cloaking their identities. Large numbers of bot-infested systems working together in concert are referred to as "bot networks" or "botnets." Anyone who has ever received a spam e-mail can thank a botnet.

In addition to building botnets, attackers break into medium-sized and small businesses, and even individual home computers, for other reasons. Some of these are:


Thinking Security

It should be noted that any recommendations regarding security should be implemented as part of a cohesive, well established policy and process. Merely making a technology purchase or clicking a check box does not by itself make for anything resembling effective security.

Some recommendations for configuring and maintaining effective security:


A simple addendum to an employment agreement and regular company reviews help considerably when you're trying to keep security on people's minds.


Not A Product

"Security is a process, not a product" is a famous adage in the security industry. It is very true. While there are numerous products to buy out there, none is effective in preventing an attack if there is no thought process behind its use.

Security considerations that should be contemplated include: Where do we need security? Where could we be vulnerable? What type of security do we need? How will this security be maintained and monitored? What assets are we trying to protect? Who needs access to these assets, and for what reasons?

This is how to begin a security thought process, which should be reviewed and updated regularly. Buying a "Firewall/VPN combo" appliance online is not where you start.



Gary Morse, a 27-year veteran of the security and technology industries, is the president and founder of Razorpoint Security Technologies Inc. in New York. More information is available at www.razorpoint.com.