CSA Explains… Security & Sabotage
Friday, May 2 at KPMG’s Chicago offices, sixteen individuals gathered to understand the legal, business, and technological implications of electronic sabotage. While many people would rather ignore the issue and treat it as a nuisance, the panel of speakers and the moderator took data security and potential sabotage extremely seriously, for it directly affects their business model, the operations of their clients, and the general public’s ability to expect transactions free of fraud.
Detection and Risk Mitigation
The moderator, Mr. Jeffrey L. Punzel, CTO & Founder of AssureBuy, began by sharing the common process by which a business comes to treat security and sabotage seriously. First, a forensic expert tracks occurrences of electronic sabotage. Second, the forensic team uncovers the weakness, usually introduced through oversights in programming or planning. And third, the business adopts a policy after the initial incident to both lower the number of occurrences and mitigate the effects of future incidents.
Mr. Christopher Bartley, Director of Solution Development, Lakeview Technology, spoke most directly to what businesses can do to mitigate the potential damage from electronic sabotage. Security should be implemented at the application, database, service, network, storage, and facilities levels. It should include an implemented management plan for detecting attacks, escalating incidents, and recovering systems. Security strategies include avoidance and recovery service level agreements. While no system can be 100% secure, detection, reaction, and recovery mitigate the risk of attack.
To help manage electronic security, there are several public services. One of Mr. Schulman’s favorites is the ISAC, or Information Sharing and Analysis Center. There is one for each of several industries, including an IT ISAC at www.it-isac.org and an Energy ISAC at www.energyisac.com/index.cfm. These ISACs benefit the business community by providing a non-competitive forum for sharing information on viruses and attacks. At the IT-ISAC website, the dashboard is updated daily with the latest virus information, the top ten ports targeted for attack, the overall threat level, and any new issues.
An example of an attack route in ecommerce, provided by Mr. Jay S. Schulman, Manager of Information Security Services at KPMG, is the capture of a web page, the alteration of the price of an item, and then the submission of the order at the lowered price. The computer system will often process taxes correctly, charge the credit card for the lowered price, and direct distribution to ship the item, all without detecting the fraudulent activity. While most ecommerce sites have prevented this attack by pulling prices from a secure database, some early sites have yet to be corrected.
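The price-alteration attack and its mitigation as described above, written out as an added example in Python (this code is not from the panel or from KPMG; the catalog, tax rate, form fields and function names are constructed for illustration). The first handler stands in for an early site that charges whatever price the browser posts; the second prices the order only from a server-side catalog, treats any client-supplied price that disagrees with the catalog as a tampering signal, and rejects the order instead of shipping it.

```python
# Added example, not code from the event write-up. All values below are constructed.

# Hypothetical server-side catalog standing in for the "secure database"
# that prices should be pulled from.
CATALOG = {"SKU-100": 49.99, "SKU-200": 129.00}
TAX_RATE = 0.08  # constructed flat rate for the illustration


class OrderRejected(ValueError):
    """Raised when the hardened handler refuses an order."""


def _total(price, qty):
    return round(price * qty * (1 + TAX_RATE), 2)


def process_order_vulnerable(form):
    """Early-style handler: trusts every field the browser posts,
    including the price, so an edited page changes what gets charged.
    Kept deliberately weak to show the behaviour described in the talk."""
    price = float(form["price"])
    qty = int(form["qty"])
    return {"sku": form["sku"], "charged": _total(price, qty), "ship": True}


def process_order_hardened(form):
    """Hardened handler: the price comes only from the server-side catalog.
    A posted price that disagrees with the catalog is a tamper signal and
    the order is rejected before billing or shipping."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise OrderRejected(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise OrderRejected("quantity is not an integer")
    if qty < 1:
        raise OrderRejected("quantity must be positive")
    price = CATALOG[sku]
    # Legacy forms may still post a price field; never use it, only compare it.
    if "price" in form:
        try:
            posted = float(form["price"])
        except ValueError:
            raise OrderRejected("price field is not numeric")
        if abs(posted - price) > 0.005:
            raise OrderRejected(
                f"price mismatch for {sku}: posted {posted}, catalog {price}")
    return {"sku": sku, "charged": _total(price, qty), "ship": True}


def hardened_or_none(form):
    """Convenience wrapper: the accepted order, or None if it was rejected."""
    try:
        return process_order_hardened(form)
    except OrderRejected as exc:
        # In a real deployment this is where the rejection would be logged
        # for the forensic/escalation process the panel describes.
        print(f"rejected: {exc}")
        return None


if __name__ == "__main__":
    # Constructed form as an honest browser would post it, and the same
    # form with the price field edited on the captured page.
    honest = {"sku": "SKU-200", "price": "129.00", "qty": "1"}
    altered = {"sku": "SKU-200", "price": "1.00", "qty": "1"}
    print("vulnerable, altered form:", process_order_vulnerable(altered))
    print("hardened, honest form:   ", hardened_or_none(honest))
    print("hardened, altered form:  ", hardened_or_none(altered))
```

The important design choice is that the hardened handler never reads the posted price into the total at all; the comparison exists only so that an edited form is detected and can be escalated, which matches the detection-then-policy process the moderator outlined.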
Alternatively, Mr. Richard N. Patterson, Special Agent for the US Secret Service, spoke of how a foreign crime ring had stolen a large database of credit card numbers and personal identities. They then purchased plane tickets with the stolen credit card numbers and sold them over eBay to unsuspecting travelers. When the travelers arrived at their destination, agents would make inquiries and confiscate the fraudulent tickets, sometimes leaving travelers stranded in foreign countries. While the perpetrators of this crime have been identified, charges could not be brought because they were operating in a foreign country.
Mr. Schulman clarified the severity of electronic sabotage and the need for security. On January 24th, the SQL Slammer Worm infected 10,000 computers within 25 minutes of its release. In 2003, it is anticipated that there will be 2 million attacks PER DAY. Mr. Patterson added that high speed internet connections and Gigahertz home computers give people the power to attack. Yet despite these worrying statistics, the entire panel agreed it is much less likely that an individual will be a victim of credit card number theft through ecommerce than when charging a dinner at a restaurant.
Mr. Patterson of the US Secret Service Electronic Crimes Task Force clarified the role of law enforcement in electronic sabotage. While the US Secret Service was originally founded in 1867 to combat counterfeit currency, its mission has expanded. Credit card fraud was included in 1984, the Patriot Act of 2001 added computer fraud, and the 2002 Protect Act included child pornography within their jurisdiction. The mission of the Electronic Crimes Task Force is to protect, prevent, and suppress computer crimes. When the US Secret Service works with a company with regard to security and sabotage, its goal is to minimize the disruption to business and manage the collection of the evidence necessary for law enforcement.
One of the difficulties facing the US Secret Service is the number of attacks originating from outside US borders. Crimes initiated in foreign countries against US corporations, their websites and databases, cannot be brought to justice without the agreement of the foreign law enforcement agencies. Some activities, such as credit card fraud, are not even recognized as crimes by foreign governments. As such, many known criminals are allowed to continue their operations outside our borders.
Implementing Security and Managing Sabotage
Risk mitigation and law enforcement are the key issues with respect to electronic security and sabotage. Like other business risks, the metrics for determining the correct strategy include an analysis of the frequency of attacks and the severity to the business and its customers if an attack occurs. While incidents of credit card number theft from ecommerce transactions are much rarer than incidents of similar theft from standard transactions, the potential severity of these thefts is much higher. A single computer criminal act can steal an entire database of credit card numbers and personal identities, wreaking much greater business and personal havoc than skimming credit card numbers at restaurants or gas stations. For this reason, electronic security and sabotage is taken very seriously.