Greater information security is one of the newest and most effective tools of technology. The world would be lost without it. Governments, businesses, and our everyday personal lives require that electronic information be protected from falling into the wrong hands. Battles can be lost, fortunes can trade hands, and life as we know it can be significantly disrupted without security. The technology we use today will be insufficient in mere months because we are always trying to keep the adversaries of information security at bay. These adversaries include, but are not limited to, hackers, lone criminals, malicious insiders, industrial espionage, the press, organized crime, police, terrorists, national intelligence organizations, and “infowarriors.” The last term describes those who fight battles by attempting to compromise their enemies' information or network structure, disabling their capabilities[i]. In this paper, we would like to describe some of these adversaries and provide some real-world examples of this type of activity.
The first type of adversary is the so-called “lone criminal.” These criminals don't typically have a great deal of access, money, or expertise, and their main desire is financial gain. Professional thieves look to enrich themselves by revealing an individual's or organization's private information: passwords, credit card numbers, bank account numbers, etc.[i] One recent example was in 2008, when an Indonesian man was sentenced to 10 months in prison and fined $34,266 for stealing credit card numbers from US hotel customers. While working for Showcase Business Centers, he would go into hotel kiosks and load malicious software that would retain customers' credit card numbers. He would then create counterfeit cards and use them at various locations. This resulted in tens of thousands of dollars charged to other people's credit cards[ii].
Thinking this can't happen close to home? Think again. From December 7, 2007 to March 10, 2008 over 1,800 card numbers were used from the 4.2 million credit card numbers that were stolen from Hannaford supermarkets right here in the northeast. Malware was installed to catch information being sent “on the move” from store to bank. This was a very sophisticated attack that had ties going all the way back to Russia[iii].
Another group that poses a serious threat to information security is malicious insiders. These people are trusted by the system they are attacking and cannot be affected by the security set up to protect from outsiders. This is because they are already in. They have high levels of access and their motivations may include revenge, financial gain, institutional change, or publicity. An outsider typically steals $60,000, while an insider averages over 2.7 million dollars per successful attack[iv]. Most of the time, a negative event or experience for the employee will motivate their attack[v].
In 2005, “Data Broker Acxiom Corp experienced data theft that cost it 5.8 million dollars”. Employees' time and travel expenses, security audits, and encryption software were all stolen. It turned out to be a contract employee named Daniel J. Baas. This insider was later sentenced to 45 months in prison. Another example was at Wachovia and Bank of America, where several employees of these institutions stole over 700,000 financial records and sold them to collection agencies for financial gain[v].
These types of massive security breaches by insiders can be very embarrassing and have resulted in some companies not disclosing them. The problem with this is that the more time that passes between the data theft and the relevant parties being notified, the greater the harm inflicted. Several states have now mandated full disclosure when it comes to the public's sensitive information. These new laws have teeth behind them as well. In Florida, companies can be fined $1,000 a day for lack of disclosure and after 30 days the fine will increase to $50,000 per month.
Some of the best practices[v] for preventing insider security breaches are the following:
* Develop and publish access policies that can be used as a basis of prosecution or punishment
* Develop training and education programs for all employees
* Conduct background investigations on all employees and contractors who have access to sensitive information
* Classify corporate information and allow access only on a need-to-know basis
* Segment networks where possible
* Deploy monitoring tools with alert mechanisms
* Demand that trading partners and service providers inform you of the security protections in place at their facility
* Control physical access to buildings and offices, automate the logging of physical access and integrate it with network access monitoring
These do not guarantee security, but are a standardized set of rules that have been proven to work effectively.
Although insiders are probably the biggest threat to information security because of the unique access they hold, they are not the biggest group that threatens it. That group is hackers. Hacking also presents problems for companies, universities and law-enforcement officials in every industry and country. Hackers will receive the thrills and chills of their rebellious acts and then have all that adrenaline, making them feel really good. Hackers also gain many possessions from hacking. One thing that they gain is knowledge. This is not just knowledge of how to hack, but also knowledge of the systems that they are hacking into and knowledge of different security precautions that people take to try to keep hackers out. Hackers must understand the systems they break into extremely well in order to hack into them. They will read up on the different programs. They will also go to conferences to learn about new techniques and new ways that one can break into systems easily. A hacker attempts to receive anything he/she wants from hacking into other computers. They can download, or copy to their computer, applications, games, and many different kinds of powerful programs for the computer. They can make credit card numbers. They can also make calling card numbers. If a hacker can gain access to the telephone companies' computers, they can wreak havoc on the telephone system. Phone numbers can be changed, identities switched, etc. The type of phone that a phone number has can be changed; for example, a regular house phone can be changed into a pay phone. When a person tries to dial out, they get a request for money. Many things can happen by hacking into a telephone company. Even with all of the laws that the government has passed, hackers have yet to be significantly slowed down and brought to justice in large numbers due to the difficulty of locating them.
As authorities gain knowledge of the latest techniques hackers are using, new methods are being developed. Authorities must quicken their response time or the world will be buried in hackers, making just about anything difficult to accomplish[vi].
The last group covered here will be industrial espionage agents. Most recently, the FBI's web site was hacked and turned into a racial hate page. Anyone can access files from a WWW page, but changing them is very hard. That is why most hackers don't even bother with it. This web site should have been among the safest and most secure in the world, yet late in 1996, it got hacked. To change a web page, hackers simply upload a new, modified version of the web page in place of the original. But fortunately, almost all Internet Service Providers (ISPs), the computers you dial into for Internet access, have protection called a firewall. Firewalls kick off all users trying to gain access or change information that is not authorized. Theft and destruction of company files is increasing faster than anyone who has the ability can stop it.
Espionage and intelligence are no longer the exclusive domain of monarchs and governments. They have become a must for modern international business. Large corporations around the world, particularly in Western Europe and Asia, now hire agents to gather intelligence on their competitors and other countries. The goal of economic espionage is to steal trade secrets, plans and confidential procedures, or anything that gives a company or country a competitive edge over another. Sometimes this espionage is conducted by companies, and sometimes it is conducted by national intelligence and passed on to domestic companies[i]. The areas that interest industrial spies the most include radiation transfer technology, systems diagnostic and testing software, traveling wave tubes, aviation technologies, microwave monolithic integrated circuits, infrared signature measures software, radar technologies, wet processing systems, information management and processing, simulation technologies, physical security technologies, and ram-jet engine and ram-jet technologies[vii]. Although these are not all of the areas that modern spies target, they will give you an idea of the scope of the problem. How do industrial spies go about collecting information? It is a well-known fact that modern spies have used all of the collection methods used during the Cold War for collecting information on industrial competitors. Practitioners of modern espionage seldom use one method by itself, but combine them into concerted collection programs. Countries and corporations have been known to turn legitimate transactions or business relationships into stealthy collection opportunities. Some of the methods of information collection listed below are most often used for legitimate purposes. Including them here is not to imply illegal activity; they are shown as potential elements of a broader, coordinated intelligence effort[viii].
Sometimes these efforts are legal, and sometimes they become aggressive enough to make them extralegal.
The groups listed are just some of the threats out there. Companies, nations and users must understand who these threats are and how they think, because to compete with and defeat this adversary, we must become more nimble and more intelligent.
[i] Schneier, B. (2000). Secrets & Lies: Digital Security in a Networked World. Indianapolis, IN: Wiley Publishing.
[ii] Computer Fraud & Security. (2008). Indonesian hacker jailed for credit card theft. 4, 4.
[iii] Zetter, K. (2009). TJX Hacker Charged with Heartland, Hannaford Breaches. Wired. Retrieved from
[iv] Verton, D. (2001). Analysts: Insiders may pose security threat. Computerworld. 35, 6.
[v] Lynch, D. M. (2006). Securing Against Insider Attacks. Information Security and Risk Management, 15(5), 39-47. Retrieved from
[vi] Willison, R. (2006). Understanding the perpetration of employee computer crime in the organisational context. Information and Organization, 16(4), 304-324.
[vii] Giraldi, P. (2010). Washington Report on Middle East Affairs. 29, 3, 17-18.
[viii] Palumbo, F. A. (2008). Journal of Convention & Event Tourism. 9, 4, 277-292.