Who's looking inside your business? How hackers intrude

Issue Vol. 12 No. 1 January 2010 By Michelle D. Syc

Confidentiality is one of the keystones of the legal profession. It is critical that the information contained in a firm's digital files and documents are protected. Additionally, with the onslaught of identity theft, Massachusetts has enacted revised ID theft regulations which will become effective March 1, 2010. The new language aims to support the state's commitment to balancing consumer protection with the needs of small business. The updates take into consideration the size of a business and the amount of personal information it handles when creating a data security plan. This risk-based approach to protecting data however, does not relieve any business, including law firms, of the obligation it has to protecting the personal information of those it serves. Actually, it may encourage more firms, especially smaller ones, to re-examine their data protection plans.

Most companies recognize basic security as part of the cost of doing business. However, leaving your information systems exposed is a lot like leaving your front door unlocked 24/7. Even very small firms can attract unwanted attention from those with the skills to infiltrate their information systems, including servers, applications and operating systems. And, chances are, if they've been there, you may not even know it without the help of a forensic expert.

Because many organizations are unaware of the risk of computer attacks, technology security tends to be an afterthought in both small and large companies. Information technology (IT) professionals feel great pressure to maximize functionality and speed, and security controls are often credited for slowing the processes. However, when the proper security devices and procedures are built into IT systems on the front end, they can become seamless and efficient while also providing far greater protection from hackers and other security risks.

As a Certified Ethical Hacker and Certified Information Systems Auditor, I am trained to hack into my clients' systems, just as an unauthorized hacker would. An ethical hacker is an individual who is employed with or by an organization and who can be trusted to undertake an attempt to break into networks and/or computer systems to discover and address vulnerabilities in corporate, governmental and institutional information systems. Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it is legal. Ethical hackers help municipalities and other government bodies, businesses as well as nonprofit organizations, to become more secure.

Who's a hacker?
Hackers come in many forms, and their intent to harm can vary, as well. So-called "black-hat hackers" break into Web interface applications to gain access to servers to steal information or vandalize systems. But malicious behavior can also come from people you know by name, for instance, disgruntled employees. These individuals can cause public relations problems, such as defacing your Web site, or getting access to credit cards and Social Security numbers. Hackers target all types of organizations, including professional firms, private and public companies, government, and nonprofit institutions - so all need to take security precautions. The good news is that many of these precautions are neither difficult nor expensive to implement.

Common weaknesses
Fortunately, some of the most common security weaknesses require little to no cost to address. Using proper password complexity to secure data is a perfect example. Lack of proper passwords or weak passwords are considered "low hanging fruit" among hackers. By trying a brute force automated attack software that attempts 150 passwords per second, a five character password can be cracked in less than 24 hours.

Default password settings in hardware can also represent an open window to hackers.

Often, the passwords associated with the hardware aren't changed after purchase, so the manufacturer's default password is the only protection against intrusion. For example, if your firm installs a Cisco router and the password isn't reset, a hacker can easily infiltrate your network because manufacturers' default passwords are available to anyone on the Internet.

Poor access controls are also a common weakness within computer networks. Creating policies and procedures to manage access to the network and specific applications is essential to network security. Many organizations fail to eliminate "phantom users," such as former employees, from their systems, leaving the door open to individuals who may wish to cause embarrassment or damage. We encourage clients to implement User ID Auditing to ensure that the right people are on the system at any given time, with the right credentials and the appropriate security access.

Trends in hacking
Another trend in hacking should be of particular concern to smaller businesses, municipalities and educational institutions. Hackers who want to steal information or create damage at a high-visibility target, like a major corporation, need to do so under the cloak of anonymity to avoid being caught and prosecuted. To do that, they hack first into smaller, more vulnerable organizations and harvest that site's credentials - IP numbers and other identifying information - and take on that identity when hacking the primary target. This represents a problem for the smaller organization because the larger company can argue that a lack of proper security allowed the fraud to be committed.

Protecting your virtual assets
A vulnerability assessment is an effective way to protect your organization against hackers and malicious intruders. In a vulnerability assessment, a Certified Ethical Hacker attempts to break into an organization's systems and identify areas of weakness. This results in an analysis and specific recommendations for implementing security technologies as well as policies and procedures to control and monitor access to the system. After six months, a follow-up benchmark analysis is conducted to ensure that all recommendations were implemented and working properly. The service offers a high return on investment, not to mention peace of mind.

Facts and figures

Passwords protect (but only if you use them)

  • No passwords: Everyone in the organization should have a password of more than seven characters. They should be alphanumeric and difficult to guess. (No family names.)
  • Change passwords regularly. Passwords should be changed across the organization every 60 days.
  • Hardware passwords. System administrators need to apply these same password standards to hardware, such as routers, printers, servers and other access-protected hardware.

Total number of records containing sensitive personal information involved in security breaches in the United States since January 2005.
source: Privacy Rights Clearinghouse, Dataloss

It is estimated that the average cost of a data breach is $182.00 per record.
source: Privacy Rights Clearinghouse

In a recent Verizon business study:

  • 73 percent of data breaches resulted from external sources, such as hackers.
  • 66 percent of data breaches involved data the victim didn't know was on the system.

The Author

Michelle D. Syc, a Certified Ethical Hacker and Certified Information System Auditor, heads the Information Technology Assurance Service Group at Kostin, Ruffkess & Company LLC. She is responsible for evaluating information systems to identify vulnerabilities and recommend solutions to mitigate security weaknesses.