Information Security News mailing list archives

Survey: Hackers Thrive on Sloppy Employees


From: InfoSec News <isn () c4i org>
Date: Wed, 10 Oct 2001 02:39:28 -0500 (CDT)

http://www.themoscowtimes.com/stories/2001/10/10/049.html

By Alexander Boreiko 
Vedomosti 
Wednesday, Oct. 10, 2001

Russian corporate computer networks are hacked into twice as often as
in Western Europe, while e-crime thrives on careless computer users,
according to Ernst & Young research.

Sixty-five percent of those surveyed by Ernst & Young encountered
problems with computer security sometime in the past year. Companies
most often suffered from computer viruses, network crashes and
unauthorized access from inside the company.

Thirty-nine percent of respondents reported that hackers broke into
their system -- twice the level in Western Europe. However, only 26
percent experienced vital systems failure, compared with 70 percent in
Western Europe.

Hackers frequently took advantage of glitches in security -- for
example, misconfigurations in network monitors -- and the carelessness
of users, who often leave default and guest passwords unchanged,
according to the survey.

Half of the companies in the survey experienced virus attacks --
frequently caused by workers opening files from questionable sources.

Hackers usually break into systems to steal commercial information or
tamper with finances; but Russian companies reported that these types
of attacks accounted for only 3 percent and 6 percent of all
break-ins, respectively.

Experts from Ernst & Young say the problem is bigger than it seems,
and say the relatively low percentage figures are a result of hackers
cleaning up their tracks.

In Moscow alone, e-crime accounts for $12 million to $15 million in
losses yearly, according to law enforcement authorities.

If a hacker doesn't break into a system, he or she can still cause
considerable damage by launching a denial-of-service attack, said
Michelle Moore, head of the information technologies and risk
department at Ernst & Young's Russia office. A DoS attack overloads
the network system by sending false queries, cutting access to real
users.

"Hackers launch DoS attacks so the day wouldn't be wasted," said
Moore. "It is comparable to a burglar who cuts the telephone and
electric wires of a house he isn't able to get into, out of spite."

In the United States, 70 percent of companies polled by the FBI said
they experienced unauthorized access to their computer systems
sometime last year. Fifty-nine percent of the attacks came over the
Internet, while 38 percent were launched from within a corporate
network. Seventy-four percent of respondents reported financial losses
attributed to hacking, although only 42 percent actually quantified
those losses. Losses totaled some $265.6 million.

Most companies have anti-virus programs and network monitors as safety
precautions. However, they focus on technical safety measures, rather
than organizational ones.

Russian companies experiment with technical devices without first
determining what risks their systems face, which is the step that would
identify what safety measures the system actually requires. This leads
to either a shortage or an overabundance of security software, analysts
say.

Because the Internet has made national borders invisible, companies in
different countries are encountering the same threats to their
information's safety. But Russia's legislation and technology are
underdeveloped and not prepared to fight computer crime, Moore says,
and no local companies have a formal system for tracking down breaches
into operating systems.

"A very big fraction of breaches happen because employees are not
careful with information and it falls into the wrong hands, or they
run applications that are not familiar to them," said Svetlana
Trofimova, manager at the Kaspersky Lab, Russia's leading anti-virus
software developer. Uneducated employees present the biggest risk, she
said.

The E&Y survey showed that 32 percent of respondents had not tested
their security systems' effectiveness.

One way companies can test their security is with planned hacker
attacks. However, most Russian companies have not used this method and
have no clear idea of how secure their information is.

Ernst & Young specialists test systems by simulating a hacker attack
on their clients, finding soft spots in the system. Almost always,
companies hire outside help to test their security system only after a
breach.

Furthermore, only 38 percent of Russian companies have installed
breach-detection tools in their systems.

"One of the main problems is a lack of financing geared toward data
security," said Trofimova. "Today, close to 90 percent of companies
need security systems. A significant number are government
institutions that lack funds and can not defend themselves
adequately."

To effectively protect a company from hackers, an analysis of the
company's business processes and the risks associated with them must
be made, said Alexander Galitsky, head of the TrustWorks computer
security company. With that information, a security policy can be
developed, technical infrastructure created and technology geared
toward fulfilling the policy.

"As far as I know, this is not practiced in Russia because,
traditionally, Russian companies don't pay for consulting," he said.
"Many consider a network monitor, door security and disconnecting the
internal network from the Internet sufficiently safe."



-
ISN is currently hosted by Attrition.org
