Who Shall We Rob Today?
by Michael Whitlock - Managing Director, MPW Associates - Thursday, 6 April 2006.
Remember those old black and white movies, the stocking masks, the pick axe handles, the sawn off shotguns and the white 2.8 Jaguar as the getaway car? Lots of action and great car chases!

A far cry from todayís highly organised and sophisticated bandits, with high performance computers, network sniffers, switched on hackers, infiltrating software and highly motivated planted operatives.

While the former makes for exciting cinema viewing the latter makes for big time computer fraud.

There is no doubt that computer crime is not only on the increase but the perpetrators are also becoming more and more imaginative, with an increased emphasis on direct infiltration (according to a study commissioned by the National Hi-Tech Crime Unit (NHTCU) 68% of information stolen was done by insiders). What can the potential victims do to stop this ever increasing treat?

The simple answer is Ė look out for everything; and then look again. There is no simple solution. The most effective answer, already adopted by many of our major and more progressive companies, is to establish a dedicated security department reporting directly to the main board and having the authority to impose those standards and procedures necessary to close the gaps in the system.

With a well structured security department in place the most effective plan must be to formulate a hit list which will address each of the security components that most affect the particular nature of the business. Every business will have its own view of what elements constitute the greatest risk to its data security and consequently itís vulnerability to fraudulent attack but there are some common basics that should be addressed by all. These basics would include the effective use of Anti-Virus software, preferably a version that automatically updates itself to the latest level, a very solid hardware Firewall also maintained to the latest specification and of great importance a very effective email control system (DMZ) kept under very tight control.

So much for the basics, what else can be done to make a significant impact on overall data security? For companies where there is a tangible value to their data (banks, commercial lawyers, government, military etc,) one of the first priorities must be the implementation of a solid Network Data Encryption system, ideally a hardware based system, which is both immune to unwelcome infiltration and provides far greater performance than is available by using software encryption.

Employees at all levels are potentially subversive. To build strategies that clarify and enforce what is expected of staff is key to protecting the company's data and so also the company itself. There is little point in employing expensive hardware and software to protect the companyís data if staff has no knowledge of what is expected of them, or what procedures should be followed. For instance employees may choose to download their personal email from Hotmail or Yahoo, thereby circumventing the expensive email control system. Unless they are explicitly made aware of the hazards to the company of this type of activity, they will carry on regardless. Spending a fortune on preventing viruses entering your network and then letting your employees bring in their sons or daughters homework on disk to be printed out on the office colour printer brings similar exposure and possibly opens the door to the more obvious sins of surfing porn or sports sites!


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th