MASHANTUCKET, Conn. — When the national CyberCrime 2001 symposium commenced
Sunday afternoon with Microsoft Corp.’s Corporate Security Officer Howard A.
Schmidt anchoring the keynote slot, it quickly became apparent that IT’s
consensus belief is that people with Internet businesses are ready for the
basics of security — and that’s it.
Unlike say, a highly technical conference engaging audiences with the
complex machinations of XML, Sunday’s lead-off speakers seemed to have been
given the missive of keeping the task of combating cybercrime simple.
And they did. From Schmidt to a Massachusetts police sergeant discussing
online investigation tactics, to an impromptu enterprise security overview,
the overall theme was that many people are not aware just how vulnerable
their systems are to attacks by knowledgeable perpetrators. But that’s what
makes the conference, hosted by Connecticut-based Internet Crimes Inc., so
useful: people seem to listen when they are told that their security system
is dated and therefore susceptible to serious attacks. Call it a case of
ignorance breeding concern, which begets paranoia. The result is that if you
build a secure system, the people will come.
Schmidt: The Basics of Critical Infrastructure
Who better to ignite a conference than the person who has to contend with
potential hacks on the largest software company in the world’s 6,000 servers
and 100,000 PCs in more than 400 different locations around the globe, which
is the makeup of what Schmidt smartly calls Microsoft’s “digital central
nervous system?”
While Schmidt ran through his slide presentation like he was late for a
flight, he kept it interesting with a number of cracks and interesting
observations. A former police officer, Schmidt told a story about when he
was working in that capacity in Arizona. He said that a new subdivision had
just been put in his area of coverage, and immediately the burglary rate
shot up.
“We couldn’t figure it out,” Schmidt said. “But after some investigation, we
found two things: 1) The door locks were vulnerable; all a perpetrator had
to do was pop them off with a twist — it took two seconds and 2) The slider
windows; a perp just had to put a little pressure on the window and it slid
right out of its tracks.”
Schmidt’s point was that once a few criminals figured this out, it was all
over the criminal contingent in that area of Arizona.
And how did this relate to computer security? Schmidt maintained the analogy
is clear: You can have what seems to be a rich, robust application, but the
minute someone finds weaknesses, they will be shamelessly exploited all over
the hacker world. Schmidt’s point is that technological security is
constantly evolving and if companies do not evolve with it, they are asking
for trouble.
While Schmidt delved into mostly general points about security (such as the
idea that since the mid-’80s, computer engineers have realized that security
“is not going to come from a guy with a 43-inch chest, but from a guy with
technical know-how”), he also managed to plug his illustrious and infamous
company, referencing Microsoft’s Information Assurance Program and its
10-step checklist of security. But he abbreviated said credo by listing six
basic points.
Schmidt said to consider these factors before you build or license something
important to your business: engineer it securely, administer security, test
its defenses, eliminate weaknesses, investigate threats, and finally, but
perhaps most importantly — educate the world.
Schmidt ended his discussion there, but he did so by driving home the
important point that companies should report hack attacks, worms, and
viruses, because if they don’t they are just paving the way for more perps
to challenge a network’s defenses.
Police Sgt. John J. McLean: How a Police Department Takes A Bite Out of
Cybercrime
According to Medford, Mass.-based Police Sgt. John J. McLean, Internet crime is investigated and dealt with very carefully.
In his presentation, complete with a useful detailed handout of how to
create profiles to lure potential perps, McLean discussed a number of
different methods he and fellow officers use to catch the bad guys. There
seem to be three main ingredients to investigating online crime — detecting
someone with a disposition to commit an offense online, going undercover to
nab the guilty party, and making absolutely sure that you document the
evidence.
And while McLean noted that this seems simple enough if an officer has the
technical and investigative know-how, there is a major pitfall a law
enforcer must be aware of: entrapment. McLean said detectives must know full
well that there is a line they may not cross — that there is such a thing
as deceiving and luring a potential perp so effectively, that they are
ensnared with no way out.
One ecurring theme that made McLean’s presentation so interesting, if not perplexing,
are the gray areas concerning both entrapment of a
potentially guilty party and violating certain laws in regard to fraud, or
bending the rules of identity to nab that suspect.
McLean often cited the example of child porn, which he noted was all-too-prevalent
over the Internet. If an officer became suspicious of certain activities, he
could create a profile complete with false identification and a picture. The
law states that a child’s picture may not be used, but if the officer agrees
to it, he could use a picture of himself when he was younger — one of many
loopholes McLean said investigators use to lure a pederast. However, the
picture can be used only after an investigator has culled sufficient
evidence to make such a bold move. That is, in the process of give and take
between a perp and an undercover officer posing as a child, the officer must
be very careful not to be too aggressive and to let the perp make a certain
amount of moves.
McLean said perps have gotten off the hook because of lack of hard
evidence (via e-mail, bulletin boards, etc.) and entrapment. The crux of
McLean’s lecture, is that officers must be fully aware of the myriad of
loopholes and pitfalls in online investigations a lawyer may use to score an
acquittal for their defendants.
Enterprise Security: Know Thy System
Wayne Pierce and Keith Salustro of consulting firm Athena Security were
happy to fill in for Cylink Corp. which was going to spearhead a
cryptography segment were it not for inclement weather.
Pierce led the discussion, going over what may seem to be mundane (but
absolutely necessary) protocols of protecting corporate security behind a
firewall or virtual private network.
Pierce said most companies err by not keeping security for their business
updated.
“Security is evolutionary,” Pierce said. “What worked six months ago, is not
necessarily what is going to work today because the sector moves at Internet
speed.”
After outlining the template of a security policy, which he called the
Constitution of a company’s protection, Pierce cited a number of cases in
which his company’s clients had security issues. Pierce said a regional
reseller had lost several employees and later became suspicious that a rival firm
was bidding lower prices for its products than the reseller itself. Pierce’s
company conducted an investigation and found that pricing information was
being routed to another account. Pierce and Co. thwarted the espionage by
reconfiguring the system — problem solved.
Pierce also noted a fascinating distinction between amateur and professional
hackers.
“The amateur hacker attacks a system,” Pierce said. “The professional
attacks a person.”
What Pierce meant by this is that an ordinary hacker will look for
vulnerabilities in a system, possible backdoors and things of that il
k. But
a professional will latch on to a specific person and look for information
via the unsuspecting employee. One such instance Pierce cited was a case with Motorola where a
professional called up an employee, chatted him up, gained his confidence
and then procured important account information.
Ultimately, Pierce’s impromptu talk circled back to the same themes Schmidt’s and
McLean’s discussions did — that people must be much more aware of what’s
going in and out of their system, as well as testing it regularly for
weaknesses. While these methods of network protection seem obvious on the
surface, all of the conference participants said it is surprising how many
people either aren’t aware, or don’t bother to secure their businesses.
