May 29, 2000

From Pacific Business News

Hawaii faces threat of 'electronic Pearl Harbor,' FBI says Andrew Beach PBN Staff Reporter

Computer hackers are gearing up for a major conference in New York City in July. Called H2K, the meeting has all the trappings of a Lions Club get-together, including its own Web site www.H2K.net and travel discounts from Southwest Airlines.

But for information security managers for businesses here and on the mainland, the convention isn't just some kind of social get-together. They say hacking and other attacks on computer systems cost hundreds of millions, perhaps billions, of dollars in damages a year.

Special Agent Matthew Morin is Hawaii coordinator for the FBI's Infra Guard program, which aims to help counter threats to computer systems and networks. He says that with the Internet recognizing no borders, regional crime issues are becoming much more international.

However, he says Hawaii faces some unique threats due to its location and to the nature of some of the computer networks here.

"The combination of Hawaii's isolation and the large [U.S.] Department of Defense presence here means Hawaii could be vulnerable to an `electronic Pearl Harbor,' an attack on the state's electronic infrastructure," he says.

On the mainland, a community that experienced such an attack could call on help from the next town up the highway, but that option isn't open to Hawaii, he says.

Businesses take it seriously Although the FBI's concerns are national and in many ways focused on national security issues, some local businesses here are taking a close look at their security systems.

The International Systems Security Association has had a Hawaii chapter for 10 years, and there are now about 50 members of the organization here.

Its members are security professionals, and their primary concern is the security of computerized information systems.

Hawaii chapter president Frank Lohman says that the risks companies face from attacks on the information they have can be enormous. Lohman, who is security administrator for the Hawaii Medical Service Association, says that, for example, if information about patients were to get into the wrong hands, the damage would be "incalculable."

He says technical workers tend to be a mobile population and it is not unusual for people working for one company to know the infrastructure of another company.

Dealing with those issues is the job of the security professional, he says.

Hackers' tools, widely available on the Internet, can give even a novice "the keys to the kingdom," says Lohman, making it the security professional's job to know what tools are out there and what the fixes and countermeasures are.

Dave Cole, consulting manager for Atlanta-based security management company ISS Group Inc. (Nasdaq: ISSX), was in Hawaii last week to address the ISSA. He stresses the need for a company's management to clearly articulate the value of security. As well, companies should consider all facets of their "security architecture" -- the management side, which covers policy and awareness, operational aspects (covering processes and procedures) and technical (dealing with networks and applications).

Businesses should also perform regular security assessments, he says -- quarterly in the case of companies dealing with financial services.

Study reveals severity A recent nationwide survey of large corporations and government agencies by the San Francisco-based Computer Security Institute and the Federal Bureau of Investigation's Computer Intrusion Squad showed that 90 percent of respondents had detected computer security breaches in the last 12 months.

Seventy-four percent said they had suffered financial losses due to computer breaches and 42 percent were able to quantify those losses: those 273 respondents said they had lost a total of $265,589,940. The largest losses came from theft of proprietary information and from financial fraud.

Nearly three-quarters of respondents said they detected unauthorized access by insiders. However, 59 percent said their Internet connection was the most frequent point of attack, rather than internal systems.

Other findings:

25 percent of respondents detected system penetration from the outside;

27 percent of respondents detected denial of service attacks;

79 percent detected employee abuse of Internet access privileges;

85 percent detected computer viruses.

CSI director Patrice Rapalus says the trends the survey shows are disturbing. "Cyber crimes and other information security breaches are widespread and diverse.

"Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies and, most importantly, adequate staffing and training of information security practitioners in both the private sector and the government."

Companies are often very reluctant to disclose when they have suffered attacks on their computer networks and the FBI is close-mouthed when discussing investigations, but the bureau's Morin says there have been computer attacks within Hawaii.

"This kind of stuff happens all the time," he says.

Forethought key to prevention Telecommunication company Sprint's group manager for information security services, Kevin Sullivan, was in Hawaii last week to address a seminar on computer security. He says the key to security lies in having a well-established, well-thought-out security policy. From that starting point, successful measures can easily be introduced.

Not having a defined security policy leaves a company open to threats, such as loss of service, having data altered or lost and having proprietary information compromised.

Sullivan says companies should always be aware of both external threats -- hackers who may try to break into the system -- and internal threats. "Internally, employees are the No. 1 threat, followed by employees who have just left the company."

He points out that today, "Hackers don't need to be rocket scientists." New programs and tools, which are widely available on the Internet, mean that only minimal knowledge and ability is needed to break into a site.

External threats companies face often include "Web site defamation," where the content of a company's Web site is altered to embarrass or harm the organization.

Another external threat is so-called denial of service, seen in the attacks launched against Yahoo! and eBay earlier this year. In these cases, sites are overwhelmed by thousands of simultaneous erroneous but time-consuming messages.

Traditional problems linger Old-fashioned theft is another external threat that Sullivan says companies must be more aware of.

Airport security inspections have become a rich feeding ground for laptop computer thieves, who work in pairs: one distracts the computer's owner after the computer has been put on the X-ray conveyor but before the owner has passed through the metal detector, while the other thief takes the computer as it emerges from the X-ray and disappears with it into the crowds.

Internal threats often include attacks on Web sites or compromising of data, but Sullivan says not all threats are malicious or intentional.

Ignorance is a major threat to security. "If a person working with computers doesn't know as much about it as they think, they can easily make configuration errors, leading to lost productivity."

Sullivan counsels increased training and limiting staff access to computers to counter this kind of threat.

As far as deliberate attacks and fraud goes, Sullivan says there is "probably an epidemic, but a lot of companies don't report the problem for fear of losing stock values or market share."

Sullivan says that security for too many companies is an afterthought, usually addressed only after they have been hacked. "Security has to be taken seriously, and at the senior management levels.

"Security policy is the first place to start, he says. Sullivan recommends assigning a priority to all sensitive information, and then concentrating on protecting the top 20 percent. The rest could be considered an acceptable business risk.

Planning a counterattack Countermeasures Sullivan recommends include heightening the consequences of committing fraud, limiting access to computer systems and increasing monitoring.

The FBI launched its Infra Guard program in Hawaii in March. Morin says the primary aim is to protect "critical infrastructure" such as telecommunications, transportation or emergency services.

"These are all services that people living here rely on from day to day," he says.

The owners of this infrastructure are primarily private companies, and Morin says the bureau has established a good working relationship with them. Infra Guard operates a so-called Alert Network, whereby participating companies can notify each other over a secure communications network of threats or attacks and what measures they have taken.

Morin says the bureau is working to raise awareness in Hawaii of computer security issues by hosting quarterly seminars.

"The best thing a company can do is have personnel familiar with their network environment. They are the front line for computer security," Morin says. "The other thing companies should do is to determine a security policy, instead of just throwing computers onto a network and growing without a plan."

Meanwhile, at hacker-oriented sites like www.2600.com successful attacks on company Web sites are commemorated in online archives. Ironically, the H2K site itself reports that it has had "connectivity problems," but they have been ironed out.

http://www.bizjournals.com/pacific/stories/2000/05/29/story4.html

-- Martin Thompson (mthom1927@aol.com), May 30, 2000