Internet Security Industry News
Ethical hackers test for IT network weakness
August 5, 2003
In a 17th-floor corner office in north Toronto, a group of computer nerds is feverishly attacking Corporate Canada -- and getting paid for its efforts. "If you have a system on-line, you will be a target. You are either a target of choice or a target of opportunity," said Simon Tang, a manager at Deloitte & Touche.
The executive oversees a buzzing computer lab of 10 so-called "ethical hackers," a team of experts that probes the computer systems of corporate clients, searching for vulnerabilities and weaknesses.
Ethical hacking, or "penetration testing," is a niche business spun out of the corporate world's increasing dependence on the Internet. As a firm's on-line presence grows, the risk of attack from hackers multiplies. Consulting firms large and small are lining up to serve a lucrative market: making computer systems more secure by finding their flaws first. This year, Forrester Research Inc. estimates the amount of money spent worldwide on computer security will hit $13.5-billion (U.S.), twice the total spent in 2000. By 2006, spending will climb to $20-billion, Forrester predicts.
"The pie is growing. As more and more companies move their systems on-line, the need is growing all the time," said Mr. Tang, who, at the age of nine, rewrote the software code for a slot machine video game.

Everyone is vulnerable to a hack attack. According to on-line security firm Symantec Corp., the average U.S. company is probed by hackers about 30 times a week. Most probes fail to find a weakness, but 15 per cent of attempts are successful intrusions into a company's network.
The rate of cyberattacks is rising. Symantec reports the number of vulnerabilities in networks and software jumped 81.5 per cent in the second half of 2002 from the same period in 2001. Computers in the home are susceptible, too, as residential cable and DSL connections to the Internet that are running all the time provide hackers with a potentially open door to data.
Last week, the U.S. Department of Homeland Security issued an unusually grave warning to all computer users running Microsoft Corp.'s Windows operating systems. The department's cyber security branch detected a dramatic increase in Internet-wide scanning for vulnerable computers. Industry watchers fear a co-ordinated hacking attack on a global scale is imminent.

There's some truth to the nerd stereotype -- it is believed that the bulk of hackers are young urban males spending too much time in front of a computer screen. These young hackers, or so-called "script kiddies," exchange software code via the Internet, downloads that can ease entrance into unprotected systems. Companies are under assault internally, too, from disgruntled employees to malevolent maintenance staff.
"Security is one of those things that skips through the ranks. . . . If you don't stay on top of those things, there are people out there that will take advantage," said Boro Marinkovich, director of technology infrastructure solutions at T4G Ltd., a Toronto Internet security firm. All computer operating systems and software have their weaknesses and flaws, he said.
"Code is code and bugs are bugs. There's probably a certain percentage of bugs inherent in any code. It's just how much is that code used to make that set number of bugs apparent," Mr. Marinkovich said. He added that cuts in tech spending mean on-line security is often put on the back burner, especially at small and medium-sized firms.
Elesh Kadakia, a systems solutions manager for networking vendor 3Com Inc. in Santa Clara, Calif., describes the Internet as a "multidimensional puzzle" for business. For competitive reasons, companies must broaden their electronic presence to serve potential customers, partners, suppliers and employees. But that expansion can be fraught with risks and requires greater security, he said.
"As you extend your network to outside a traditional firewall, you open yourself up to certainly more risk than if you didn't. But then, if you didn't open up your network, you lose business opportunity. It's a double-edged sword," Mr. Kadakia said.

Enter the ethical hacker. With an array of computer hardware and software at their disposal, ethical hackers attempt to duplicate an actual hacker attack. First, a company's Internet presence is probed for weaknesses, such as exposed services and unpatched software; if a weakness is found, the network is breached. Privileges are then escalated, first to an ordinary user account and then to an administrator's. In a "capture the flag" exercise, the ethical hacker attempts to take control of the network and retrieve as much data as possible.
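The first step described above, probing a company's Internet presence for exposed services, is the one an engagement usually begins with, and it is the only step that can be shown safely in a few lines. The following is an added example, not code from the article or from the Deloitte & Touche lab: a TCP connect scan with banner grabbing, run against a constructed stand-in service that the script itself starts on 127.0.0.1, so it runs offline and touches nothing outside the local machine. The banner text, the `start_fake_service` helper and the `scan` function are all assumptions of this example. Breaching and privilege escalation, the later phases in the article, are deliberately not shown.

```python
import socket
import threading

# Constructed sample: the greeting an exposed mail relay might send on connect.
# This banner and the listener below stand in for a client's perimeter host;
# they are part of the added example, not anything from the article.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start a tiny TCP listener on an ephemeral localhost port that sends
    `banner` to every client and hangs up. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)             # wake up periodically to check `stop`
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def probe_port(host, port, timeout=0.3):
    """TCP connect probe of one port.
    Returns the banner (str) if the port is open and the service talks first,
    '' if it is open but silent, and None if it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""              # open, but the service waits for us
            return data.decode("ascii", "replace").strip()
    except OSError:
        return None                     # refused, unreachable, or timed out


def scan(host, ports):
    """Probe each port in `ports`; return {port: banner} for open ports only."""
    found = {}
    for p in ports:
        result = probe_port(host, p)
        if result is not None:
            found[p] = result
    return found


def free_port():
    """Bind-and-release trick to find a port that is almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Start the stand-in service, scan it plus a closed port, and return the
    findings. Only the listener's port should appear, with its banner."""
    port, stop = start_fake_service()
    try:
        return port, scan("127.0.0.1", [port, free_port()])
    finally:
        stop()


if __name__ == "__main__":
    target_port, findings = demo()
    for p, banner in sorted(findings.items()):
        print(f"open {p}/tcp  banner={banner!r}")
```

A real engagement would run this kind of probe only against addresses the client has put in writing as in scope; the banner is the first clue to what software and version is exposed, and therefore to which known weaknesses are worth trying next.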
Each year, a major Canadian bank has a wager to see if its network can withstand a hacking attack, said one consulting source. The bank has yet to collect on the bet, the source said. Deloitte & Touche reports that more than 95 per cent of its hacking attempts are successful. The Toronto lab team regularly gains access to payroll records, employee directories, purchasing accounts and patient information. In one exercise, the lab was given three weeks to crack a client's computer system. It took two days.
"If we can do it, chances are other people can do it, too," Mr. Tang said. "And some companies may not be aware of it. That's the horror of the story."
Attack of the computer nerds
February, 2000: A 15-year-old hacker known as Mafiaboy attacks Internet sites operated by Yahoo Inc., Dell Inc., CNN, Amazon.com Inc. and eBay. His distributed denial-of-service attack floods the sites' servers with requests over a six-day period, shutting down the sites for a total of 16 hours.
July, 2001: CodeRed, a computer worm, attacks Microsoft's IIS Web server software. The worm scans for unpatched servers and copies itself onto each one it finds. Downtime and computer costs total $2.6-billion (U.S.).
November, 2001: Microsoft releases games console Xbox. The system's powerful processor, sophisticated graphics and audio system make it a favourite of hackers, who are able to convert the Xbox into a powerful PC for less than $200 (U.S.). It's estimated more than 200,000 hackers have downloaded the software necessary to complete the conversion.
January, 2003: The SQL Slammer worm, which spreads through a flaw in Microsoft's SQL Server database software, creates havoc on a worldwide scale. Internet service providers in South Korea shut down, plane schedules are disrupted and about 13,000 Bank of America automated teller machines shut down. Damage is estimated at $1.1-billion (U.S.).
March, 2003: The U.S.-led invasion of Iraq inspires a wave of pro- and anti-war hacking. Between 3,000 and 5,000 government and corporate sites around the world are shut down and defaced each day, including Arabic broadcaster Al-Jazeera.
May, 2003: Russian-based hackers search U.S. corporate Web sites for vulnerabilities, stealing data and credit card numbers. Then, via e-mail, the companies are warned that their Web sites are insecure. The hackers promise to return the data and fix the breach for a fee. U.S. government agencies arrest more than 130 people. An estimated 89,000 consumers and businesses are taken for $176-million (U.S.) over the course of five months.
Story by Keith Damsell