Tuesday, January 19, 2010
Companies Fight Endless War Against Computer Attacks
Google’s confrontation with China — over government censorship in general and specific attacks on its systems — is an exceptional case, of course, extending to human rights and international politics as well as high-tech spying. But the intrusion into Google’s computers and related attacks from within China on some 30 other companies point to the rising sophistication of such assaults and the vulnerability of even the best defenses, security experts say.
“The Google case shines a bright light on what can be done in terms of spying and getting into corporate networks,” said Edward M. Stroz, a former high-tech crime agent with the F.B.I. who now heads a computer security investigation firm in New York.
Computer security is an ever-escalating competition between so-called black-hat attackers and white-hat defenders. One of the attackers’ main tools is malicious software, known as malware, which has steadily evolved in recent years. Malware was once mainly viruses and worms, digital pests that gummed up and sometimes damaged personal computers and networks.
Malware today, however, is likely to be more subtle and selective, nesting inside corporate networks. And it can be a tool for industrial espionage, transmitting digital copies of trade secrets, customer lists, future plans and contracts.
Corporations and government agencies spend billions of dollars a year on specialized security software to detect and combat malware. Still, the black hats seem to be gaining the upper hand.
In a survey of 443 companies and government agencies published last month, the Computer Security Institute found that 64 percent reported malware infections, up from 50 percent the previous year. The financial loss from security breaches was $234,000 on average for each organization.
“Malware is a huge problem, and becoming a bigger one,” said Robert Richardson, director of the institute, a research and training organization. “And now the game is much more about getting a foothold in the network, for spying.”
Security experts say employee awareness and training are a crucial defense. Often, malware infections are a result of high-tech twists on old-fashioned cons. One scam, for example, involves small U.S.B. flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document. In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC and, from there, explore a company’s network.
With this approach, the hackers do not need to break through a company’s network defenses because a worker has unknowingly invited them inside.
Another approach, one used in the Google attacks, is a variation on so-called phishing schemes, in which an e-mail message purporting to be from the recipient’s bank or another institution tricks the person into giving up passwords. Scammers send such messages to thousands of people in hopes of ensnaring a few. But with so-called spear-phishing, the bogus e-mail is sent to a specific person and appears to come from a friend or colleague inside that person’s company, making it far more believable. Again, an attached file, once opened, unleashes the spy software.
Other techniques for going inside companies involve exploiting weaknesses in Web-site or network-routing software, using those openings as gateways for malware.
To combat leaks of confidential information, network security software looks for anomalies in network traffic — large files and rapid rates of data transmission, especially coming from corporate locations where confidential information is housed.
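The kind of check described above, as an added example that is not from the original article or any product it mentions: it scores outbound flow records for large transfers and high transfer rates, with tighter limits for sources on subnets that house confidential data. The subnets, thresholds, record fields and sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed for illustration: internal range, subnets housing confidential data, thresholds.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SENSITIVE_NETS = [ipaddress.ip_network("10.20.0.0/24")]
MAX_BYTES = 50 * 1024 * 1024   # one outbound flow larger than 50 MiB
MAX_RATE = 2 * 1024 * 1024     # average rate above 2 MiB/s

@dataclass
class Flow:
    src: str
    dst: str
    bytes_out: int
    seconds: float

def is_sensitive(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SENSITIVE_NETS)

def score(flow):
    """Return the reasons a flow looks like a possible leak (empty list if none)."""
    if ipaddress.ip_address(flow.dst) in INTERNAL_NET:
        return []  # traffic that stays inside the company is out of scope here
    sensitive = is_sensitive(flow.src)
    factor = 4 if sensitive else 1  # sensitive sources get limits four times tighter
    reasons = []
    if flow.bytes_out * factor > MAX_BYTES:
        reasons.append("large transfer")
    rate = flow.bytes_out / max(flow.seconds, 1.0)  # guard against zero-length flows
    if rate * factor > MAX_RATE:
        reasons.append("high rate")
    if reasons and sensitive:
        reasons.append("sensitive source")
    return reasons

def flag(flows):
    return [(f.src, f.dst, r) for f in flows if (r := score(f))]

# Constructed sample flow records (documentation address ranges for external hosts).
SAMPLE = [
    Flow("10.1.5.23", "203.0.113.10", 300_000, 12.0),       # ordinary web upload
    Flow("10.20.0.7", "198.51.100.44", 20_000_000, 600.0),  # slow 20 MB from a file server
    Flow("10.1.5.40", "203.0.113.99", 90_000_000, 20.0),    # big and fast from a desktop
    Flow("10.20.0.7", "10.1.5.23", 500_000_000, 60.0),      # internal copy, ignored
]

if __name__ == "__main__":
    for src, dst, reasons in flag(SAMPLE):
        print(src, "->", dst, ", ".join(reasons))
```

The second sample flow is flagged only because its source sits on the assumed sensitive subnet; the same transfer from an ordinary desktop would pass.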
“Fighting computer crime is a balance of technology and behavioral science, understanding the human dimension of the threat,” said Mr. Stroz, the former F.B.I. agent and security investigator. “There is no law in the books that will ever throw a computer in prison.”

nytimes