The Price of Secure Data
The current rash of Web hacking makes security purchases easier to justify, but when do their costs outweigh their benefits?
With the recent, very public outbreaks of crackers disrupting businesses on the Net through massively distributed denial of service attacks, many businesses have been installing security software like never before. The scary legalities that they may have to face if their compromised systems are implicated in an attack are usually more than enough of a reason for the management to push through the purchase requests and the overtime that the tech staff request. But is all of this really necessary? Are we, in typical North American fashion, overreacting to what we have been led to perceive as a threat?
In 1798 Thomas Malthus wrote an influential paper entitled Essay on the Principle of Population. In it, he describes what we now know as the Law of Diminishing Returns. In its original form, the law states that "if one factor of production is increased while the others remain constant, the overall returns will eventually decrease after a certain point." This law can be applied to many aspects of modern life, security included. While the adage that you can never have too much security may be true, there is certainly a point where the purchase, installation, configuration and maintenance of a new security package outweigh its benefits.
First are those crackers who subscribe to the George Leigh Mallory school of thought (when asked why he climbed Everest, he responded "Because it's there"). These individuals generally attempt to gain entry to a computer system just to prove to themselves that they can do it, and by and large, they are not intentionally malicious towards your system. Usually these people do not pose a direct threat to your system, but they are a pain nonetheless.
Next are the jokers of the computer world, the crackers that, after gaining access to your system, make moves to modify the behavior of your computer. Using their access to your system, they will play practical jokes on you, often sending messages to users as they work, or perhaps redirecting their Web browsers to a less socially acceptable Website. Again, the actual threat here is not so much lost or stolen data, but rather the time and effort spent playing cat and mouse with these people while tracking them down.
For some businesses, loss of their information and files are of the greatest importance. If your competitor decides that they would like to see how your new widget works, they may choose to employ a cracker (or group of crackers) that specialize in "information retrieval." A good deal of fear has been built up around this type of cracking, most of it resulting from mass media (Hollywood's depiction of a "hacker" often falls into this category). In my experience this fear is unfounded, as the majority of the data circulating internally in a company is not mission-critical, nor particularly secret. A much more common method of corporate espionage is to simply pay off someone on the "inside" to get the information required...but I digress.
Perhaps the smallest, but deadliest, groups of crackers are those who take a sick pleasure in the destruction of others' property and data. With the mentality similar to that of a common vandal, once they have gained access to your system they will go about indiscriminately destroying whatever they can get their hands on. They will take over your systems, locking you out, taking down your servers, perhaps even attacking others through your captured systems. Thankfully, these types of attacks are very rare, and are generally not a good reason to lose sleep at night.
Now that we know what kinds of people we are dealing with, we must decide how we should respond to the threat posed by them. Make sure that you know the limitations of your current system. Also know how these limitations can be pushed back or removed entirely. For example, if you are concerned that someone may take out your network by flooding your bandwidth, get a backup Net connection (it doesn't need to be as fast as the primary, but it should be able to take a modest load for the most important communications). If possible, an entirely different provider should host this backup connection. This will hopefully shield you from an ISP-specific attack. (For example, if someone decides that they hate @Home, and they attack the @Home network, your DSL service would continue unaffected.)
If you don't have a security policy, make one. If you do, make sure that it is up-to-date and that everyone that needs to know it does. This document should not be considered to be a static object, but should be reviewed on a regular basis and adapted as situations change. A good security policy will give you the framework from which you can build your defenses.
What sort of criteria can you use to "rate" the likelihood of an attack against your system from some or all of the above listed types of crackers? First of all, you need to evaluate what type of company you are trying to secure. A data-warehousing firm will require much more security than an architectural firm, just as an architectural firm will require more security than the corner flower shop. The type of data that you keep is also relevant, as the more interesting or enticing the data is, the more brightly the digital candle will burn, and the more crackers will be attracted to your systems.
Visibility on the Net is a very important concern. If you run a major ecommerce site, the chances are you are going to be attacked, long, hard and often. However, if you just have a site that is rarely visited, and then only by parties that are looking specifically for you (the corner flower shop) you will be much safer. Anonymity among the masses is a useful feature for small businesses when it comes to security, but it is not something that you should count on.
If you have a reputation for having a weak or poor security system, you are much more likely to be attacked. More effort will be required to secure your systems to prevent any of the low- to medium-skill level crackers from getting through.
An obvious question that is often overlooked is: "What kinds of damage are we really worried about?" If your company runs on online catalog, then having someone crack into your system and download a copy to spread around the Net is not really that large of a problem. However, if this person comes in and starts replacing your pictures of furniture with pictures of their camping trip, then you've got a problem. Similarly, if you are running an ecommerce site, having someone change the selling prices of your products could potentially be detrimental.
A good rule of thumb is that if the data is important enough to protect, then it is certainly important enough to be backed up on a regular basis. Running nightly backups on your file server can protect you from disaster, either through a mirroring program that dumps a full image of the drive as of that evening, or by using an incremental tape backup. It is important to realize that more data loss will occur from mistakes made by employees, and through hardware failure, than typically will ever occur from a cracker. By backing up your data, you are not only performing due diligence with data protection, but you are also creating a digital log book that allows you to see what files were modified by whom and when (useful for when you are trying to track down when a breach occurred).
Spending money on security is hardly a cut-and-dry affair, but a good metric to use for a cost-benefit analysis is to first determine the value of the data. Losing your customer database is (probably) not nearly as costly as losing your accounts receivable file. Second, try and take into account how much the data is worth to someone else. For example, Western Union's database was just another information source for them in which they stored various pieces of information about their customers, including how to bill them (we're talking credit card numbers here, folks). To a cracker who discovered that this database was freely accessible to the outside world, it was a source for hundreds of thousands of valid credit card numbers, complete with the names and expiration dates on each of the cards. To paraphrase those new VISA ads:
Customer Information: $1,000,000
Cost saved by leaving it unsecured: $20,000
The looks on all those annoyed customers' faces when they found out they have to cancel their cards: Priceless
Needless to say, the loss of confidence in the service that Western Union offers from this mistake will certainly lose them far more money than it would have cost them to secure the information in the first place. In fact, it wouldn't surprise me if Western Union receives a bill in the mail a few months down the road from the credit companies affected for all of the additional manpower required to change each and every one of the affected customers' credit cards, let alone if they decided to ask for compensation for the amount of time it took to sort out all of the fraudulent claims that will undoubtedly occur. The moral of this story is to spend what is necessary to secure the data that you have.
Which brings us to an interesting point. Should these companies be storing this data online? As part of a proactive loss-prevention program, you could keep only the absolute basic set of data accessible online. For Western Union, if they absolutely needed to keep their customers' credit card information, they could keep the majority of it offline. Just think how much less damage would've been caused if only the last 24 hours' worth of credit card transactions were actually accessible to the Web. Fewer overtime hours would be logged at the credit card companies as they tried to handle the flood of calls; less money would have to be spent on spin-doctoring the event; and ultimately, less additional costs would be passed on to the consumers.
To sum it up:
Don't spend $100,000 for a new firewall and router just to secure $10,000 worth of data.
Don't forget that you have competitors that have less scruples than you.
Backups are a good thing and can save you in even the most dire of circumstances.
Finally, don't leave any important or sensitive information on a computer that can be accessed through the Internet.
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net (tm)