Data security is such a broad and technically complex issue that it is difficult to know where to start when it comes to threats.
One of the most familiar and oldest threats is hacking. Ever since computers could connect to the outside world, hackers have been searching for “hidden doors” that can give them access to systems and the data behind.
Sometimes, their intentions are purely mischievous – one of the most famous hacking victims was the Duke of Edinburgh whose private pages on the Prestel computer system were hacked by a 19-year-old in 1985. The only damage done was to the pride of BT, the telephone company that operated Prestel.
Hackers can also be driven by political objectives. At its most extreme, this is called cyberterrorism and it is something that governments take seriously after 9/11.
However, the threat from cyberterrorism has to date been mainly theoretical and most politically-motivated attacks come from “hacktivists” – hackers protesting a government’s actions or a company’s products. During the Kosovo conflict in 1999, for example, Nato computers were blasted with e-mail bombs and hit with denial-of-service attacks by hacktivists protesting the Nato bombings.
But for most businesses, the most damaging type of hacking is that driven by malice or monetary gain.
In a recent case in the US, a Florida-based computer consultant demanded to be paid more money by his former employer for a program he had created. When the company refused, he remotely accessed its computer system and changed all the passwords, thus preventing employees from logging on. The consultant was recently convicted of “causing damage to a protected computer system” and sentenced to pay $10,000 to the company to compensate for the revenues lost.
It is difficult to protect against attacks by disgruntled employees, particularly if they have intimate knowledge of how a system works. But insider attacks are rare and the culprits usually caught.
More worrying are the anonymous hacking attacks by outsiders that have become more prevalent with the growth of the internet.
Hackers continually probe the internet searching for IP addresses with unprotected “ports”, which they can penetrate to reach the computers behind.
Firewalls help prevent these attacks and they come in two types: software and hardware. Software firewalls are cheapest – the more basic ones are free – while hardware-based firewalls offer more sophisticated features.
Big businesses invariably use firewalls to isolate their corporate network from the insecure internet. But they are less widely used by home users and SMEs, who are more vulnerable as suspicious internet activity will probably go unnoticed. A good website for testing firewalls and other security checks is ShieldsUP!
Even if businesses believe they have secured their data at the network level, their web applications may still be vulnerable to attack. For many businesses, the internet is now their window on the world. But it is also a window of opportunity for hackers who know how to exploit vulnerabilities in commonly-used website software.
For example, a San Diego man was recently charged with hacking into a university admissions website, where he accessed more than 270,000 applications containing personal data such as social security numbers. The university spent more than $140,000 on notifying the affected students and fixing the break-in.
The man used a well-known hack called “SQL Injection,” which lets the hacker directly access the database behind the website by entering commands into a form on the website.
Acunex, a Malta-based company specialising in website security, says SQL injection is one of the commonest hacking tricks today.
Unlike most hacks, it does not depend on a vulnerability in an operating system or browser. Instead, it exploits the naivety of website designers, who do not assume users will type commands into forms.
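The design flaw described above, and its standard fix, can be shown in a few lines. This is an added example, not part of the original article; the table, the sample rows, the function names and the two form inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory admissions table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applications (applicant_id TEXT, name TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO applications VALUES (?, ?, ?)",
        [("A100", "Alice Example", "000-00-0001"),
         ("A200", "Bob Example", "000-00-0002"),
         ("A300", "Carol Example", "000-00-0003")],
    )
    return db

def lookup_vulnerable(db, form_value):
    """The naive design: form text is pasted straight into the SQL statement."""
    query = ("SELECT name, ssn FROM applications WHERE applicant_id = '"
             + form_value + "'")
    return db.execute(query).fetchall()

def lookup_parameterized(db, form_value):
    """The fix: the form text is bound as a value and never parsed as SQL."""
    query = "SELECT name, ssn FROM applications WHERE applicant_id = ?"
    return db.execute(query, (form_value,)).fetchall()

# Constructed form inputs: an ordinary applicant ID, and one containing SQL syntax.
ORDINARY = "A100"
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for label, value in (("ordinary", ORDINARY), ("crafted", CRAFTED)):
        print(label,
              "| vulnerable:", len(lookup_vulnerable(db, value)), "rows",
              "| parameterized:", len(lookup_parameterized(db, value)), "rows")
```

With the ordinary input both versions return one applicant. With the crafted input the concatenated query returns every row in the table, while the parameterized query looks for an applicant whose ID is literally that text and returns nothing.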
Acunex offers a downloadable scanner that can check whether a website is vulnerable to this attack and other popular hacking tricks, such as Google hacking – using Google to discover technical details about a website.
Phishing also exploits naivety, this time of the users of e-commerce sites. An e-mail is sent out en masse directing customers of an online bank or e-commerce site to visit a plausible-looking website where they are asked to update their personal information. The website is bogus and serves to steal the users’ ID and PIN code, which fraudsters later use to plunder their account.
Phishing is difficult to counter because it relies on “social engineering” rather than technology. Citibank customers, for example, who receive an e-mail that seems to come from that bank are likely to open it.
Phishing sites are up for a limited time – but long enough to collect the details on dozens of legitimate accounts.
“Phishing is very difficult to prevent because the phishers change URL (web address) every few hours so you cannot stop them by blocking URLs of known phishing sites,” says Neil Hammerton, founder and chief operating officer of Email Systems, a UK company that manages e-mail for businesses.
Fortunately, internet users are increasingly aware of the dangers of responding to e-mails requesting personal information.
So, phishers have developed a subtler way to collect the information: the “phishing trojan”. With this, the e-mail does not direct the user to a website but secretly installs a key-logging program, a type of spyware. If the user then visits a popular banking site, the key-logging software records the keystrokes the customer types when asked for their ID and password. The keystrokes are then secretly forwarded to the fraudster.
The best defence against this and other types of spyware is to install one or more anti-spyware programs. Lavasoft Ad-Aware, Spybot Search & Destroy and Microsoft’s AntiSpyware are all effective and free.
Internet users should be very careful about downloading little-known anti-spyware programs advertised on third-party websites. Some of these programs are themselves spyware.
Spyware is closely related to viruses and Symantec, the US internet security company, uses the umbrella term “malware” to cover all email-borne pests.
“E-mail is still a viable vector for malware,” says Kevin Hogan, senior manager of Symantec’s security response centre in Dublin.
The traditional practice of sending out viruses in a random fashion still happens, but they do not have the impact that they had in the past, he says, because of the widespread use of anti-virus software.
In addition, most people now know not to click on “.exe” files or other program files attached to unsolicited e-mails.
The malware writers have thus had to adopt more devious ploys, such as exploiting vulnerabilities in PowerPoint or Excel files, which scanners will not automatically block because businesses regularly receive these types of file.
Spam is more of a nuisance than a threat and internet service providers now manage to block a considerable amount of spam before it reaches its destination.
If a lot still gets through, then try using McAfee’s SpamKiller or a popular open-source alternative, SpamAssassin – you’ll need IT skills for the latter.
The success of anti-spam software has also obliged spam senders to change tactics.
“Two years ago, spam was about people sending Viagra adverts but now it’s blurring into something less benign,” says Mr Hogan.
Today’s spam is thus likely to be “tainted” with adware, spyware and a host of other malicious codes.
The usual way to combat the growing range of malware is to install commercial programs to detect spam, spyware and viruses, but you must ensure they are regularly updated. An alternative for those who do not have the time or resources is to hand the job over to a third party like Email Systems, which offers peace of mind in return for a monthly fee.