Cybercrime’s Next Frontier
Even when security professionals manage to defend existing networks, the ever-increasing demand for more access by legitimate users creates new vulnerabilities. Take the explosion in wireless data networks, which allow an organization’s employees to exchange messages and other data while wandering around with laptops and other devices. These networks provide malicious agents with “the next great frontier” for cybercrime, says Padgett Peterson, a Lockheed Martin security expert. The Internet is lousy with instructions for breaking into cell phones, pagers and personal digital assistants like the Palm. Intruders can also try “war-driving,” which involves cruising the roads around corporate or government strongholds with equipment that intercepts wireless data transmissions, no passwords needed.
In an attempt to defeat such drive-by hacking, many wireless networks incorporate the popular Wired Equivalent Privacy protocol, which scrambles all data sent over the network. Unfortunately, AT&T researchers led by Avi Rubin and guided by theoretical work published by researchers at Cisco and the Weizmann Institute in Israel cracked the scheme in August, essentially rendering it useless. Rubin suggests replacing the approach with a technique compatible with the new (and so far impenetrable) Advanced Encryption Standard expected to be adopted by government agencies by year’s end. But this won’t be much consolation to organizations that have already invested millions of dollars in setting up their wireless networks. “When the new standard comes out, all the wireless PC cards and base stations will have to be replaced,” says Rubin.
But no matter how successfully such technologies fend off existing threats, no end to the security wars is in sight. That’s because experts can’t predict perfectly what tricks criminals, spies and saboteurs will come up with next to turn our reliance on computers against us. “I’m always surprised by what the next threat turns out to be,” says Lockheed Martin’s Peterson.
To guard against threats that pros haven’t even imagined yet, Peterson advocates a different sort of defense: rethinking the basic architecture of organizational networks. Conventional corporate network architecture, he says, affords employees fairly open access to internal databases, while attempting to place generally ineffective restrictions on connections to the outside world. Under that scheme, he says, a malicious agent need only gain access to an employee’s computer in order to get into the databases.
Under the plan Peterson supports, users would have relatively open access to the outside world, while databases and other files are placed under severe and closely monitored restrictions. That way, an invader could take over Internet servers and employees’ computers but still couldn’t gain access to the databases and files, because nobody gets free access. “You have to be willing to reverse your thinking,” Peterson says. “Not many people are.”
There’s another weakness to address: law enforcement’s limited ability to respond to computer security threats. Despite increasing security efforts in both the private and public sectors, sophisticated invaders can more or less operate without fear of being tracked down, even if they are detected. “Law enforcement and systems administrators are always behind the curve,” says Settle. Experts agree that the FBI, which bears much of the federal responsibility for responding to computer attacks, is woefully ill equipped to deal with computer crime and terrorism. “If that’s where our expertise lies, we’re in trouble,” says Computers and Security editor David. That’s another reason most companies don’t bother to report break-ins when they manage to detect them. In the Computer Security Institute and FBI survey, only 36 percent of the companies that admitted to being hit said they reported the crime to law enforcement.
It may be, says security consultant Farmer, that the only reason we haven’t been victimized by a much more intense barrage of computer assaults is that most professional criminals and terrorists still perceive conventional physical attacks like armed robbery and bombings as providing more reliable payoffs. “That will change as we move our critical infrastructures online,” he asserts.
In the end, the solution may be to rethink what the Internet is good for, as Lockheed Martin’s Peterson suggests. Just as savvy travelers know not to pack irreplaceable possessions in a checked suitcase or walk in an urban park after dark, so organizations and individual users will recognize that highly sensitive data shouldn’t be sitting on easily accessed servers. “Security probably won’t improve in a technical sense,” says Farmer. “Only in a social sense.”
As for less sensitive information, well, organizations may need to accept the notion that the advantages of keeping it accessible outweigh the pain of occasionally having it swiped. Consider it a cost of doing business in a wired world, or, to put it another way, an acceptable casualty of electronic war.