Life in the Electronic Fortress

by rthieme on April 12, 1997


published in the Small Business Times (Milwaukee WI)

Innocents Abroad

I received a telephone call recently from a young friend. Marcus (not his real name) was excited. Marcus lives and works in Tokyo, where he spends his days breaking into electronic bank accounts, then moving the money into hidden accounts. He documents his every move, enabling the banks that pay him to learn from his intrusions.

But that’s not why Marcus was excited.

He was excited because the government of Japan had just offered him a good salary and more computing power than he ever dreamed. All he had to do was become an electronic espionage agent on behalf of the government.

Marcus decided not to accept the tempting offer. He did not want to betray his country. He was thinking of his future, he said.

After all, Marcus is twenty years old.

Every Company a Country

That story tells us what kind of war has replaced the Cold War, with its well-defined enemies and mythological underpinnings of a political and economic Armageddon.

In a global economy, every business must act as if it is an independent country and engage in intelligence and disinformation activities, not as an afterthought, but as a presupposition of doing business.

In a knowledge economy, information is money, and those who know how to get it and link it into meaningful patterns have power.

Who are the good guys?

The head of an FBI computer crime squad says he worked for three years to create cross-disciplinary teams drawn from both branches of the FBI’s traditional structure — civil crimes and espionage. Electronic crime crosses boundaries. The national borders we take for granted evolved recently, in the past few hundred years. Borders that once appropriately defined and secured our economic and political life are now semi-permeable membranes. Even when an intrusion into a computer network looks like a civil crime, we don’t know who is paying for the work or where the information will wind up.

Americans are often naive about the realities of the new marketplace and the behaviors it mandates. Other countries’ governments work hand in hand with businesses on behalf of their mutual self-interest.

The French Government cooperated with Air France, for example, to bug first class seats in order to overhear the conversations of business travellers. France grants draft deferments to young people in exchange for their migration to America to work as “moles” in American companies. Hotels in South Korea, Japan, and China are often wired to eavesdrop on all conversations. Loose-lipped Americans compromise trade secrets and business strategies without even knowing it.

The People are the System

Recently I consulted with a firm that had obvious, elaborate security procedures.

I asked about employee turnover.

“We’ve had a lot lately,” said my host. “Hundreds of people coming and going. Why?”

I thought of a conversation with an employee of a company reeling from waves of downsizing. When I finally connected with a human being after being lost in voice mail for a week, I expressed my frustration.

“I know,” she said with a sigh. “We thought we could plug new people into the system. We found out that people ARE the system.”

People are the system. The information and energy that define an organizational system are intrinsic to the people who constitute it.

Just as in spy stories of old, angry employees who think they were treated unfairly are the weak links in the chain.

It’s not Chips and Switches, it’s People

According to a programmer at Secure Computing, a maker of firewalls to protect networks, 85% of security breaches are people-related.

Security is always a trade-off between ease of use and realistic precautions. You can lock yourself in a fortress and never come out, but then you can’t work. Only the dead are truly secure.

Ever watch college students track a grass path that cuts a few seconds from a paved route? People always take short cuts when it saves time or energy.

Ira Winkler of the National Computer Security Association relates how he was hired as a temp by a five billion dollar corporation to evaluate its security. He had a computer terminal and an email address. In three days, he secured the plans, patents, blueprints, and correspondence behind four and a half of those five billion dollars. Had he been a genuine enemy agent, he would simply have disappeared, taking copies and leaving the originals intact.

Winkler knew how to hack the computer network, but most of what he needed came from “social engineering,” talking people out of significant information. He worked late and wandered the cubicles, taking advantage of violations of standard procedures (like passwords left on post-it notes stuck to a monitor).

What Are They After?

An expert at Price Waterhouse’s Enterprise Security Solutions says that highly visible or obviously valuable information is most at risk. John Darbyshire oversees security penetration services for PW. His teams simulate the behavior of intruders on every level from scaling walls and rummaging through trash to breaking through firewalls and talking secretaries out of passwords.

Darbyshire is often the first to raise a red flag for the companies he works with. Most businesses still operate in a small town frame of mind, leaving doors unlocked and windows open.

The sophistication of recent attacks and the dollar value of losses are increasing, he believes. His surveys indicate that large losses are widespread, but kept out of the public domain by companies unwilling to lose face by admitting they have been penetrated.

What is to be Done?

A local enterprise, Sun Tzu Security, suggests an evaluation of all aspects of security. Firewalls alone can lull business owners into a false sense of security. Complacency makes people careless.

Intrusion-detection products now on the market, such as Net Ranger or Network Flight Recorder, monitor the behavior patterns of users seeking access and disconnect those whose patterns look suspicious.
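As an added illustration of what such a monitor actually does (this is not code from the article, from Net Ranger, or from Network Flight Recorder; the log lines, addresses, user names, the five-failure limit and the two-minute window are all constructed assumptions), here is a small Python detector that replays sshd-style log lines, cuts off a source after five failed logins in two minutes, and raises an alert when a login succeeds right after several failures from the same source:

```python
"""Behavior-pattern login detector over constructed auth log lines.

Added illustration only: the log format, source addresses, user names and
thresholds below are assumptions, not data from the article or from any
named product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (syslog-like). Three sources: a fast password-guesser,
# a guesser who eventually gets in, and a slow guesser spaced 15 minutes apart.
SAMPLE_LOG = """\
Apr 12 08:01:02 gw sshd: Failed password for alice from 10.0.0.5
Apr 12 08:01:05 gw sshd: Failed password for alice from 10.0.0.5
Apr 12 08:01:09 gw sshd: Failed password for root from 10.0.0.5
Apr 12 08:01:12 gw sshd: Failed password for admin from 10.0.0.5
Apr 12 08:01:15 gw sshd: Failed password for guest from 10.0.0.5
Apr 12 08:01:20 gw sshd: Accepted password for bob from 10.0.0.5
Apr 12 08:05:00 gw sshd: Failed password for carol from 10.0.0.7
Apr 12 08:05:10 gw sshd: Failed password for carol from 10.0.0.7
Apr 12 08:05:20 gw sshd: Failed password for carol from 10.0.0.7
Apr 12 08:05:30 gw sshd: Accepted password for carol from 10.0.0.7
Apr 12 09:30:00 gw sshd: Failed password for dave from 10.0.0.9
Apr 12 09:45:00 gw sshd: Failed password for dave from 10.0.0.9
Apr 12 10:00:00 gw sshd: Failed password for dave from 10.0.0.9
Apr 12 10:15:00 gw sshd: Failed password for dave from 10.0.0.9
Apr 12 10:30:00 gw sshd: Failed password for dave from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

FAIL_LIMIT = 5              # failures inside WINDOW => disconnect the source
FAILS_BEFORE_SUCCESS = 3    # success after this many recent failures => alert
WINDOW = timedelta(minutes=2)
YEAR = 1997                 # syslog lines carry no year; assumed for parsing


def parse_line(line):
    """Parse one syslog-style sshd line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, fail_limit=FAIL_LIMIT,
           fails_before_success=FAILS_BEFORE_SUCCESS, window=WINDOW):
    """Replay the log and return verdicts as (src, action, detail) tuples.

    Per source we keep only the failure timestamps inside the sliding window,
    so a burst of guesses is caught, but guesses spaced wider than the window
    expire from the queue and are never counted together.
    """
    recent_failures = defaultdict(deque)
    disconnected = set()
    verdicts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if src in disconnected:
            continue  # already cut off; later lines from this source are ignored
        q = recent_failures[src]
        while q and ev["ts"] - q[0] > window:
            q.popleft()   # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= fail_limit:
                disconnected.add(src)
                verdicts.append((src, "disconnect",
                                 f"{len(q)} failed logins within {window}"))
        elif len(q) >= fails_before_success:
            verdicts.append((src, "alert",
                             f"login as {ev['user']} after {len(q)} recent failures"))
    return verdicts


if __name__ == "__main__":
    for src, action, detail in detect(SAMPLE_LOG):
        print(f"{action:10} {src:10} {detail}")
```

Run as written, the first source is disconnected on its fifth failure and its later successful login is never seen, and the second source produces an alert because its success follows three failures. The third source, guessing once every fifteen minutes, produces nothing at all: each failure has expired before the next arrives. That is the trade-off such monitors live with. Widening the window (for example `detect(SAMPLE_LOG, window=WINDOW * 60)`) catches the slow guesser at the cost of holding more state per source and cutting off more legitimate users who simply mistype.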

But beyond electronic counter measures, Sun Tzu suggests developing rigorous policies for maintaining security at a reasonable level.

Some Essential Steps

+Perform an “information system risk management” analysis and include “the people who are the system” in that analysis.

+Evaluate realistically the value and visibility of proprietary data. Assume that if it is valuable, a competitor will try to get it.

+Do not build an organization, then tack on security as an afterthought. See the entire business as a system of information and energy and build security into that system from the inside out.

+Develop a comprehensive plan and rigorous procedures with strict accountability.

+Maintain a state of appropriate anxiety. Remember: to be afraid is appropriate to our current circumstances, to be complacent is suicidal.

Be prudent, not paranoid, and protect your business with reasonable realistic precautions.
