Things have changed
We are in a technological whirlwind, and most people don't realize the magnitude of the threats that are coming with this increase.
Things were much simpler when I came into the world in 1946. Something else came into the world that year which would begin to cause a change in everything we do. The first U.S. built solid state computer was born about 100 miles from my birthplace in Baltimore, Maryland in that same year. Its name was 'ENIAC', and it lived in a room about 40' X 40' in Philadelphia, Pennsylvania. When it was 'powered up', rumor has it that its 18,000 vacuum tubes would cause the lights in the city to dim just a little. The world would never be the same. The computer was officially 'born'.
Thirty five years would pass before I would 'own' my first personal computer in 1980. It was a TRS-80 Model III with whopping 16K of main memory. For an additional $1,000 I could have added 2 180K floppy drives and gone all the way up to 48K of memory. Having that kind of computing power available in someone's home was almost unbeliev-able at the time. Those 180K (about 1/5 of a megabyte) floppy disks began to be used by small businesses to hold their accounting records as well as other important information needed to run a business. The 'bad guys' of the world were beginning to figure out that this new thing called a personal computer could help them in their work as well. The first laws ever addressing High-Tech Crimes were about to be written.
1984 And Counting
1984 was a milestone year in many ways. There were no computer crime laws yet, but computers were beginning to be seen in the news, and in the movies. The now famous movie 'War Games' was making the rounds at the movie houses, and a new magazine called 2600 was finding its way into the hands of some curious computer hackers. Both of these events are still having their impact today.
If you haven't seen the movie 'War Games', you need to. If you saw it in 1984, you need to watch it again! Just about every threat and vulnerability used in the main plot is still a major concern today. Software programs called 'War Game Dialers' reportedly got their name from that movie, and there are millions more modems out there today then there were in 1984. How many are connected to your systems, and more importantly, are they unprotected? Could someone begin the entry process into your networks by running a 'War Game Dialer' and finding that open modem?
The magazine 2600 makes for some interesting reading, and it has been published every quarter since 1984. (The first few years were published monthly on 8.5 X 11 paper). Most people are shocked when they first read it. For years now, I have been recommending that corporate auditors and security managers (both technical and physical) need to keep up with the vulnerabilities described in this magazine. They need to check all corporate computers, Internet connections and WEB sites to be sure that available patches have been installed in order to help prevent a disaster that could place their company in the headlines.
A New Type Of Disaster
Just what is a disaster? According to Mr. Webster, it is 'a sudden calamitous event bringing great damage, loss or destruction; a sudden or great misfortune.' Way back in 1980 when I was banging away on my TRS-80 Model III, not too many businesses, or even individuals could tie that definition directly to a computer. Today, there are very few people or businesses who wouldn't scream DISASTER if their computer goes away and there was no recovery plan or capability.
Let's narrow the disaster focus just a little and talk about computer crime. This is the new kid on the crime block, and it is leading to some very serious high-tech disasters for some companies.
The first federal computer crime law didn't appear on the books until 1986. This is a brand new problem for corporations as well as for law enforcement. It's so new that many people don't know who to call for which type of a crime. A recent article mentioned a frightening statistic about high-tech crimes. It stated that as many as 97% of all high-tech crimes go UNDETECTED! That's undetected, not unreported.
Who Are The Criminals?
They could be anybody today. About ten years ago, all we heard about were Hackers as the reported 'bad guys'. That's far from true today. Just about every home now has a computer and a modem. (Unlike the 1985 War Games movie where the 1,200 baud modem that the hacker used was still pretty rare. Today, 56,000 baud modems are quite common, and modem speeds are climbing as fast as processor speeds.)
Always associating the word Hacker with the word Criminal is something that I have never agreed with. Many criminals might also be hackers, but I believe that most hackers are not criminals. Hackers like those who write for 2600 magazine (The Hacker Quarterly) freely write about vulnerabilities that they discover. It's our job as security specialists to insure that our companies are not open to these vulnerabilities. If this were a completely criminal element intent on simply committing crimes, they would probably not tell us about the vulnerabilities that they discover. They would simply remain silent and use them against us.
It's unfortunate to have to say this here, but many of the criminals could be people working directly for your company. For many years, I didn't believe it when I read that as much as 80% of all crimes against a company start on the 'inside' of the company. Ten years of working with law enforcement, as well as companies who have been victims, have changed my mind. The number of 'inside jobs' may be even higher than 80%. Things like pre-employment screening, employee awareness training and frequent audits can go a long way towards lowering that number for your company. An ounce of prevention may now be worth more than a 'ton' of cure. Start now!
Where To Go For Help
There are several places where you can go for help, and as the Internet continues to grow, more will be added. I'm going to share two of my favorites with you. The first is a group that was started by the Department of Energy several years ago.
They are called the Computer Incident Advisory Capability (CIAC) Group, and they have been helping people like you and I for a long time now. The information which they provide is always accurate, timely and detailed concerning newly discovered computer security vulnerabilities and countermeasures.
Their WEB site will provide a wealth of information and point you to many other security related WEB sites.
CIAC also has an e-mail self-subscribing mailing list for receiving CIAC-BULLETINS as they are published. These bulletins have become an interesting way for me to watch the growth of the 'threat' associated with computer security.
Just a few years ago, there might be a new security bulletin sent out about once each month on an average. Things have changed. My incoming e-mail now has brings me a new CIAC-BULLETIN almost every day. Someone in your company needs to get those bulletins and then check to be sure that you are not vulnerable to the security concerns which they address.
In the body of the e-mail message, include the words 'subscribe ciac-bulletins' (without the quotes.) I can't say enough good things about CIAC. Let them help you.
The second group that I want to tell you about is the High Technology Crime Investigation Association (HTCIA).
This association was started about ten years ago as a network for law enforcement and technical security specialists to be able to help each other in reacting to this new threat called High Tech Crime.
The HTCIA is now an International association, and new chapters are forming in many cities, states and countries each year. Many of the high tech crimes which have been committed have led to some interesting high tech disasters for the companies who were victims.
If there is one thing that we have learned over the past few years of dealing with these new crimes, it is this! PREVENTION is much better (and probably cheaper) than reaction, recovery and possible prosecution of these crimes.
Doing whatever you can to PREVENT being a victim may save you many sleepless nights and possibly your entire company.
Learn more about the HTCIA by visiting their International Home Page at http://htcia.org.
You can also contact me directly (The HTCIA International Public Relations Director) by e-mail at firstname.lastname@example.org. Many of you would be eligible to join or even start a chapter in your area.
I'll do whatever I can to help you to become involved with this excellent network.
Never Stop Checking
More than ever, security and disaster prevention are issues that we have to 'live' everyday, and not simply react to after we experience an incident. We can not afford to ever stop checking for security holes as technology continues to impact everything that we do. Those security bulletins that are coming every day may quickly start coming every hour of every day. Will any of these new bulletins have an impact on your corporate computer systems? If someone doesn't keep up with all of these newfound problems, as well as the solutions which are published to fix them, your next disaster could become your worst high tech nightmare? You can bet that the computer criminals are keeping up with them.
This new threat is a nasty, silent one that we all need to watch very closely as we work together to keep up with the vulnerabilities. I always try to remain optimistic, but after having dealt with these issues for ten years, I really believe that this problem will get much worse before it begins to get better. Keep checking, and it won't get worse for you!
Come ToMy Workshop
I was both honored and thrilled to have met so many of you at my breakout session in Atlanta last year. The session was titled 'High-Tech Crime: A New Type of Disaster That You May Not Have Planned For.' Those one hour sessions are great, but as a speaker, they can be frustrating. There is so much to cover when describing high-tech crimes and high-tech disasters, that I frequently go home wishing that there would have been just a little more time for the session. Well, I have some good news for me, and hopefully for some of you. Thanks to a number of you requesting it, I'll be presenting a three hour workshop at the San Diego Conference. My workshop will take place on Sunday, March 15, 1998, and I'll be sure to bring some surprises. My hobby is probably the most unique and interesting hobby in the world, and you'll have to attend my session to see what it is. I'll be looking for you. Until then, thanks again, and Sleep Well!
Jack Wiles has over 25 years experience in security related fields. He is a senior contributing editor for the Carolina Computer News where he writes a monthly security or diaster recovery related article. Recently he has retired from the U.S. Army Reserves as a lieutenant colonel.