Hacking for Dollars

Threats to information security come in all shapes and sizes, and from all directions: blended threats, mass-mailer worms, Trojans, phishing attacks, spyware, keystroke loggers, etc. Every day, one or more of these threats put critical information at risk in Internet-connected corporations and businesses around the globe.

One of the biggest differences between the threats of today and those of yesterday is motive. It used to be that a hacker demonstrated his or her skills to gain notoriety or bragging rights within the hacking community.

Now, however, it’s all about profit.

Show Me the Money

Malicious code for profit is the name of the game today. And how do online con artists and criminals get between victims and their money? More often than not, it is by duping unsuspecting users into doing something they should not—like opening an infected attachment, clicking on a fraudulent link, providing sensitive information to an untrustworthy source, downloading unsafe programs, and more.

Unfortunately, users often make it even easier for hackers to exploit their systems by neglecting to keep operating systems and other software up-to-date. And keeping up with such critical but cumbersome tasks is no easier for IT administrators who typically have so much to patch and so little time.

Yet, just one vulnerable system or a single gullible or careless user is all it might take for a hacker to gain entry into a virtual goldmine of confidential corporate data. Then what?

Trouble, that’s what. Security experts have observed what they refer to as “a worrisome trend” in the use of malicious code for profit. According to our most recent bi-annual Internet threat report, targeted Trojan attacks are being used for financial gain.

In one overseas case, several executives at large companies were arrested for allegedly using Trojans to monitor their competitors, costing those competitors lost bids and customers as a result. The Trojan provided complete access to the victims’ computers over the Internet.

And how did the Trojan get onto a victim’s system in the first place? Through a seemingly safe e-mail attachment, which was opened by its naïve recipient.

In another unrelated case, Trojans were sent to government agencies in the United States and the United Kingdom either via e-mail attachments or by exploiting a vulnerability in a popular word processing program. The Trojans were able to download other applications and open back doors on the compromised computers.

Just Say No

So, what does this mean to the CIO? It’s simply a reminder that when attempting to assess and manage risk, the place to start is with people. End users must understand the difference between safe and unsafe computing practices and must be held accountable for their actions.

The most appropriate forum for sharing this information is the corporate information security policy, which every employee should read and understand.

Among other things, this policy should detail the following:

  • Employees should not open e-mail attachments from unknown or unexpected sources.
  • Employees should not click on any links included with suspicious messages.
  • Employees should not respond to e-mail requests for personal information.
  • Employees should not download unauthorized software.
  • Employees should not divulge user ID and password information.
  • All antivirus, firewall, and other security technologies should be kept up-to-date.
  • Vulnerabilities in operating systems and software should be patched as quickly as possible by the appropriate technical personnel.

People represent one of the greatest risks to information security and availability. Yet, they can also be one of the most formidable deterrents to information theft and compromise—if they understand and follow proven best practices for secure computing.

With a well-informed workforce, organizations can take better advantage of the technologies of today and tomorrow while reaping the benefits of doing business efficiently and effectively in a highly connected and very profitable Internet-driven world.

Mark Egan is Symantec’s CIO and vice president of Information Technology. He is responsible for the management of Symantec’s internal business systems, computing infrastructure, and information security program. Egan is author of “Executive Guide to Information Security: Threats, Challenges, and Solutions” from Addison Wesley and was a contributing author to “CIO Wisdom.”