Are we vulnerable to cyber-attacks?
(FORTUNE.COM) -- With war on Iraq underway, the possibility of a terrorist response is on all of our minds. In addition to the other things we have to worry about, this is likely to be the first major war that takes place with the entire world linked together by one continuous set of electronic signals. That creates immense dangers of war-related hacking and cyber-terrorism.
Even without war, the risks of cyber-attack have been growing daily. The British consulting firm mi2g said in a report this week that verifiable digital attacks worldwide have caused economic damage of more than $16 billion so far this year, almost double a year earlier. And 64 percent of digital attacks worldwide have been against North American targets, compared to about 30 percent a year ago.
The attacks themselves are changing, too. "The new kinds of attacks are more malicious, not kids in the basement hacking," says Jim Kollegger, CEO of BBX Technologies, which makes security software for Windows networks. "We're seeing arms merchants for digital wars. Some hacker agencies in Bulgaria and China have found holes in the Microsoft fabric and are crafting toolkits to take advantage." That means anyone can cause trouble. You don't have to be a good programmer anymore.
Protest hackers are an increasingly serious problem. The website of the American Academy of Diplomacy was defaced with the phrase "NO WAR" earlier this week. The mi2g firm says anger about U.S. policies is generating protest hacking from Brazil, France, Indonesia, Mexico, Morocco, Romania, Saudi Arabia, Turkey, and the UK. Now mi2g says protesters are shifting targets, from government and military to business. Others agree.
Retired Marine Lt. Col. James Emerson, a vice president of Princeton-based ICG (formerly called Internet Crimes Group), says the companies most at risk are those seen as symbols of American global presence. If so, they ought to increase their cyber-security. "Companies should be asking, 'Am I someone who just might end up in the wrong place at the wrong time on the web? And is the risk I was willing to accept this morning the same risk I'm willing to accept at the start of hostilities?'"
The good news, in a way, is that both mi2g and ICG say the vast majority of serious damage from cyber-attacks is caused by organizational insiders. That means disgruntled current and former employees, along with consultants and others with trusted access. What can you do? Monitor and vet your trusted personnel more closely, says mi2g.
Most organizations say they're getting more serious about security. A recent Gartner survey finds that "data security concerns" are the second most important priority for CIOs, only slightly behind "costs and budget pressures."
Yet vulnerabilities are huge. For instance, contrary to popular perception, open-source software has gaping security problems. A recent Aberdeen Group report stated, "Open-source software...is now the major source of elevated security vulnerabilities for IT buyers."
It added, "Unix- and Linux-based systems are just as vulnerable to viruses, Trojan horses, and worms [as those from Microsoft]. Furthermore, Apple's products are...vulnerable now that it is fielding an operating system [OS X] with embedded Internet protocols and Unix utilities." This Mac user wasn't thrilled by that.
And Microsoft, while taking many steps to increase security for its customers, is also adding to their headaches. In a policy announced late last year, it decreed that henceforth software will no longer be supported indefinitely with free updates and security patches, though support will always last a minimum of five years. Support for MS-DOS, Windows 3.X, Windows 95, and Windows NT 3.5X has already expired.
But users of the world's most popular server software, Windows NT 4.0, face a decision soon. IDC calculates that NT 4, which originally shipped in July 1996, is used in about half of the world's 8.2 million Windows-based servers (as of year-end 2002). This June, Microsoft begins charging for non-security NT 4 upgrades, and on December 30, 2004 it will stop issuing all fixes and security patches for NT 4. So all those servers need to be upgraded soon. That's a good thing for Microsoft's revenues (and for PC sales), but I'm sure many owners of those increasingly vulnerable NT servers haven't got a clue. Microsoft intends to start telling them loudly this spring when it releases Windows Server 2003.
We've all been bequeathed the near-miraculous gift of one big global network, but we're only starting to recognize how vulnerable it makes us, too, in a time of crisis. As is so often the case, the gift brings with it huge responsibilities.