Local companies battle cyber crime
Source: Daily Breeze.Com
By Muhammed El-Hasan
Date: December 01, 2003
ATTACKING THE HACKING Companies find defending themselves from cyber crime is a growing problem
Boeing’s Bob Jorgensen likes to talk about how well the aerospace giant protects its computer systems from cyber attacks.
Such comments reassure customers and investors. But they also can hurt the company if made too often and too public, he said.
“If we do too good of a job, then we set ourselves up to be a target from that community of hackers that think, ‘OK, you think you’re good? We’ll see about that,’ ” said Jorgensen, a spokesman at Boeing’s Seattle-based Shared Services group, which oversees computer security for the company’s global operations.
Indeed, that community of hackers is bombarding Boeing and many other companies and individuals worldwide with viruses, worms and other destructive tools.
With the surge in computer communications, particularly the Internet, businesses and private users must take greater precautions to prevent security breaches.
That threat represents a boon for South Bay companies that specialize in cyber security, including Computer Sciences Corp. and Infonet Services Corp. of El Segundo and Razorwire Security in Redondo Beach.
Infonet, which provides cyber security products and consulting services, is seeing average annual growth of 15 percent to 18 percent across all security services, said Martin Dipper, a vice president based in London.
“There has been a consistent increase in the demand for managed security services as the risk of cyber crime has increased and the attackers have become more organized,” Dipper said by e-mail. “It is no longer just the amateurs who are attacking companies. There are now organized gangs of cyber criminals who target companies for profit.”
Razorwire Security in Redondo Beach was established in 2000 to tap into the growing demand for cyber security.
“The basic idea in security is what’s called defense in depth, a military term,” said S. Ramesh, Razorwire’s president and chief software architect. “It means having multiple layers of security, so that if one layer is breached, you can detect them and stop them before they are able to get to your vital data.”
Ramesh said the threat also comes from insiders, as many successful attacks are done by people “within the network.” It might be an employee, ex-employee or a vendor with access to the network, he said.
For that reason, information at Long Beach-based Farmers & Merchants Bank is on a need-to-know basis, said Robert Graham, senior vice president and manager of information systems.
“The more people that have access, the larger your risk, because it’s a commonly known situation that your biggest security risk is internal, not external,” said Graham, whose bank has branches in Torrance and Rolling Hills Estates. “Every connection we have internally or externally, whether it’s to the Internet or anywhere else, is monitored, controlled and restricted.”
Annual cyber security spending in the United States across all industries is about $30 billion to $50 billion, or about 3.2 percent of total information technology costs, said Mark McManus, vice president of research and technology at Computer Economics, a Carlsbad-based computer industry research group. That’s up from 1.5 percent to 2 percent of total IT spending just a few years ago, he said.
That figure could grow to 6 percent to 7 percent of total IT spending in two years, McManus said.
The number of reported computer attacks in the United States is staggering. So far this year, 114,000 attacks have been reported, up from 52,000 in all of 2001, he said. It’s unclear how many malicious attempts at testing a computer system’s defenses occur.
Worldwide financial losses at companies and government agencies from cyber attacks are projected to surpass $12.5 billion this year, McManus said. The figure was a relatively meager $500 million in 1995.
“It’s a huge market. There’s a payoff,” said Ron Knode, global director of security services for Computer Sciences Corp. “We have about 1,000 people providing this service around the world. It’s a healthy market. And in some cases, it’s kind of sad that’s it’s such a healthy market.”
Some companies are using unorthodox methods to fight cyber crime. On Nov. 5, software giant Microsoft Corp. vowed to pay a bounty of $250,000 each to anyone who helps authorities find and convict the original creators of the “Blaster” and “Sobig” viruses that spread across the Internet last year.
The problem has grown so serious that in 2001 the Federal Bureau of Investigation began operating squads of agents focused exclusively on cyber crimes that range from viruses and computer hacking to fraud rings and child pornography. Cyber crime represents the FBI’s No. 3 priority after counterterrorism and counterintelligence.
The bureau’s Los Angeles office houses five cyber squads, said Frank Harrill, supervisory special agent for Cyber Squad One in Los Angeles.
“What we’re seeing today, in stark contrast to the mid-?s and early ?s, is that the Internet . . . has so altered our lives and expanded our ability to communicate, it has really expanded the size of the criminal population because people can commit crimes and fraud from their desks,” Harrill said. “Computer extortions are committed by people in Romania and Ukraine, all over the world. If you don’t have firewalls and other protections, your computer can be used to attack other systems.”
The motives vary widely and include attacks by corporate competitors, anarchists and teenage hackers who do it for sport.
“You could potentially impact anything from a 911 system to a power grid to a dam,” Harrill said. “There probably isn’t a person out there who isn’t a target in some way or another. Even if you don’t have a computer, your personal information is still sitting somewhere in some database in some computer system in some building, which in some way or another is vulnerable to hackers.”
Terrorism also can be a factor in cyber crime, although definite statistics on such attacks are unavailable, Harrill said.
“This is a new and changing area of law enforcement, and what it defies is any neat way of categorization,” he said. “You don’t know. Is it a probing by someone with a darker aim than just criminal financial gain?”
Cyber crime is not so much a domain of terrorists as activists, said Clarence Augustus Martin, a terrorism expert at California State University, Dominguez Hills.
Martin cited the example in recent years of animal rights activists using an “e-mail bomb” to crash the server at a Swedish research institute. “It can wipe out an entire database,” Martin said.
Another driver of the growing cyber security industry comes from government. Last year, Congress passed the Sarbanes-Oxley Act, which forces CEOs and chief financial officers at public companies to guarantee the accuracy of quarterly and annual reports.
With executives facing a possible $5 million fine and 20 years in prison for willingly falsifying results, companies are taking extra precautions to prevent anyone from tampering with the financial data.
“You’re worried about the believability of the information. Has it been manipulated by people who shouldn’t have access to it?,” said Knode, of Computer Sciences Corp.
The largest portion of companies’ cyber security budgets come from the technology and consulting services used to prevent attacks. But proper employee training can add another security layer.
At Boeing, employees are required to take an annual training course on protecting against cyber attacks. The courses cover such topics as how to keep one’s laptop safe during a business trip or recognizing inappropriate questions from someone in a business meeting, said Jorgensen, the Boeing spokesman.
“The toughest part is changing employees’ behavior for them to recognize that they are a key part of the security,” Jorgensen said.
^macro[showdigestcomments;^uri;Local companies battle cyber crime]