Hacked to Death

On 2 August last year, shortly after lunch, the email server at £90m-turnover West Midlands engineering business Faux Components was running unusually slowly. Later, screens in purchasing, sales and human resources also slowed. The company, which ran a popular enterprise back-office system, had experienced such slowdowns before, although it thought a recent server upgrade had resolved the bottleneck. Around 4pm, things speeded up, and no one thought any more about it.

The following Thursday, the company’s three top salesmen each received a call from a headhunter whose guesses about their current salaries, sales records and bonus levels proved surprisingly accurate. The carrot that the headhunter dangled was too juicy for them to ignore, and, following a series of whirlwind weekend meetings, each of them resigned – only to discover that the other two were quitting, too, to join the same employer.

Three days later, the first of a dozen or so calls were received from major customers wishing to cancel contracts. Suddenly, they were getting a better deal elsewhere: a competitor had contacted them, displaying an unusual level of understanding regarding their contract needs, the prices they were paying, and the likely volumes they would require.

The next whiff of trouble came from the purchasing department. The senior purchasing manager made her regular quarterly trip to the north of England, taking in four major suppliers. Over the years, she had negotiated some fairly good deals with these suppliers – better than most of the competition was getting, she was sure. No longer: in turn, each supplier had come under pressure to offer an identical deal to a competitor, which appeared to know chapter and verse on the current arrangements.

Worryingly, the competitor had then sought to improve the deal, observing that its volumes would soon overtake those of Faux Components – something that was only possible if Faux Components was to lose some major contracts.

The purchasing manager reported this to the board, but it had more pressing concerns.

The bank had told the board that Faux Components was in danger of breaching its banking covenants if it didn’t pay in funds immediately. When the FD investigated this surprising shortfall, he was horrified to find that a series of automated payments had been made to a Ukrainian bank – with each calculated to be just under the limit that would trigger manual supervision and sign-off.

Later, when Faux Components was just a file in the Receiver’s office, it emerged that the same competitor that had poached the sales executives, and also cannily re-negotiated its supplier contracts, had subsequently launched a new product line. The designs were uncannily like those Faux’s designers had been working on in the weeks prior to the company’s demise.

Naturally, they had been held in digital format on the company’s computers.

But, by then, there wasn’t much anyone could do. Faux Components was ancient history and no proof had been found that the competitor had done anything illegal, despite a cursory police investigation. The competitor was located in Rochdale, which has a high level of Ukrainian immigrants, but none of the competitor’s managers were Ukrainian, spoke Ukrainian, or had made business trips to the Ukraine. Nor, it seemed, was computer hacking a crime in the Ukraine – if, indeed, that was where the hack actually emanated from.

This tale is fiction. But it isn’t fantasy. Computer hacking is on the rise, and estimates put the cost to business at billions. Indeed, a recent survey by America’s Computer Security Institute found that 90% of businesses and government agencies surveyed had experienced security breaches in the past 12 months. Furthermore, 44% of those had ascribed a cost to the hacks they had experienced – which collectively added up to $450m.

Despite the paucity of hard information about hacking, some trends are apparent. First, hackers are no longer content to hack for mere malicious enjoyment. Defacing websites? Corrupting files? That’s fine for beginners, but the experts have found there’s money to be made. Typically, this involves stealing information from a company’s systems. Often, the company is then held to ransom. Quite how often this happens is hard to say: few companies want to go public with the fact they’ve paid $100,000 into a Bahamian bank account in exchange for not having their customers’ credit card numbers posted on the internet.

Second, it’s becoming clear where hackers operate from. Popular hotspots such as the former Soviet bloc, Pakistan and China are being augmented by new arrivals from Israel, South Korea and Germany. But, according to recent research by Riptech Inc, an Internet security specialist in Alexandria, Virginia, the country that generates the most hack attacks is the US.

This startling statistic is connected to another: 70% of successful hacks, says the US Internet Security Consortium, come not from foreigners in faraway places, but from insiders. In other words, the people from whom your systems are at greatest risk are your employees – or rather, more usually, your ex-employees.

The FBI, for example, is investigating how a former Ford employee gathered the names, addresses, account numbers and credit histories of 13,000 customers from the company’s systems. In another case, an unhappy former employee of Global Crossing sucked a wealth of information on 8,000 former colleagues from the company’s human resource system – and then posted it on his website.

While random malicious hacks are certainly on the rise, the incidence of actual information theft remains relatively low. “It’s still way over-hyped,” says Cate Quirk, an analyst with AMR Research of Boston, Massachusetts.

While the theft of intellectual property does occur, vendors with something to sell are magnifying the risk as a scare tactic, she asserts.

The trouble is, “not much risk” is not quite the same as “no risk”. And for companies with valuable data to protect, the risks – and costs – of hacks and hack prevention need to be finely judged. Which is why an increasing number of companies, on both sides of the Atlantic, are talking to companies that describe themselves as “managed security service providers”. For a fee, these companies will protect your systems, monitoring them 24 hours a day to guard against unauthorised access.

One such is Internet Security Systems, a fast-growing 1,500-employee publicly-quoted company that numbers 48 of the Fortune 50 among its clients, and which has headquarters in an anonymous-looking office building in a quiet suburb of Atlanta, Georgia. Business is booming, says Patrick Grey, a muscular Vietnam veteran and former FBI agent – latterly with the FBI’s National Internet Protection Centre – who heads the company’s anti-hacker “X-Force”. Partly this is because businesses’ computers are linked to those of their suppliers and customers. “Invariably, these sprawling networks tend to reduce corporate security to the level of the least secure link,” says Grey. This weakest link may not be on your systems at all – but on a supplier’s system, one or two levels down the supply chain – yet you are still going to be hacked.

The systems that protect companies from hackers are located deep down in the basement of the Atlanta Internet Security Systems building – and in its centres in Detroit, Rio de Janeiro, Stockholm and Tokyo. In a room that can only be reached through a series of number-coded security doors, technicians sit at desks equipped with multiple computer screens, talking quietly into headset microphones, while typing feverishly at their keyboards. At the front of the room are four giant screens, constantly updated with flickering graphs, world maps and statistics. Think NASA control room, but on a slightly smaller scale, and you’ll be on the right lines.

“We don’t run our customers’ networks,” says Grey. “Instead, we tell them when they are under attack, and what sort of attack it is. And we tell them what the risk is, and if the attack is going against a network that is vulnerable to that attack.” Interestingly, although Internet Security Systems often has the resources to stop an attack, many corporate customers’ internal IT policies prohibit this – because it would mean, however temporarily, handing control of their network to outsiders.

Although the company is coy about some of the means by which it can halt attacks, its technical prowess is undoubted. Its co-founder, Tom Noonan, attends the regular National Security Commission meetings chaired by President George W Bush, and these links between the company and the US government first brought the notorious “Code Red” worm virus threat to US government attention. Code Red seemed harmless, until Grey’s X-Force decoded it, and realised that on 1 August 2001 it would replicate itself across Internet servers around the world. Despite the warning, some 355,000 servers around the world were compromised.

The moral is that the hackers’ greatest ally is corporate indifference, rather than clever code. Some 85% of the time that Internet Security Systems is called in, says Grey, the problem has been an already well-publicised security weakness, for which fixes are readily available. And a good proportion of the remainder can be handled by basic security precepts.

“If you don’t have any business with the Pacific Rim, why allow Pacific Rim IP addresses to access your system?” asks Grey.
