By Paul Horn
Policy is not purely a go-it-alone concept, especially in our
increasingly interconnected online world. A group of more than 40
organizations, including American Express, Citigroup, Merrill Lynch,
and IBM, has formed the Data Governance Council. This global effort is
aimed at going beyond traditional approaches to security, privacy,
compliance, and operational-risk policy, in an effort to promote a
more complete approach to data governance.
Last year for the first time, proceeds from cyber crime were greater
than proceeds from the sale of illegal drugs, according to recent
comments by Valerie McNiven, an adviser to the U.S. Treasury Dept.
"Cyber crime is moving at such a high speed that law enforcement
cannot catch up with it," she says. The profile of the typical cyber
criminal is changing fast, too. If you think that's a lone hacker
sitting in a college dorm or a basement recreation room, think
again. Cyber crime is rapidly evolving from the domain of misguided
pranksters, to elaborate, profit-driven schemes involving
organized-crime syndicates that may be based around the block, or
halfway around the world. It's estimated that 85% of malware today is
created with profit in mind. The sobering corollary to that statistic:
only 5% of cyber criminals are caught and prosecuted.
Just as crime will prevent people from moving into a neighborhood, so
also will cyber crime make people reluctant to enter and trust the
electronic world. This will hinder interchange between people,
businesses, and governments, impacting everything from education to
commerce.
Inside the Mind
So, if cyber criminals are more organized today than ever before, our
response to them must also take on new structure and
focus. Individuals, organizations, law enforcement, and info-tech
solutions providers must all join to take on the evolving challenge of
cyber crime. Specifically, new strategies and solutions are needed in
three key areas -- people, policies, and technology.
Let's start with the people factor. One key to thwarting cyber
criminals: figure out what makes them tick. In the mid-1990s,
high-tech companies realized that a key step to improving the security
and privacy of a business' IT infrastructure was to try to break into
it. This resulted in a new job category: "the ethical hacker."
These are highly trustworthy individuals and teams who understand how
malicious hackers work and who use their skills to detect vulnera-
bilities and devise ways to mitigate, or even eliminate, security
weaknesses. And it's done all in cooperation with clients or law
enforcement.
Look in the Mirror
In the early days of ethical hacking, these professionals were able to
successfully break into their targets 80% of the time. It's
unfortunate that this rate of success has not notably decreased, a
sign that today's systems remain vulnerable as hackers continue to
adapt to new security measures. However, the lessons learned by these
early ethical hackers are being incorporated into the practices of
modern law enforcement around the world.
Just as today's law-enforcement agencies deploy specialized teams in
counterterrorism and white-collar crime, cyber-crime expertise has
become a requirement as well. The FBI has already identified fighting
cyber- and high-technology crimes as No. 3 among its top 10
priorities.
Aside from better understanding how criminals are thinking and acting,
the "people factor" also means achieving a better understanding of the
potential implications of our own behavior. Organizations must look at
their security programs, not only at a technical level, but down to
the actions of each person and how he or she interacts with the online
ecosystem. Behavioral insight will help fight not only intrusions into
the network but extrusions in which users may, inadvertently or
knowingly, permit data to fall into the wrong hands.
Global Campaign
Then there's the matter of policy. Security policy deals with the
hundreds, even thousands, of laws and regulations with which
organizations must comply. Equally important, however, security policy
refers to the policies organizations create for themselves, their
business partners, and customers: expectations for behaviors and
outcomes that an organization has in place to create a secure
environment in which to do business.
Security policies enable the governance that protects one of the most
valuable assets of a company -- its data, relating to both corporate
secrets and the private data of its employees and customers.
But policy is not purely a go-it-alone concept, especially in our
increasingly interconnected online world. A group of more than 40
organizations, including American Express, Citigroup, Merrill Lynch,
and IBM , has formed the Data Governance Council. This global effort
is aimed at going beyond traditional approaches to security, privacy,
compliance, and operational-risk policy, in an effort to promote a
more complete approach to data governance.
Data Flood
Data governance helps organizations fix decades of indulgent
data-collection practices. Companies have more data than they need --
they don't know where it is, what it's worth, who owns it, who
maintains it, or what it will cost the organization if it's
stolen. They're concerned about governing access to confidential data
such as legal contracts, patents, trade secrets, software code,
financial data, stock trades, merger-and-acquisition activity, and
patient records. The council is working to define technology and
policies for helping companies get a grip on the data
deluge.
Finally, no approach to fighting cyber crimes is complete without
careful consideration of technology. No one should underestimate the
technical capabilities of today's cyber criminals. So new technology
must be developed to go beyond rapid response, to anticipating and
heading off new cyber-crime techniques.
One approach involves broader use of an established capability:
cryptography. Simply defined, cryptography is the process of
translating data into a format that can be read only by authorized
users. This can be used, for instance, to protect customer information
stored on tapes, so it can't be read if the tapes fall into the wrong
hands.
Strength in Numbers
Encryption has been a mainstay of mainframe computing for decades. But
today's challenge is how to extend it to every touchpoint on the
network. More than half of all corporate data doesn't reside on a
server, but on someone's PC, PDA, or cell phone. The economics of
protecting data with cryptography must be addressed to keep it
cost-effective, wherever that data lives.
The use of cryptography is one example of how we in the IT community
must also take more seriously the need for "security engineering" in
the design and development of our hardware and software systems. You
wouldn't want to add air bags to an automobile after you bought it,
but too often that's how the IT industry has treated security: as an
add-on. Enhanced security capabilities, including ease of use and
performance, must be a part of the mindset from the ground up.
As a recent report from the Center for Strategic & International
Studies stated, cyber crime "is the organized crime of the 21st
century." Yet, the bad guys are hardly the only ones to have figured
out that there's strength in numbers. By marshalling the collective
skills and expertise of individuals and organizations in both the
private and public sectors, we can equip the people, implement the
policies, and deploy the technologies that will help secure our
networked world.
Copyright 2006 Business Week Online.
Copyright 2006 NewsFactor Network.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html
For more technical news and headlines, please go to:
http://telecom-digest.org/td-extra/technews.html
[TELECOM Digest Editor's Note: Just a couple of personal thoughts
about 'living in this neighborhood' as Mr. Horn referred to being
active on the Internet and dealing with the crime found here: He is
correct in saying 'not many people want to live here and deal with the
(cyber) crime. The cybercrime rate is getting much, much worse than it
used to be in the 1980-90's days -- what is often times referred to as
the 'golden age of Usenet'. Although I personally look at Usenet very
rarely, I still notice how much of the spam/scam which gets plugged up
here in my inbox each day originally came addressed to a 'mailbox'
intended to distribute messages to the world via Usenet. And if
'comp-dcom-telecom@moderators.whatever' gets two to three hundred of
these things for me to toss out each day, I cannot help but wonder
what the various _unmoderated_ newsgroups look like. It must be pretty
horrible. Does anyone these days bother with unmoderated newsgroups
any longer? I know it is quite rare that any of the web-based
discussion groups allow for open posting any longer. They nearly
always use at the minimum some form of challenge system and require
users to be registered with the webmaster or group leader.I guess
lots of users are beginning to grow weary of it all, eh? PAT]
Paul Horn (businessweek@telecom-digest.org)