IT security – the poor cousin?

Hartmut Pohl

What is the greatest threat to security in the area of IT?

Pohl: The greatest danger quite clearly comes from insiders, that is, from a company’s own employees. Compared with this danger, attacks by hackers are generally relatively unimportant. I have looked into a whole series of cases, including some involving damages of up to a billion euros. In every single one of these cases of computer abuse, computer espionage, or computer sabotage, employees of the companies concerned were involved in the attack, or at least supplied the decisive, security-relevant information. The main protection companies have against insiders is to ensure the stringent assignment of access authorizations, the logging of all system accesses or access attempts, and the regular evaluation of these logs.

Has the threat of espionage been exaggerated, or is it a real danger for companies?

Pohl: Unfortunately, the damage caused by computer espionage has not been exaggerated; it is huge. However, because there is no obligation to report cases of computer fraud and abuse, we do not have reliable statistics with which to estimate the extent of this problem. All the people who discuss this topic are only familiar with their own cases, and these are not necessarily the same ones that the German Federal Bureau of Investigation records and reveals.

However, the largest case of damage we investigated was caused by sabotage. On behalf of a competitor, an employee caused the company’s production control servers to go down. The sabotage was cleverly done, because the saboteur concentrated on just one server for a short time, and then moved on to another server. As a result, the attacks were not noticed for some time, and by then, huge damage had been done.

What role is the increasing interlinking of companies playing? What can we expect here in the future?

Pohl: The close links between suppliers’ and customers’ computers and servers mean that a company’s level of security depends increasingly on its partners’ security. Therefore, faults in a single company often affect all its partners. This susceptibility and mutual dependency will increase in the future.

Which preventive measures should companies and private computer users take?

Pohl: Anti-virus programs with at least a daily update, access control with password management, and the regular evaluation of the log are needed, of course. In the firewalls, safety-conscious companies occasionally use three different products in series, too. Systems for intrusion detection or, preferably, intrusion protection are advisable. We have also been monitoring honeypot and honeynet installations. Companies can use these to discover what methods of attack are being used against them, and whether they are sufficiently protected.

Are there differences in risk awareness between Europe and the United States?

Pohl: Yes. In the United States, sensational cases of computer abuse are often published – together with a list of all the additional security measures now in place. In Germany, on the other hand, companies are very closed. They are afraid of losing the trust of their customers if word gets out about how insecure the company’s IT is or was.

In general, the employees and executive boards in the United States are more aware of security issues than those in Germany. In the United States, companies are more likely to ask themselves whether espionage might also be behind a theft or server downtime than in Germany.

Can we assume that e-mails are read by governments or secret services?

Pohl: The answer is quite definitely yes. Any kind of communication over the Internet, including land-line and cell phones, is fully monitored. Security-aware companies therefore only exchange valuable information in the high-security area on a personal level. Many message services evaluate the captured communication data and forward it to their national companies. This does not apply to the German counter-intelligence service, but the US, UK and French secret services are obliged to do so by law.

Should companies and private individuals make use of more encryption methods in e-mail correspondence?

Pohl: Valuable information must always be encrypted. However, it should be stored in encrypted form in the company in the first place, because then, the relatively frequent theft of computers, hard disks, and other storage media will not have serious consequences.

How prone to attack are wireless LANs?

Pohl: Many of the WLANs are and should be open. Only WLANs with access to valuable business data must be very highly protected. The products offer methods for protection which must be used, for example Wired Equivalent Privacy (WEP) for encryption, the checking of MAC addresses of the WLAN cards, and the choice of a suitable network name (SSID). However, these methods are not all that effective, and so the use of a virtual private network based on IPsec is absolutely essential too. WLANs should not be used at all in highly sensitive areas.

What legislative measures would you like to see introduced in the near future?

Pohl: The abolition of state monitoring in accordance with the Telecommunications Act and the Telecommunications Monitoring Regulation. On the basis of these rulings, it is not just the Internet that is monitored or tapped, but also telephone conversations and, in particular, cell phones – that is to say, every kind of electronic communication.

What developments do you expect to see regarding spam, viruses, worms, and Trojan horses?

Pohl: As far as the spam problem goes, it is currently very difficult to predict what success the legislative and technical measures implemented to date will have.

In the case of damage caused by viruses and worms, I expect these attacks to become much quicker and more personalized. Flash worms and Warhol worms have been around for two years, and they will probably be used in future too. They can infect 85 percent of all Internet servers in the space of a few minutes, and once that has happened, there is no protection against them. These attacks scan the Internet servers in advance and unobserved, and create a list of servers that are susceptible to attack; when the attack actually takes place, only this list of addresses is worked through in sequence. As this can be done in the space of a few minutes, any counter-measures by virus software vendors will come too late; vendors need at least three hours from when a virus first occurs in order to determine the virus-typical characteristics (signature).

When it comes to attacks with a financial motive, fraudsters generally try to find out the computer users’ account and security information – and there are still many users who fall for this simple trick and reply to e-mails, giving the passwords and PIN numbers they were asked for! There will be a major increase in stalking too: here, an address or telephone number is provided in an e-mail asking the recipient to make a call or reply to the electronic post. I expect these types of attack to increase even more in future, right through to denial-of-service attacks.

How dependent is our modern society on information technology?

Pohl: Modern society’s dependence on information technology has already reached a very high level. For example, computers are used to control energy supply across the whole of Europe. If there were a lengthy power cut, our economic life would completely shut down. However, we are equally dependent on the health service with its supply of food and drinking water, on telecommunications, the banking, financial, and insurance system, the road system and public transport, and the government with its public services and the emergency services. If one of these “critical” infrastructures were to fail, all the others would suffer considerably as a result.

The situation is not all that different for companies. Midsize companies with up to 5,000 employees, in particular, do not take enough precautions in the area of IT. If production stops, it doesn’t matter whether this was caused by a partner’s extranet, a virus, or sabotage. Only preventive measures and an emergency concept with concrete measures can help: how can a company’s operations be maintained even if servers go down, or when the Internet cannot be accessed and communication with partners via the usual channels is not possible? Managers need to ask themselves these questions and install concrete solutions – before an attack takes place.

Prevention naturally costs money. However, we do not have reliable statistics in this area; a good guideline is to allocate 5 to 10 percent of the IT budget for security. This is certainly justified if it means that the most critical processes are protected.