
State of the eNation - the evolution of eCrime

by Sali Earls

The increasingly low cost of computer hardware and the proliferation of broadband has opened up the opportunities presented by the internet and ecommerce to everyone. But while businesses, both small and large, and home users are embracing technology to enable them to progress, so are those who are out to con, cheat and steal from us.

According to research by security firm Sophos, 1 in every 44 emails sent in 2005 contained a virus, and overall there was a 48% increase in malware threats over the previous year; while statistics from SoftScan have shown that 85% of emails in 2005 were classed as spam.

While many thought that spam would be a thing of the past by now, they had underestimated the methods and motivations of those behind it. Are spam and viruses written by students in their bedrooms? Not anymore. The motivation for malware is money, and those behind it are now more likely to be involved in serious and organised crime, than simply doing it for kicks.

If this is so, and malware writers are out for financial gain, surely big companies will be their target? As large enterprises have become increasingly competent at dealing with IT security problems, so the weaker links in the chain are being targeted. Since SMEs do not have the same level of security expertise as a large enterprise and lack the funds to invest in this area they are now most at risk.

But while the greatest threat is perceived to be external, research from McAfee has shown that the threat from within is higher than believed. The key findings of the report show:

  • 24% of those questioned use their company laptop at home to connect to the internet, dramatically increasing the chances of infection of the device and potentially the corporate network
  • 21% let family and friends use their company laptops or PCs to access the internet
  • 62% admit they have a very limited knowledge about IT security
  • 51% connect their own devices or gadgets to their work PC and a quarter of these do so every day
  • Around 60% admit to storing personal content on their work PC while one in ten admit to downloading content at work that they should not

A study by web security company ScanSafe of 1,500 UK office workers in 2005 revealed some startling facts, and supports the opinion about the threat from within. Over a third of those asked had used the internet at work to buy gifts for Christmas, but 60 percent weren’t at all concerned about the potential security risks, stating that it was the responsibility of their employer to ensure adequate security policies were in place.

Ed Gibson, Chief Security Advisor at Microsoft UK said, "Small companies often assume that they are ’too little’ to attract interest from criminals, but that is simply not the case. Micro businesses, defined as businesses with nine or less employees, and sole traders constitute around 95 percent of the UK’s 4.3 million businesses. That is the potential cyber criminals see, not individual businesses,"

"Furthermore, a popular tactic used by cyber criminals is to ’hijack’ unprotected PCs to use in attacks on other companies. That puts a duty on everyone that has a PC connected to the internet to ensure it’s suitably protected. As the backbone of the UK economy, micro businesses must play their part in addressing online criminal behaviour."

No doubt, we’ve all experienced spam. An unsolicited email from someone wanting you, as a trusted friend, to help them remove millions of dollars from a Nigerian bank account; maybe an offer of potent herbal drugs to improve your sex life; or perhaps an email to inform you that you’ve won the Dutch lottery.

According to Spamhaus, a not-for-profit organisation that tracks this problem, most spammers send out anything from 1 million to 100 million spam emails each day to email addresses harvested from the internet and insecure mail servers. Of these millions of addresses, spammers do not know which ones are working, that is, until you send the spammer an email response to "remove me". By sending an opt-out request, you are confirming to the spammer that your email address is active, and that your ISP or company does not have appropriate levels of spam protection. You are also proving yourself to be an ideal candidate for further spam, and your live email address will be sold on to other spammers for a premium. The advice from Spamhaus is simple, "Never opt-out of lists you did not opt-in to in the first place."

As the motives behind malware have evolved, so has the malware itself. Spam has opened the way for Phishing attacks, where an email is sent claiming to be from a bank, online payment provider, online auction site, or ISP to request that you "update" or "validate" your account information, often threatening account closure if you do not respond. When clicked, the email link takes you to an official looking site, identical to the real one, and will request that you enter your account details and password. Having done this in good faith, you have in fact given the spammers the tools with which to empty your account to fund their crimes. In 2005, over 23 million was lost in the UK alone to Phishing scams, double the amount of the previous year.

While spam is a well known threat, and people are now more aware of Phishing thanks to media coverage, a hazard that is increasing in influence is that of spyware. These malicious programmes are developed with the sole purpose of intercepting or taking partial control of a computer without the user’s knowledge or consent, to monitor the activities of the user, or sabotage the computer’s operation for third party benefit. During 2005, spyware became one of the biggest security threats to computers running Microsoft Windows, and security software company Webroot identified more than 400,000 websites that hosted spyware.

Unlike spam, spyware generally needs to be installed by the computer’s user. The spyware authors know that no-one would install malicious software on their machine knowingly, so they position the software to deceive users by attaching it to desirable software, or by tricking users into doing something that installs the software without their knowledge.

Microsoft Internet Explorer is designed to prevent websites initiating unwanted downloads, so the spyware authors get around this by designing pop ups to appear like Windows dialogue boxes with messages such as "Would you like to optimise your internet access?", or more brazenly "Your computer may be infected - would you like to install an update?" The dialogue boxes contain "Yes" and "No" buttons, but regardless of which button is clicked, the download begins and the spyware is installed on the user’s machine.

Once installed, spyware can contact its host server and report back on whatever it has been designed to do, be it usage patterns in order to display a plethora of pop up adverts for dubious products and services, or relay passwords and confidential information. This is known as spyware "calling home", and is the process at the heart of the financial gains to be made by the spyware industry, but the first the computer user knows of the spyware is the pop ups and a diminished system performance.

According to a recent report from web security company ScanSafe, the rate of spyware continues apace, with an increase of 265 percent over the four months from August to November 2005.

Research into malware has shown the forecast for the rest of 2006 and beyond continues in the same vein. Graham Cluley, Senior Technology Consultant at Sophos, commented, "We’re facing more of the same, I’m afraid. New malware will be designed to steal information, and more computers will be exploited to spam others. There is a growing commercialism of malware for profit."

So why are these threats increasing? Put simply, there’s money in malware. The combined might of 4.08 million micro businesses and sole traders provides rich pickings for those who seek an opportunity to cheat and steal, and the door is very much left open by managers who think "it won’t happen to me", and staff who flout security. The fact is, it can happen to you, and without due care and attention, it most probably will.

Tony Neate of the Serious Organised Crime Agency, and a representative of the Government’s "Get Safe Online" campaign, said, "It is essential that SMEs approach security issues with a similar, diligent approach as they would in protecting themselves and their home PCs from online threats. Compared with home users, businesses have greater reason to pay attention to IT security and need to approach this in a systematic way,"

"The fundamental step in protecting your business should be to develop a security plan. Through implementing a security plan for your business, you can reduce the risk of online threats which face SMEs today. A security plan for an SME should include an understanding of legal obligations, the risks of corporate identity theft, a concise and effective training program for staff, and co-ordinated and prioritised IT security,"

Neate continues, "One of the core elements small businesses can put into practice is key training programmes for employees, which can act as a main line of defence against online threats in business. It is important to remember that even the best anti-virus programme will not be useful if the employees in the business do not know how to efficiently utilise it. Effective and consistent training not only reduces the risks of security problems, but also increases employees’ IT proficiency, which can encourage them to use better security at home as well."

Lee Sharrocks, Consumer and Small Business Director at Symantec, agrees, "To keep their data secure and their systems up and running, small businesses should ensure that they are protected by regularly updated anti-virus and firewall software, that their systems are regularly patched to reduce the vulnerabilities that could be exploited and that they have a security policy in place, clearly outlining recommended use of the internet, highlighting company expectations and best practices, such as not downloading attachments, or giving out sensitive information via the internet, to employees."

Forewarned is certainly forearmed, and for companies of all sizes, especially small businesses who do not have dedicated IT staff, it is important to keep abreast of security threats by subscribing to alerts from reputable security companies. Ensure that critical systems are backed up regularly, and anti-virus and anti-spyware software is kept up to date, and use online resources like Get Safe Online which has tips to help you protect yourself and your business.

Ed Gibson of Microsoft recommends that small businesses use the following checklist:

  • Protect your desktops and laptops - If you are serious about security, there are three things you must do: keep your software up to date; protect against viruses; set up a firewall
  • Keep your data safe - Implementing a regular backup procedure is a simple way to safeguard critical business data. Setting permissions and using encryption will also help
  • Use the internet safely - Unscrupulous websites, as well as pop-ups and animations, can be dangerous. Set rules about internet usage to protect your business and your employees
  • Protect your network - Remote access to your network may be a business necessity, but it is also a security risk you need to closely monitor. Use strong passwords and be especially cautious about wireless networks
  • Protect your servers - Your servers are your network’s command centre. If they become compromised, your entire network is at risk. To protect your business, protect your servers
  • Secure your line of business applications - Make sure that software critical to your business operations is fully secure around the clock. Internal and external vulnerabilities can lead to lost productivity, or worse
  • Manage desktops and laptops from the server - Without stringent administrative procedures in place, the security measures you take to safeguard your business may be unintentionally jeopardised by users

The fundamental point here is that if you are prepared to accept that there are significant risks to your business, then you are one step nearer protecting yourself and your business from these threats. By taking a few sensible precautions, we can minimise the risk to ourselves and our business, and over time these can become as natural as the other safety measures we take every day without thinking.

The internet should be an enabler - it brings people together, and allows small businesses to compete on an international stage - but in order to use it effectively, we have to understand the environment, and take responsibility for our actions and our safety.






Useful links:
ITWales is not responsible for the content of external websites, and does not endorse the products or services offered.

Information & Education

ECrime Wales
Details of the recent summit supported by the Welsh Assembly Government, local police and businesses, with links to the agreed manifesto and action plan to combat ecrime in Wales.
www.wda.co.uk/ecrime

Get Safe Online
A site sponsored by government and leading businesses working together to provide a free, public service to help individuals and businesses protect against internet threats.
www.getsafeonline.org


Software

BopSpam
Award winning anti-spam product from Swansea based NetBop Technologies.
www.bopspam.co.uk/

Windows Defender
Free anti-spyware software from Microsoft.
www.microsoft.com/athome/security/spyware/software/default.mspx

Ad-Aware
Anti-spyware software with editions available for home users, small business and enterprise.
www.lavasoft.de/default.shtml.en

Spyware Blaster
Freeware anti-spyware product available for personal and educational use.
www.javacoolsoftware.com/spywareblaster.html