The simple act of reporting hackers to authorities is one of the most effective weapons businesses can use to fight cyber criminals, but it is also one of the most rarely used.
"Companies are naturally resistant to tell the world they have been victims of fraud, they are afraid people will laugh at them," Pottengal Mukundan, director of the International Chamber of Commerce's commercial crime services, said Wednesday.
Of course, it's not just that companies are worried that other companies will laugh, but also the negative effect such an admission can have on customer relations and stock prices, Mukundan said here at InfowarCon 2000. Reticence to report security breaches has an effect.
"In the absence of actual meaningful information coming from corporations, it is difficult to stop the crime," he said.
Various studies recently have found that 90 percent of respondents detected computer security breaches in 1999. Surveys have been done recently by the Computer Security Institute and the US Federal Bureau of Investigation's computer intrusion squad, with large companies and US government agencies forming the bulk of respondents. Of those who were surveyed, 74 percent reported financial losses because of security breaches, Mukundan said.
A similar survey conducted in the UK on behalf of the Department of Trade and Industry showed that 60 percent of respondents suffered a breach of computer security in the last two years, he added.
"It appears to be a rising problem, but how do we know if these figures mean anything?" Mukundan said.
The way things are now, the "good guys" are keeping information to themselves, while the "bad guys" are freely sharing information with each other.
"It is important for these companies to portray a good image, so the good guys end up keeping the information to themselves," Mukundan said. "The baddies, on the other hand, are out there freely sharing information with each other on the Web."
Ready-made kits for creating Trojan horses or viruses are available to anybody on the Internet, opening companies to a whole new threat.
Take the recent "ILOVEYOU" worm that jammed e-mail servers. "The software was not sophisticated, but what the authors lacked in technical expertise, they made up for in guile. It brought the e-mail systems of some governments to a halt," he said.
But the most interesting thing about the worm was that it depended on unprepared humans to run it, he said. "There is no reason for people sitting in an office to open an e-mail which is clearly suspicious, and definitely not work related," he added.
The human angle in Internet security is perhaps most often ignored, Mukundan said.
"Take the physical office building, for example, there is very little use in spending millions on software security if you don't have decent security on the premises," he said.
Human error in security matters seems to be a larger problem as well: government laptops containing classified information were stolen in London, and former US Central Intelligence Agency Director John Deutch was stripped of his top security clearance when it was revealed that he stored classified documents on his unsecured home computer, which he used to send and receive e-mail and to access the Internet.
"The Internet is fundamentally insecure," Mukundan said. "Internal networks should be physically removed from the Web, and it makes sense to run static Web sites from a CD-ROM instead of a server."
Software filters are useful as well, he added. "But there is no point in having this system if the IT manager is too busy to actually look at the logs."
Equally important is the adoption of international laws related to cyber crimes, so that criminals don't slip through the gaps in the legal system, Mukundan said.
"Also, there is still a feeling that people who commit online crimes are not as bad as their physical counterparts," he said. "This needs to be changed as well."