11 September 2009

DEFINING THE PROBLEM




NATURE, SCOPE AND SEVERITY




Technology has exploded into our lives far too fast for some of us to really stop and to consider all of the positive and negative implications. But no group is more underserviced than the Small-to-Mid-Size Business (SMB) market. This book is aimed to discuss this market, its vulnerabilities, the IT support resources currently in place and what more is needed to fix the problem. Also Included in this discussion are procedures, processes and tools the reader may choose to use in order to understand the nature, scope and severity of the concerns raised herein.
The problem of security in small business is well-known. In fact, the US Congress has even taken up the cause though no one is clear what effectiveness the federal government can or will have on the issue of IT security for small businesses until owners and their IT support resources become more informed and conscientious. All of the security weaknesses documented here are well known to the criminal community. Most require little actual technical skill. In fact, one can find step-by-step tutorials on the popular YouTube.com video website explaining and demonstrating various break-in methods.



The author is an experienced IT consultant in the Round Rock, Texas area specializing in providing the SMB community with quality, enterprise-level IT solutions both as an employee and employer. It has been the result of his experiences in the field and while supervising others that prompted this discussion. No one group of people are above taking responsibility for some part of this problem. Whether it has been resistance from business owners, lack of skill on the part of technicians or incomplete business models adopted by IT service providers, everyone involved has to some extent contributed to the problems which threaten the most valuable segment of the American economy—i.e. the small to mid-size business.





Every effort is made to present this topic objectively and comprehensively so as to properly represent the interests and positions of all involved. No one will be well served from this work if this standard is not well maintained by the author. That said, it is clear from initial drafts and discussions about this work that some business owners and IT professionals may be offended by what is stated below. However, as with all families, our SMB community must face hard and uncomfortable truths if it is to survive the political and economic pressures faced in this 21st century.



A discussion of this type is tailored to the SMB market because for years similar discussions at the enterprise level have not effectively reached the SMB market. While many in the SMB IT services industry have known about the concerns raised here, most have failed to properly implement corrective actions as they face competing business interests, identified below. Others have ignored the threat of poor security out of ignorance or lack of technical skill. Still more persons who have an interest in IT security for the SMB market have discounted any need for improvement as they feel the small business does not hold sufficient value to attract meaningful criminal activity.



The author disagrees on all counts.



The nature of the security threat against small business is greater than that facing the large enterprise. Large corporations and conglomerates have dedicated IT staff with a budget to address any valid concern. Within these corporate IT departments are persons dedicated and trained to maintain the security of the network and its information. While there are many strategies they may use, most boil down to three key elements depicted in the following figure:



Compared to the large enterprise, no IT security strategy is in place for most small businesses. For few those who do monitor their network, this resource is limited to detecting device errors or other operational problems; forensics is limited to data recovery when hard drives crash; and feedback into existing process is irrelevant since most often no written IT policies exist. Without such an IT security mechanism in place, the small business is left unprotected from any intrusion. The only protection then remains a perception that the small business has no value for criminal attack. Unfortunately this perception is not shared by the professional criminal community. Only business owners, IT professionals and a few petty crooks hold the limited view that small business is not a ripe target for crime. The small business community is in fact an attractive target for the computer criminal. Without intrusion detection, the criminal has little to risk. The fear of apprehension and the consequences of his/her actions are almost non-existent in many cases. In fact, because any evidence may go unnoticed, the targeted small business is likely to never notice that an attack has taken place—making it a potential target for subsequent attacks over time, potentially destroying the reputation and health of the business.


The small business world has been changed more by the past twenty years of technical innovation than any other business category. With the explosion of the internet, small business can now compete globally with larger organizations. Credit card processing is performed quickly and efficiently over the internet, through both websites and point-of-sale terminals, on shared lines with other data processing tasks. This creates the same temptation for the criminal community that attracts the stereotypical Hollywood ‘hacker’ to attack a monolithic mega corporation. Though the small business may not have the balance sheet of a large conglomerate, many do in fact pass through thousands of dollars per day in credit and debit card transactions, electronic funds transfers (ETF) as well as personal information about their customers. This is the same type of information we often hear a larger organization admit was lost through a stolen laptop, back tapes or other intrusions. Unfortunately small business cannot sustain such multi-million dollar losses much less the impact on their reputations. It is only because we as a society have no real means of effectively measuring the impact of these attacks on small business than avoids any negative commercial impact.


Given the nature, scope and severity of this problem, as briefly describe above, the author has determined that the plethora of how-to-hack/how-to-patch literature is inadequate to find a long term solution. Thus, we must first look at how this problem has been allowed to persist for this long when larger businesses have already begun implementing remedial measures. We will look at many angles of the current situation, the IT support resources available to a small business and the competing business interests which currently prevent any long-term solution. From this initial discussion, the reader is expected to walk away with many new ideas. Owners are expected to be armed with more information to scrutinize the IT personnel they trust as advisors. IT providers are hoped to begin thinking of new models of IT service which will better serve their clientele and mitigate the competing business interests.



COMPETING BUSINESS INTERESTS




Small business IT often consists of a client-vendor relationship. Too small to maintain a full-time IT staff, many in the SMB community outsource their IT needs to outside consulting firms. These IT service providers operate either under a “break-fix” model or as a “Managed Services Provider” (MSP). While both models do have their pros and cons, neither model has completely addressed the competing business interests which counter the best interests of the small businesses and their customer base.


Many business owners prefer the ‘break-fix’ IT service model because the short-term impact of pay-as-you go thinking often allows the business to save money. However, as a break-fix provider, an IT services firm is only contacted by the small business when something so obvious breaks as to impact the operation of the business or inconvenience its employees. No monitoring or periodic maintenance schedule exists since the business in this case seeks to minimize its short-term costs at a risk of high-cost failure over time. ‘Break-fix’ fails to ensure that the IT professional (whose job security comes from a high call volume) is economically linked to the long-term growth and success of the client business. In fact, the ‘break-fix’ model is a disincentivizes this need.


Many frustrated IT service providers have moved to a “managed services” business model in order to escape the ‘break-fix’ impasse . This model offers a flat rate or semi-flat rate fee for such services as are required to meet a written “Service Level Agreement” (SLA). Operating under a ‘managed services agreement,’ the MSP only realizes profitability when the client small business is operating properly over a period of time requiring no extraordinary intervention. But not all MSPs are created equal, as many small business owners have learned through nightmare experiences. An MSP may have underbid his agreements in order to grow, for example, narrowing the margins so thin that routine maintenance is neglected or even altogether avoided. Some MSPs intentionally offer vague Service Level Agreements so as to avoid any contractual agreement to specific, measurable performance levels. Such SLAs leave the client business paying a hefty monthly fee with no real teeth to enforce an equal effort in return. Further, most MSPs specifically limit their agreements to implicitly or explicitly absolve them of any liability arising from data loss, down time or security failures. Insofar as the SLA lacks measurable performance levels, response times or accountability for malpractice, the MSP will have created a competing business interest that reduces the MSP’s overall effectiveness.


ELEMENTS OF A QUALITY SERVICE-LEVEL AGREEMENT




The strength of an MSP against competing business interests is measured by the quality of the SLA. Strong SLAs effectively embed the IT service provider as a virtual and integrated part of the small business with aligned profit-oriented goals. These solid SLAs hold the IT services provider to the same standards as their large corporate counterparts and reduce the temptation to dodge proactive maintenance efforts in pursuit of their own profitability and growth. Every small business owner is strongly encouraged to scrutinize his/her existing managed services contracts and to ensure the agreement clearly covers at least the following elements—


  • PROBLEM REPORTING MECHANISMS


    This is the process whereby the small business will report problems to the IT service provider. The SLA should clearly identify who should be contacted during business hours and any after-hours, on-call support personnel. Reporting mechanisms should be redundant and consist of at least three means of contacting the IT service provider. For example, an SLA might specify that the client is to use an MSP-provided ticketing system, email, phone or a web-based form.


  • RESPONSE TIMEFRAMES


    SLAs should always provide a response timeframe. Following a service request, failure or other notification, the IT services provider should be professional enough to specify a clear response timeline. This might be severity-based. For example, critical tickets might receive a call-back within fifteen minutes after hours and a ten minute response time during business hours, while normal-priority calls might receive a four-hour callback during business hours and a next-business day follow-up after hours. Whatever the SLA provides, it must be clear and precise so as to ensure meaningful accountability.


  • ESCALATION PATHS


    When things go wrong (and they will from time to time), there should be an “escalation path.” This escalation path should include the context of any escalations—for example, an SLA should differentiate billing escalations from technical escalations so as to help route the matter to the proper person with the minimal effort and time. One of the best SLAs the author has ever seen actually tied compensation of the IT services firm to the number of escalations. Though complex, it created both an incentive for the IT services firm to keep complaints low while also creating a disincentive to continue servicing clients who were costly and complained to often.


  • MAINTENANCE SCHEDULES


    No SLA should ever be considered as acceptable to a business owner unless there is a measurable, documented maintenance schedule and procedures. Absent such a schedule and procedures, there is no guarantee that the MSP will not continue to earn his fat checks simply hoping the eventual catastrophe will not occur on his/her watch.


  • PERFORMANCE REPORTING SCHEDULES / PROCESSES


    Periodically a business owner should receive a clear, concise state-of-the-world briefing from the IT services provider. The SLA should establish up-front who, when, where and how such briefing will take place and the elements to be covered in these briefings. Business owners and IT providers should, in accordance with a solid SLA, use these briefings to set goals and review progress toward previously established objectives.


  • VENDOR MANAGEMENT PROCESSES


    The SLA should specify who manages IT-related vendors in the relationship. Many reputable IT services companies attempt to manage vendors on behalf of the client—which the author feels is the best possible option in almost every case—but where the SLA lacks a good definition of this relationship, the vendor may not observe the practice or other conflicts could arise.


  • IT POLICY/PROCEDURE DEVELOPMENT


    Each small business owner is strongly encouraged to consult with an attorney to identify any legal requirements or regulations requiring written IT policies in his/her industry. Nonetheless, every business should have at least an IT policy and procedure for the basics: privacy policy, computer use policy, new-hire employee user account creation policy, employee termination of access policy, etc. The SLA for a managed services contract should provide for the creation, maintenance and enforcement of these policies. In fact, every MSP should—though few do—have standardized template policies which will help the SMB community better cope with this need.


  • DISASTER PLANNING


    Most of us have seen the billboards from the government that warn how only 25% of all small businesses who face a disaster will survive. The SLA should ensure each small business is in that 25% by providing for a written disaster plan that properly assigns the responsibilities for each involved person in both the IT services company and the small business.


  • ASSET MANAGEMENT


    Most small businesses face theft problems. Computer equipment is one category of theft most overlook. Software is stolen more frequently than any other asset in a small business. Many service providers unethically use the custody of software installation media to hold a client hostage and prevent them from moving to a new IT services provider. Unlike the large companies, small business has practically no asset management in place. This impacts security as well, since it is the heart of intrusion detection (as we will discuss later).


  • INTRUSION DETECTION & MONITORING


    The SLA should always require an automated monitoring solution be implemented by the MSP. This monitoring system should use SNMP, ICMP and other monitoring technologies to conduct constant surveillance of the small business network to ensure services are operating within expected parameters. This monitoring solution should also ensure that any new devices added to the network are quickly identified, assessed and either allowed or disabled before they can cause damage.


While the managed services model is the better of the options available to small businesses, the success of the MSP to implement managed services in line with the needs of the SMB community is measured in terms of its SLA. In complete SLAs are not likely to create lasting long-term relationships which are mutually beneficial to all parties. Thus, managed services needs to be redefines with a standardized definition of the SLA. Much as IT professionals have standardized the framework for networking and other technologies, a framework for the SLA is sorely needed.


One must also remember that the MSP is often a small business as well. Accordingly, the MSB is under significant pressure to realize a profit (if not simply to break even). This impacts the likelihood of the MSP to pursue detailed and strong SLAs which expose the MSP to liability and increased cost. The need for a convergence in the MSP market is high. Since most MSPs would prefer to remain independent—which is a common reason to enter the market—it is clear than the MSP community must create some other underlying model in order to attain the minimum economy of scale to allow a proper business model to emerge. This model must include the following elements to succeed—





Much as any professional group (including doctors, lawyers and psychologists) these business standards will lead to a better work product, continued trust by the community, sound business practices and better protection of the small business from the criminals who would exploit the weaknesses the current disorganized approach has created.


CHARACTERISTICS OF A QUALITY IT SERVICES PROVIDER


Business owners should not expect government regulation to fix the problems. As an entrepreneur, the small business owner must gather his own information and evaluate potential IT services vendors to ensure a proper fit. Below are four factors to consider in choosing an IT services company:


  • WRITTEN PROCEDURES


    IT services vendors should be able to approach a client with written procedures and policies that state how they ensure their services meet the standard reasonably expected by the community.


  • CONTINUING EDUCATION


    At a minimum, the IT services provider should have standards for their employee’s continuing education, whether or not this includes internal training or expects individual initiative. Good continuing education might include in-house training to ensure all personnel in the IT services company are familiar with the solutions deployed at each client’s location. For example, a client that endorses a product or vendor, such as the ZyXel line of networking products should also ensure that their technical staff are trained in the use and deployment of these devices in accordance with internal standards. This ultimately makes the IT services firm more efficient and reliable and keeps the client’s costs low.


  • DOCUMENTATION AND REPORTING STANDARDS


    Many small business owners become attached to specific technicians who they feel know and understand the client’s network better than anyone else. When this technician leaves the IT services company, clients are often frustrated by the need to ‘train’ someone new. The wasted time and resources are often due to poor documentation and cross training. A quality IT services firm should have standards for reporting issues and documenting all work performed, including processes to ensure employee compliance. This eases any transitions that occur over time and provides a redundant, interchangeable pool of technical skill for the client.


  • CLIENT HAND-OFF PROCEDURES


    Documentation and reporting are critical during continued support of a client. But when a dissatisfied client wants to move on and change IT services companies, the importance of good documentation becomes more critical. A reputable IT services company may never lose a client, but those firms will almost always have the integrity to publish a procedures for client hand-off if the need were to arise. This should be a mandatory criteria for any business owner evaluating IT service companies. Without the hand-off procedures, the client company is risking expensive transition fees in the future.

    Recently, for example, the author was assigned to a project where the former IT services company claimed to have no more documentation than an 8-inch stack of hand written notes for a network that spanned several locations with several hundred computers, switches, servers, routers and other devices. In fact, most of the passwords were not provided during the hand-off phase. Instead, the out-going IT services group refused to cooperate unless they received $4,000 per week in service fees to figure out the passwords and document the network. This is in addition to the years of hourly fees charged to the client and the poor service which caused their replacement. The author was left with no other choice than to reverse engineer the network while struggling to repair broken services. The cost of this failure exceeded $100,000 in services. Had the client demanded a service-level agreement with a documented hand-off process this would not have been such a costly affair.


EAT YOUR OWN DOG FOOD!




NOTE:While writing this paragraph the author has not lost the significance of his statements. Many readers who are MSP employers or employees would probably cringe at this suggestion being made to business owners. Yet this transparency allows a since of embarrassment to drive us all as professionals to improve our operations and clean house from time to time.

Some years ago while at lunch with a friend, the author noticed the friend always asked a waiter or waitress what he/she liked on the menu. Without fail, this friend has never failed to order the suggested meal. When asked why this was so, the friend replied “If they eat it and they know what the kitchen looks like, I guess it won’t kill me either.” The same is true of any industry, including car repair, groceries or even information technology. A smart customer always wants to know if the vendor uses his/her own services and products, or better put “Do you eat your own dog food?”


Small business owners should know the services and products they are purchasing are backed by the personal and professional beliefs of the vendor and its employees. But in car repair, eating one’s own “dog food” is pretty much just a self-endorsement. In Information Technology it can directly affect the security of client operations. If an IT services company is compromised, then the passwords, IP addresses and other information critical to the security of its client networks is vulnerable. This fact makes the IT services company a more attractive target than the typical small business, increasing the value of sound IT security practices.


Often within an IT services company, senior management understands these arguments and seeks to implement acceptable standards. But a fear that enforcement of written standards will cause employees to leave the company—creating a loss of institutional knowledge and valuable talent—eventually leads well-intentioned managers and owners to turn a blind-eye to what they know is a bad practice. As a result, many staff level employees will possess access and permissions within the IT services company that exceed their practical need. Local administrator, domain administrator or other rights are not restricted, allowing a disgruntled employee to potentially victimize the company or its clients. More commonly, this excessive permission level creates the potential for employee error to affect business operations.


The author remembers many situations where this was the case. In one situation, a senior engineer used the company’s internal mail server to process a client’s emails while their server was under repair. Later, when the client’s server was put back into operation, the engineer failed to restore the previous state of the internal mail server. This caused invoices sent to the client for their monthly fees to be held at the IT provider’s mail server rather than proceeding on to the client for payment. After several missed payments, the IT provider discontinued services because billing personnel was not aware that the invoice emails were not being received. In another situation a technician needed to test a wireless router suspected of being defective. He connected the device to the corporate network because it was conveniently located at his desk. However, the wireless device had no encryption or other security enabled and publicly broadcast sensitive network traffic in the clear. During the a week-long test, the technician had exposed the his employer’s information to anyone with a laptop in range of the signal. It wasn’t until a coworker was at lunch at a nearby restaurant that the problem was identified and resolved. In neither case were best practices followed by IT personnel, who used a secure production server/network for purposes that should have been limited to a designated, isolated server/network which the IT provider did have at the time. In another more severe case, this same type of failure caused one IT consulting firm to incur a costly virus cleanup when a technician connected a client’s computer to the designated “service center” network before conducting a thorough virus scan of the system. As a result, the other computers on this isolated network were infected—many of which were at their final stages of repair and managed to be deployed to sites before the problem was realized.


These horror stories lead the business owner, no doubt, to ask how they can ensure their IT services company is not making these same mistakes. Honestly, there is no foolproof way of preventing all mistakes. But a business owner can limit the mistakes to which he/she is exposed by ensuring his/her IT services firm has written procedures, training programs and internal security systems (such as intrusion detection) in place for their operation. Yet this is more than a paper interview or listening to a sales pitch. Business owners should expect a tour of the vendor’s facilities. If seeing is believing, then a tour of a facility should allow the business owner to see for him/herself that the paper practices match the culture and environment of the vendor. Most vendors will invite prospective clients to tour their facilities. If a firm does not offer this, then ask. If the vendor declines or appears uncomfortable, one must ask “why?” Is it that the vendor is “too busy” or “too important” or is it that the vendor is ashamed of what the prospective client might see, hear or learn? Any reputable IT services firm should be proud and willing to give a client a tour of their business and access to review the non-sensitive internal procedures used to safe guard his/her data. After all, isn’t a small business client giving the same trust if not more to the IT services provider?


CRIMINAL MOTIVATIONS: FAST, HERE, NOW!




Up to this point we have focused our problem definition on the business interests involved and the reasons why our small business networks are vulnerable. These are things we can definitely address as a community of self-motivated and free persons aimed at pursuing success through hard facts, truth and responsibility. Yet there is some truth to the wisdom that to understand the opposition is to defeat them before the battle begins. That is our next discussion: the criminal. We will take a moment to briefly look at what motivates a criminal before stepping into the next chapter where we will apply this knowledge to the process of penetration testing.
Computer crime is defined as—


“Criminal activity directly related to the use of computers, specifically illegal trespass into the computer system or database of another, manipulation or theft of stored or on-line data, or sabotage of equipment and data.”
(Quoting American Heritage® Dictionary of the English Language, Fourth Edition, Updated 2009)

A computer crime may be carried out by an employee using internal resources or by an unknown person acting in concert with a group or as an individual. Most computer crimes involve employees, vendors or others trusted within the company. However, a rising number of crimes are the result of external threats. Simply vetting employees through background checks and personality profiles is not sufficient to protect any organization. When it comes to both internal and external threats, the problem requires procedural protections to ensure access is granted on a need basis and monitored for abuse. Many persons caught stealing from their employer, for instance, are caught only after they have become so casual in their crimes as to make a mistake leading to their detection. Most of these persons have no criminal record and are otherwise initially productive employees who have earned the trust of their employer.


Several years ago the author was dispatched on a service call to a business that needed to “restore their accounting records from backup.” This business was a pay-as-you-go, break-fix client who refused any idea of hosted solutions or managed services. Their computers had been scheduled for backup every night and required someone to change the tapes daily. Each morning the tapes were changed and that evening the owner would take the latest tape home, returning the next morning with a tape for the current day. But the person responsible for changing the tapes was also responsible for keeping the company’s financial records (and for the petty cash box). The Friday before the author was called to ‘restore a backup,’ the company had terminated the bookkeeper—suspecting she had stolen several hundred dollars from petty cash. What the company did not expect was that she had also cut the tape inside every backup tape (all seven of them). When she found out she was being terminated and had returned to her desk to collect her possessions, she deleted the QuickBooks file and shutdown the computer. As a result, the author had no backups to restore and was forced to refer the company to a data recovery service, which charged more than $2,000 in fees to recover the deleted QuickBooks file. That file fortunately helped prove the fraud in this case, but the company lost several days of productivity where they could not accurately invoice their customers or maintain their payroll.


This example demonstrates the most common threat to small businesses. The lack of internal security measures is significant, trust-based and subject to the abuse of others. In this case, the author had a serious heart-to-heart talk with the business owner to explain what any freshman accounting student is told—the same person should not be responsible for both the books and the petty cash. Moreover, the same person responsible for the books or other record maintenance should not be the person responsible for the backups. This is a procedural safeguard that should be in place for each business but one which is often neglected. Yet the same client in this example could have been exploited by external threats as well. No one will ever know whether or not most small business networks have been compromised. In the above case, the company rarely if ever changed passwords. Every password was a simple dictionary word taped to the monitor of the bookkeeper’s computer, easily visible from the front window. Regardless of the author’s recommendations, this has never changed to his knowledge. Accordingly any enterprising criminal with a laptop could theoretically compromise this company with the same results as the now-former trusted employee.


External computer crimes—i.e. those requiring unauthorized access through technological intrusion—are harder to detect and recover from than internal theft. Internal theft, vandalism, sabotage or abuse is more likely to result in apprehension of the criminal since statistically most law enforcement professionals are aware that most crimes are committed by someone known to the crime victim. Often the employee criminal becomes so casual in their crime that he/she gets sloppy and forgets to conceal or destroy evidence or their behavior escalates to need a larger pay-off. Perhaps the employee started stealing small amounts of money to make rent “just this month.” Later, that same employee may realize how easy it is to steal a small amount and conclude that making rent “isn’t enough.” Next month, perhaps this escalates into stealing enough to make rent and take the wife out for dinner. Mentally the criminal justifies this as a “deserved pay raise” for his hard work and devotion to the company. Some criminals might even promise themselves that they “will pay it back.” Nonetheless, this escalating pattern often continues until the criminal is caught. As the incremental and total amounts increase, the business becomes more likely to see the missing funds and start investigating. Even where books are cooked, suspicions will eventually arise when the company fails to perform at the same level as its real revenues should show. As suspicions grow, regardless of whether proof exists or charges are filed, the employee is soon terminated and the crime ends. But for the external criminal using technical means to steal the same money, it is more likely that management will suspect a thief but fire a legitimate, honest employee (or several) before outside sources—such as law enforcement or credit card fraud investigators—report suspected crimes beyond the employee pool. At that point, the external criminal has a better chance to evade capture.


Almost every small business with which the author has worked has always wondered “why do people do these things?” This is a legitimate question for a business owner who prides him/herself for a solid work ethic and devotion to reputable entrepreneurial success. Why do people commit computer crimes? In 2005, the author was working with a very talented IT professional who enjoyed digging into these discussions. He was spending most of his time researching viruses, worms, Trojans and other malicious software. His answer to this question was more a road to the truth. He told the author, “Follow the money and you will know why they do it.”
Every criminal has entered into a pattern of deviant thinking that leads the person to desire a ‘pay-off’ disproportionate to the effort he or she is willing to expend to realize the same without regard for the rights, welfare or feelings of other people involved. This is not a genetic defect; it is not an overnight event. The criminal pattern is an evolution of selfish thought which concludes that the actor has an entitlement to some feeling, possession, experience, benefit or other gain without either the effort to earn this reward or the potential conflicting rights of others. Computer criminals are, therefore, no different than any other category of criminal—including robbers, rapists, thieves, drug dealers or embezzlers. All demonstrate this core personality defect and equally the ability to choose to change the same.


Each computer criminal has a different motivation and relation to the target network owner/operator. Given this two dimensional break-down, we can classify computer criminals and their likely strategies. Much like the broad category of ‘sex offenders’ that includes everything from age-inappropriate sexual relationships and exhibitionism to forcible rape and child molestation, the category of ‘computer criminal’ must be distilled to understand the individual and the risk each poses to society. This can be done using a grid like that appearing below:



In the above figure we identify several categories of computer criminal. To simplify our discussion, we will reduce this number to four: Free-Loaders, Thieves, Vandals and Disgruntled employees. In making this reduction we observe that the majority of these criminal classifications lie in the “known persons” end of the affinity spectrum, which is consistent with crime statistics what show most computer criminals know their victims or victim networks (and thereby are not completely anonymous). The remainder bridge between “known persons” and “strangers.” This includes the fraudsters, thieves, con-artists and free-loaders who carry similar motivational traits as well as the group of “vandals” whose pure motive is power through destructive means.


Viewing these classifications by Affinity and “destructive tendencies” we notice another trend emerges that is critical to our analysis of network security: most computer criminals prefer anonymity over destructiveness.



Only vandals and disgruntled employees are likely to act destructively when attacking a network. They are pursuing a revenge fantasy aimed at satisfying some internal need to feel powerful over their target and society. The majority of these destructive crimes will be attributed to disgruntled employees. Their power motivation might stem from a desire to cause humiliation or financial loss to their employer, while the power motivation of the vandal is purely anti-social. The vandal will tend to be a less mature person who sees himself as victimized by a society which does not accept or understand him/her. In the case of these two classes of computer criminal, detection of an attack is almost immediate. These attacks generally are intended to shock, devastate and leave evidence pointing at the attacker who consciously or unconsciously desires to be caught and credited for his work.


The thieves, fraudsters, con-artists and free-loaders share a common belief that they deserve the right to reallocate and use the property and services of others without payment. They are all at heart thieves. But the free-loader is set aside in his own category because his is a unique group. The freeloader is a thief, granted. But the free-loader differs from the thief in that he does not intend take more than the internet access he cannot afford or chooses to steal. He does not intrude beyond the network perimeter. Morally and legally this may not matter. But from an IT security perspective, this is a large difference. The free-loader is in many cases relatively benign. It is the remaining group of thieves which create the largest concern. They are motivated by the wealth of an organization and their ability to steal that wealth for their own gain.


When a criminal commits a crime, almost all experience a certain pattern of challenge and satisfaction that escalates as the crime progresses. Take for instance the free-loader: Psychologically this person experiences a false sense of superiority over others because of his/her technological expertise as he/she cracks a wireless encryption key. Physically the criminal will feel a rush at first but this will become less and less as he/she cracks more networks over time. In fact, almost all other categories of advanced computer criminal are initially freeloaders whose behavior patterns have escalated from cracking network encryption keys to more serious offenses. During the commission of the crime, the attacker will rationalize his behavior. For the freeloader this rationalization is that he/she is only using ‘spare’ bandwidth. He/she is not hurting anyone. Most commonly the excuse will include a statement that “If they didn’t want me using their network, they would use better encryption.” The reward for a free-loader is the free use of the internet, which represents a relatively small pay-off to a criminal seeking to embezzle thousands of dollars. Accordingly, this group possesses the strongest desire to achieve their goal through the least effort possible. Since they are accessing a secured network without the owner’s consent, they are considered computer criminals, though if an unsecured network were available, the freeloader would most likely use that network instead. However, offering free wireless as a deterrent to the freeloader is not an effective long-term answer, though it is a common practice. Those who choose this route must incur the additional costs of equipment and labor. Yet they will not have deterred the other more malicious criminals. Many in IT do not consider the free-loader to be more than an annoying pest unfortunately. The freeloader, however, has demonstrated that he/she prefers paying for nothing—and that may include his/her software, music, etc. This creates a potential danger for the small business owner whose network is used to download copyrighted materials, since the network will appear as the source of the download rather than the culprit. Further, the freeloader’s pirated software might include miscellaneous Trojans for other malicious software. Without antivirus in many cases, the freeloader becomes an unknowing vector for computer viruses that may infect the target company’s network.
Like the freeloader, the vandal too experiences a feeling of superiority over his victim that psychologically resembles rape. This person is often emotionally immature and does not see anything wrong with demonstrating his/her perceived omnipotence by destroying the work, or property of others. Like a common vandal, the computer vandal will intentionally leave visible evidence of his/her attack as a means of ‘bragging’ and claiming responsibility. This group of criminal will most likely not be deterred by free public wireless as in the case of a freeloader since his objective and the source of his “high” are the destruction of things considered valuable and/or ‘out of the reach of others.’ As the vandal’s behavior cycle escalates the value of the targets he/she selects will also increase until either the person stops altogether or crosses over into the thief category. Vandals tend to target organizations they feel have wronged them, such as employers, girlfriends, wives, former associates and vendors. That is not to say that the vandal will not attack a stranger’s system, since the high is less personal but no less capable of proving his perceived superiority.


Vandals and freeloaders are less sophisticated than most thieves. This excludes the embezzler who is often less sophisticated and has the skills to attack only a network to which he already has access. Instead, the more sophisticated thief tends to prize his anonymity. The embezzler is often closely associated with the business’s bookkeeping or financial system or those transactions which he targets. The thief on the other hand goes to great pains to never directly interact with the target network and to create disinformation incriminating other parties. Access to the network is a source of high for the thief, much like the vandal or free-loader. But this is simply a means to the greater end. Further, this person will make every effort to avoid leaving evidence of his/her intrusion, unlike the vandal. A thief engages in his behavior like a businessman. The longer he/she can maintain undetected, unrestricted access to and control over the target network, the higher the perceived return on investment he/she will realize. Once inside the network, this category of criminal seeks to exploit the target network either to—



  • Obtain/destroy information for his/her personal gain.

  • Conceal his/her identify for illegal or shameful online activities.

  • Leach off of expensive network resources, including theft of license keys


For example, a criminal may penetrate a business network to obtain proprietary internal information, contact lists, email addresses, account information, passwords, usernames or other information for sale to a competitor or other third party. A criminal may also seek to gain remote access to credit card transactions and sell the information about the target business’ customers to third parties or to make illegal purchases online. Finally the thief may also use the target network as a means of covering his other illegal practices. For example, the author found one story where a computer criminal had compromised a wireless network in order to upload thousands of credit card numbers stolen from yet another network to a web server on the internet. The criminal did not knowing that the web server he uploaded the information to was in fact being monitored by law enforcement, who quickly apprehended the site operators. He was only apprehended when he later returned to upload additional information. Meanwhile, law enforcement was mislead to believe the seller of the stolen credit card information was someone within the target organization and had started investigating the business. Later, the company would be exonerated, but even then, the damage to the business’ reputation had been done.


There is a common denominator in these classes of criminal that extends to all criminal activity. Persons ranging from the petty thief to the white collar embezzler all operate on a set of thinking errors which lead them to believe that they can create a fa├žade of success through a series of acts that lead to a significant pay-off without an appropriate investment of time and effort. Any small business owner can speak for the extreme amount of effort required to build a profitable business operation. Years of painful (often expensive) lessons may or may not culminate in success. Yet, the business owner works hard, pursues a goal and hopefully realizes the dream that started his/her venture. Unlike these entrepreneurs, the criminal wants the same reward but without the investment of time and effort. Criminals of all classes and kinds are people who believe in the get-rich-quick scheme that crosses the boundary between legal and illegal. To do this, they rationalize their acts through a series of self-statements to create a justification for what they are doing which is outside the scope of this discussion. It is sufficient for these purposes to stop and acknowledge that all criminals want a pay-off with a minimal amount of effort.


THE ROAD AHEAD



The process of solving problems starts with a definition of the problem according to its nature, scope and severity. If we responsibly define the problem as a failure to adapt the our circumstances and overcome the challenges, then the criminal becomes largely irrelevant. The nature of the problem becomes the lack of a proper IT support model, service level agreement and expectations to confront the criminal element in our environment. The scope and severity of our problem becomes a question of perspective. We can look at this from the perspective of a single business owner, as an IT provider or as a member of the society to which we belong. From these three perspectives we will see three different scopes. As a business owner we will define the scope as parts of our network (wired and wireless, server and workstation), but as parts of our organization overall we will see the procedural scope and the technical scope. We will find that the problem has thoroughly saturated the business with risk and liability. Meanwhile as an IT provider we see not only our internal risks and mishaps but the risks those mishaps represent to our clients and their own individual vulnerabilities as a whole. The risk each represents to the IT provider is significant in terms of reputation and income. Yet as a member of our society, we find that the problem has a greater scope. As customer’s of small businesses we ourselves find that it is our personal, financial and medical information which is at risk. We see the potential for economic loss that comes with failing businesses and a national security interest to ensure that a foreign power cannot use our dependence on technology as a weapon against us.


In the foregoing pages we have discussed the causes of our current situation. Yet this is only a starting point for a larger discussion of the exact problem—that is the exact weaknesses that could be exploited by a criminal for fun, feelings of power or malicious ends. In doing so, we will arm the business owner with the information and tools needed to have a meaningful conversation with his IT advisors. We will also provide the IT professionals serving the small business community with the information and procedures needed to conduct penetration tests on client networks as well as recommendations to secure those networks and ensure that every small business has the opportunity to compete effectively in the marketplace.


It is critical that both the business owner and IT professional have clear and effective understandings of the technologies implemented within any business. Owners must have open channels with IT staff and know what questions to ask. IT personnel must be held accountable and given meaningful measurable goals. Absent these factors, the small business is likely to realize his/her business has received mere paper promises in lieu of true IT support. The author remembers one business who received such a paper promise. The company’s line-of-business software developer had corrupted the CRM database. The vendor explained that the problem was not serious if they could restore the database from a backup tape. The business owner called her ‘computer guy’ but could not reach him. Two days later, after having been unable to use the CRM database to pursue new sales leads, the owner gave up on the ‘computer guy’ and called the author’s employer requesting a technician be dispatched to her office to restore the backup. A technician was dispatched to the site, but after a few moments he called the author and asked how he should handle the situation. The technician explained to the author how he had arrived onsite and found the CRM was hosted on a peer-to-peer workgroup running Windows XP Home Edition. The system which was acting as a ‘server’ for the CRM had been fitted with a backup tape drive but no backup software appeared to have ever been installed. For four years the business owner had diligently performed a written backup procedure where she rotated through a set of carefully marked and cared-for daily, weekly and monthly tapes. During that four-year period she had always believed she was protecting her business and customer information. But in the face of an emergency, she found that no data had ever been backed up. Her CRM database was lost unless the vendor could repair it or extract the information. When the author agreed with the technician that there was nothing really more that could be done about the non-existent backup than to move forward, the technician explained that he hadn’t called about that. He had called because he wanted to know what to do about the client, since he had never had one cry on him before. This is the type of ‘paper promise’ IT situation the author would rather never again see or hear retold. Every business owner should be afforded the courtesy of regular proof that the services an IT consultant delivers is not a paper promise. This includes all aspects of the technology implementation from backups to network security.


At present, there are many paper promises and few solutions.

No comments:

Post a Comment

Be civil, Do not violate the law and do not abuse the rights of others. As I once learned from reading Mark Twain, we all have the right to freedom of speech and the good sense not to use it unless we are willing to take responsibility for our words.