
CYBER-TERRORISM

Keith Flannigan

Presenter

Three questions we all want to know:

How big is the problem, and does it affect me?

How can we fix the problem?

How much does it cost?

First we must look at some of the various types of problems. We all know and read about the "Script Kiddies," the unskilled children who test their computer skills by attacking your system with software they have purchased from more skilled programmers. They may run random attacks on your system using password cracking software so that they can steal some files or cause some type of denial of service. One big advantage we have over this type of attack is that they rely on others for their information, and the chances of them causing a major loss are very slim.

The second type of hacker that we need to concern ourselves with is the type that sent out the "I Love You" Virus. These are more skilled individuals who have a bit more resources and are substantially more dangerous. We have found that most of these people get caught because the motivation for their crime is to prove they are smarter than you and your IT team are. Notoriety is their motivation; they must talk to their online and personal friends to tell them all about the attack to gain status. This leaves them open to being found out. They are dangerous and can cost us millions. One study that was conducted last year puts the cost of this type of attack at over 400 million dollars US.

This brings us to the real problem, the Economic-Cyber-Terrorist. These are the professionals; they don’t do it for the glory, the notoriety, or the laughs and kicks. They do it for the money, and in almost all cases you will never know that it has happened. They don’t have to prove that they are good; they know they are. They may have several motivations, from pure greed to the understanding that the economy controls the world and also their religions. You may be dealing with Intelligence Agencies, Governments, Militaries, Large Corporations or Political Groups. One thing that you can be sure of is that if there is a way to hurt your company, one of them will find it.

The more modern and technical we become, the more vulnerable we are to these attacks. The National Security Agency recently stated that there is the possibility of large scale attacks on critical infrastructure such as food supplies, power grids, air traffic control, and financial systems. They admit to attacks on the Pentagon Computers as well as the jamming of 911 systems and overwhelming military emails. The FBI is now using the Polygraph on their employees with access to their information systems.

As critical as attacks are on our governments, the real problems come from the covert attacks on our businesses: the times that your Information Systems are compromised and you never find out about it. How much does it cost your company if the power grid goes down and you are without power for the day? A good hacker can do this and make it look like a normal computer problem and not an attack. Or consider when the traffic lights are reprogrammed so that there are more "Red" lights in front of one coffee shop than the competitors down the street, forcing the traffic to stop in front of their shop.

The other side of this problem is the Terrorist who wants to kill large numbers of people without being caught. The computer has given him the ability to detonate bombs, start fires and cause havoc without even being on the same continent. When people feel that their identity is secure, they are much quicker to cause harm to others, as their fear of being found out is diminished. We will be discussing more of these techniques today.

Then you have the Governments that have geared up their intelligence staffs to make attacks on friendly and unfriendly governments and industry in an attempt to bring more business to their country or to destroy or damage competition in other countries.

One of the other problems is one that we in the security industry are bringing on ourselves. When a company goes out and hires a hacker to work on their system, or brings one in to speak at a meeting such as this, we hurt ourselves.

We would not think of dropping charges against a bomber and giving him a job in our business, so why would you hire a known hacker? Do you think that just because you give him a job he is going to stop his criminal behavior? When we hire one of these people and it goes on the front page of the newspaper talking about the outrageous salary that he will receive, we are sending a message to all the young "Script Kiddies" to keep hacking and practicing because they can get the big job also.

Another problem for your company is the liability it will experience when the known hacker is practicing his trade from your offices and you find yourself liable for his actions. A business in Atlanta lost the use of their system when they were pulled from the host server because of an employee who was stalking someone from their offices. The cost of printing alone can be substantial if you have to change all of your web or email addresses, not to mention the lawsuits.

We are all vulnerable to hundreds of different types of attacks. The upside is that you can prevent most of them without spending your pension plan.

A recent University study shows that it takes an average of 34 hours for your IT people to locate what a hacker did once you realize that your system has been hacked. This will cost you anywhere from $2,000 to $20,000 for each attack. This is truly a case where prevention pays. It will be much more cost effective for you to hire a good IT security person than to take the loss after a hit.

We can establish testing procedures and Firewalls to stop most of the Script Kiddies and inexperienced hackers. To stop the professional will require some education of your employees. Most of the attacks your company suffers will be from disgruntled current or past employees or contractors. Steps can be taken to limit this type of vulnerability. I would recommend that a good system of checks and balances be established, and be sure that everyone in the company knows that your IT team is monitoring activity. I also recommend that you have a check and balance system for your IT team. The size of your business and the amount of loss that is possible should determine the budget for your program. You don’t want to spend more preventing the loss than what the loss could be.

We have found that in most cases the IT Manager answers to someone so far down the chain of command that he is not listened to or funded properly. I would recommend that your IT manager report to the CEO or the President of the company. This will prevent someone with no IT skills from diminishing the problem before it reaches a level of management that can initiate the changes that would be necessary to correct the problems.

We hope that by the end of this presentation you will realize how big this problem can become if not managed properly from the outset, but also temper that reaction with a logical solution.

We are in the process of having checklists and guides printed. If you do not receive one, email us and one will be forwarded to you.

If you have any questions you may reach me at usgmi@worldnet.att.net or at 770-621-0023.

Thank you for your time.

Keith Flannigan, CIS, CCT
