I rarely make a bet, but if you asked me whether I'd bet my bottom dollar on a firm employing a hacker to assess its security risk, I'd only accept on the basis that it would not. Hiring a hacker to assess the security risk of an organisation is something that fewer than 64 per cent of ISOs are willing to consider. That's hardly surprising when the risks are analysed alongside the statistics: viruses and hackers cost businesses worldwide somewhere in the region of $1.5 trillion. That said, organisations that are unwilling to hire a hacker face one growing problem: hiring a hacker is not always a conscious decision.

Hacker profiles

So let's begin by setting the scene. 'Hacker' is, by definition, a slang term. Adopted feverishly by the media after the release of the movie War Games in the early 1980s, it refers to those who invade, destroy, steal or modify data or programs on someone else's computer. Hackers gain access to computer systems or networks that they are otherwise unauthorised to access. These malicious hackers may be skilled (elite) or unskilled (script kiddies) and have many different motivations.

The elite are a handful. They are typically very technically adept and create most of the attacks and tools used for electronic crime. As the inventors within the hacking scene, they are the group responsible for the tools that access others' systems, be they web, database or other servers. Concealing their tracks, they look to break cryptographic systems such as passwords, Pay TV, DVD encryption, wireless network security and telephony; in fact, almost all the elements underlying modern telecommunications and computer systems.

The unskilled, the script kiddies, typically point and shoot with the tools produced by the elite. Whether malicious or not, this army of the semi-knowledgeable is responsible for countless incursions into data systems, website defacements and system outages.

A hacker's motivations lead to further categorisations, which may apply to the skilled or the unskilled: for example, 'hacktivists' with political, moral or anarchistic drives, cyber terrorists, organised crime groups, those involved in corporate and industrial espionage, and even government intelligence agencies. While the flaws may have been discovered and the tools produced out of curiosity, the results of that work are frequently used nefariously by the original authors and by others with malicious intent.

The problem

Determining the actual cost to business from hacking is difficult, as interpretations of data and definitions vary enormously. But, from the number of surveys conducted, many now believe that the worldwide cost lies around $1.5 trillion.

Although the published figures vary widely, the message from all of them is universal: hacking is on the rise, and so too is its impact. Regrettably, this increase is unlikely to go away as more people gain access to the internet. With a wealth of information instantly available, users have become technologically savvy and are immediately presented with feasible opportunities to acquire money, power and fame. Predictably, for some the temptation proves too much to resist and they begin hacking. But organisations are getting better at monitoring their systems for attacks, and consequently are getting better at noticing problems.

Again, establishing how many users turn to hacking is not easy. According to Dr Peter Tippett, chief technologist at security specialist Trusecure, there are about a million script kiddies, and the elite hacker community numbers around 11 thousand. Still, many crimes go undetected; a commonly held view in the information security community is that only about one tenth of all the crimes committed against, and using, corporate computer systems go undetected. And, if they are detected, they may not be reported. In fact, surveys indicate that only about 10 per cent are, as organisations fear that the potential for negative publicity is too great to warrant the risk of diminished business.

Unfortunately, the situation is likely to remain the same, as there are currently no incentives for organisations to report an incident, although the US and UK governments are trying to encourage more to participate. Exasperated by the pace of this, though, some organisations have decided to take the matter into their own hands.

In November 2003, Microsoft created a $5 million fund to provide rewards for information leading to the arrest of those responsible for the viruses and worms that are damaging its reputation and revenues. Working with the FBI, the U.S. Secret Service and Interpol, it has offered a bounty of $250,000 to help capture the perpetrators of the SoBig virus and the Blaster worm.

Jane Frankland is commercial director of Corsaire.