Defending The Net

Maybe the time has come for a neighborhood crime watch for the Internet? University of Michigan School of Information professor Jeffrey MacKie-Mason, PhD and graduate student Rick Wash think so. The pair are designing a "social firewall" that would let home computer users help each other with safe surfing. MacKie-Mason, director of U-M's Socio-Technical Infrastructure for Electronic Transactions (STIET) research program, likens the concept to community-submitted Amazon book reviews. "Some home computer users are sophisticated, and if their information is collected and summarized, it might help unsophisticated users … to set up good firewall rules," he explains. He imagines the tool, if successful, could be added to existing firewall systems that people use to protect their computers.

With the building of our first computer --the monster-sized ENIAC-- in 1943 for $500,000 (about $3.5 million in today's dollars), a new communication path was forged. And it's long been apparent that the real power of computing lies in the ability to connect with other computers. As technology giant Sun Microsystems, Inc.  articulates in its vision statement: "The network is the computer."

Along with good data shooting through the networks, however, info-cooties like spam, viruses, and malware can corrupt home and business computers, triggering information leaks and lost productivity. Thus, the worldwide market for network security software has grown from $8.3 billion in 2006 to a forecasted $13.5 billion-plus industry by 2011, according to Gartner, Inc. research analysts.

PC, Interrupted

Security starts at home; MacKie-Mason cites the increasingly powerful, unprotected home machines that are unwitting partners in crime – often because the owners have clicked on links that download hidden programs.

Warning: clicks can kill!

Reasonable estimates in the last two years suggest that web-delivered robots or spambots are using hundreds of thousands of home PCs to send over half of the spam in the USA and to propagate viruses and denial of service attacks, which can shut down busy websites such as Yahoo or eBay, he explains.

Business machine infections also have a big bang. "Typically and historically the threats have been generic, kind of blasted to everyone that had the same vulnerability on their networks – vulnerability in an operating system or in an application," Greg Guidice, president, CEO, and co-founder of Royal Oak-based network security company RazorThreat says.

Now specific companies are targeted, often by organized crime groups seeking to profit from the black market for personal information such as banking records and social security and driver's license numbers. Guidice goes on to explain that "the CIO of [IT security solutions provider] McAfee said the whole cyber crime market as a business itself has surpassed the illegal drug trade business in terms of the amount of revenue that's generated from cyber crime."

And these crimes are immense. Last year, major retailer TJX Companies, Inc. disclosed that nearly 46 million customer credit and debit card account numbers were unlawfully obtained from its records.

"When we move to new ways of doing old things, a typical and very natural social mistake is not to pay attention to recreating the infrastructure to support these activities that took hundreds of years to develop," says MacKie-Mason. The TJX incident illustrates that as the typical retail transaction has evolved from cash payments to the transmission of credit and debit card data via wireless devices, security measures can lag behind efficiency.

Guidice estimates the breach has cost TJX $5 billion to investigate and fix systems, address the legal and public relations ramifications, and notify those affected. He also figures that targeted companies can lose up to 7% of their customers and up to 4% of market value. "It's not about IT, it's general business risk. When you look at what's happened in these large organizations that have been breached, it affects the whole entity – the shareholders, employees, customers, the whole food chain," he states.

But it's not only bandits that are chinking the armor; Virginia Rezmierski, PhD, a professor in the School of Information at the University of Michigan and national speaker on security issues, says that often poorly trained personnel are the unwitting culprits. Her 2006 National Science Foundation-funded study, "Computer Incident Factor Analysis and Categorization", found over 430 security incidents at 36 colleges and universities and 20 corporations. Rezmierski recommends increased training and more explicit procedures for IT staff, the use of auditors to monitor IT policies, and analysis of security logs as some good defenses.

Additionally, a host of regulatory compliance requirements, from Payment Card Industry standards for businesses with a high volume of credit or debit card payments to the Sarbanes-Oxley Act for publicly traded companies, has heightened the demand for network security tools, says Sandy Kronenberg, president and co-founder of Netarx, a Farmington Hills-based computer network solutions provider. But system monitoring can be overwhelming for any mid-to-large sized organization; with "one firewall and the logs that would output from that, you're talking a million lines of information on a daily basis, and it's just impossible to comb through that regularly," he claims.

Battling the bots and data mining

To make for more expedient data analysis, RazorThreat --named Emerging Technology Company of 2007 by both Automation Alley and IT security magazine SC-- launched the Threat Analysis Console, which analyzes information allowed to cross the barriers of security equipment on the market.

"Our product is fundamentally based on 'from a security perspective or information perspective, who's allowed to talk to whom?' And that can be a person, network, business, division, or application," Guidice explains. The company's customer base consists of Fortune 500 retailers and financial services firms, insurers and health care providers, and military and civilian branches of the federal government.

With the accelerating business and government propensity to aggregate reams of personal data, Rezmierski sees the desire to mix disparate information sets together as problematic for network security. The implications for this are frightening. For instance, the Real I.D. Act of 2005 requires that everyone have a government-issued ID or an enhanced driver's license. "It's been pushed into the states to pull this off through enhanced driver's licenses, which is the perfect example of mixing these databases in ways that shouldn't be done. If it's ID you're trying to establish, that's an identification and authentication function, and has nothing to do with your authorization to drive a vehicle," she contends. "Just because we can connect all of these various databases, everybody is enamored by the idea of doing it, but it means you're opening a bigger target for malicious behavior and your exposure is huge. So it's the exact opposite direction of what good security management should be."

As technological capability and the desire to access ever more information online grows apace –take Internet search leader Google's recent creation of a new online health record repository– so too will the network security industry, which Kronenberg says is still a "nascent" space.

"You'd be shocked how many [companies with over 1,500 employees] there are that don’t have dedicated security professionals. … Now there's the visibility of those things like TJX, but at the end of the day it very often just doesn't create budgets unless there's actually been a breach or some sort of problem that's occurred with the organization – very little proactive, and a whole lot of reactive."