The Problem

According to Financial Times (April 1997), a network is hacked into every 20 seconds. Using techniques such as eavesdropping, phone system tampering, and IP spoofing, an increasingly sophisticated cadre of hackers is gaining access to corporate assets. The targets of these attacks, according to the Computer Security Institute of San Francisco, CA which sponsors a research survey with the FBI every year, are most likely to be financial and medical institutions. This means that financial transactions, medical records, and credit histories — information of the most personal and confidential nature — are at risk.

And what about the actual monetary costs of these attacks? According to "Trends in Intellectual Property Laws," a study from the American Society for Industrial Security (ASIS), the losses from intellectual property theft for US-based companies worldwide are estimated to be $24 billion annually. Computer hacking was ranked second as a means of acquiring this information. Extortion alone has cost companies, mostly financial institutions, over $600 million in the last three years, and possibly much more due to the reluctance to report such cases, according to the Sunday Times of London.

According to the Computer Security Institute, losses from 249 organizations surveyed totalled $100 million, for an average loss of $402,000. These are just the costs of actual theft. The research and forensics costs in systems, personnel, effort, and lost time and productivity are often not accounted for in the loss estimates.

Despite the particular vulnerability of firms in the medical and financial industry, no corporate network is immune from attack, misuse or intrusion. An understanding of typical attacker behavior and intent helps to understand what a corporate network needs to identify and protect against becoming a target.