IT security expert Laura Chappell has some tricks up her sleeve when it comes to auditing a company's security systems.
The US-based consultant sometimes arranges a fake meeting at the target company just to see if they will leave her alone in a room with a live jackpoint into their system.
If they're silly enough to do so, she can have a device hooked up to their network and trawling for sensitive information within minutes.
The tools of her trade - password-cracking, scanning and key-logging software - are stored in a pair of USB drive earrings and she also has an iPod Nano programmed to search out and copy all documents containing the words "confidential," "signature" or "agreement" from any PC it is connected to.
"A lot of this is to show people what they're up against," says Chappell, who visited New Zealand last week for a whistle-stop round of corporate training.
Corporate staff remain naive, she says, when it comes to all aspects of IT security - from allowing unknown potential hackers through their office doors to downloading viruses and spyware onto their networks.
There is also a naivety and lack of understanding that the most serious attacks on a company's IT networks and databases can be carried out by staff from within the organisation.
"We're seeing that some of the really big jobs that the [US] Department of Justice is prosecuting are inside jobs. Everything from emails that leak confidential information, to a user that sits inside a company and accesses a website that downloads a bot to their system that then key-logs everything they type, to an inside employee who tries to sell confidential information about the business."
So what does Chappell suggest businesses do to mitigate the dangers of IT attacks and espionage?
She recommends starting with a full security audit of the business's network. That should be followed up with a risk analysis, to determine what parts of the network are the most important to protect.
Those important parts will probably include the company's databases, holding vital and sensitive customer and product information, everything from client credit card details to confidential contracts.
"Focus in on those instead of trying to secure everything in one shot," Chappell suggests.
The next phase is carrying out a "penetration test" or "vulnerability test" on those identified areas of the network to check whether they really hold up under attack.
"So it's a whole process you go through from a risk analysis - to define what's important - to doing a full audit to find out what you really have," she says.
"Most companies have no idea what they really have, hardware and software-wise. Then you go through and lock it down and go through and test the locks."
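The keyword sweep described earlier (an iPod searching a PC for documents containing "confidential", "signature" or "agreement") is a few lines of scripting, and the same scan, run by the defender over its own file shares, is a crude first pass at the "find out what you really have" step of the risk analysis: it shows where the sensitive paperwork actually lives. The following is an added illustration, not Chappell's tool or anything from the article; the keyword list, the file-size cap, the plain-text-only handling and the sample files are assumptions made for the example.

```python
"""Keyword sweep over a directory tree: find files whose contents mention any
of a small set of sensitive words and report which words matched.  Added
example for this article, not Chappell's tool; keyword list, size cap and
sample data are assumptions."""
import os
import tempfile
from pathlib import Path

# Assumed keyword list, taken from the words quoted in the article.
DEFAULT_KEYWORDS = ("confidential", "signature", "agreement")
# Assumed cap so a sweep of a share does not stall on huge files.
MAX_BYTES = 5 * 1024 * 1024


def scan_file(path, keywords=DEFAULT_KEYWORDS):
    """Return the tuple of keywords found in `path` (case-insensitive),
    in keyword order, or () if none matched or the file is unreadable."""
    p = Path(path)
    try:
        if p.stat().st_size > MAX_BYTES:
            return ()
        data = p.read_bytes()
    except OSError:
        return ()
    # Only UTF-8 text is inspected here; a real tool would also open
    # Office and PDF containers.  Binary files are skipped.
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return ()
    return tuple(k for k in keywords if k in text)


def find_sensitive(root, keywords=DEFAULT_KEYWORDS):
    """Walk `root` and return {relative_path: matched_keywords} for every
    hit, with paths normalised to '/' separators and sorted."""
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            found = scan_file(full, keywords)
            if found:
                rel = str(full.relative_to(root)).replace(os.sep, "/")
                hits[rel] = found
    return dict(sorted(hits.items()))


def build_sample_tree(base):
    """Constructed sample files (not real data) so the sweep runs offline."""
    base = Path(base)
    (base / "legal").mkdir(parents=True, exist_ok=True)
    (base / "legal" / "nda.txt").write_text(
        "This Agreement is CONFIDENTIAL.\nSignature: ____\n")
    (base / "legal" / "memo.txt").write_text(
        "Please add your signature by Friday.\n")
    (base / "notes.txt").write_text("Lunch on Tuesday; bring the slides.\n")
    # A binary file: must be skipped, not reported.
    (base / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n\xff\xfe\x00binary")
    return base


def demo():
    """Build the sample tree in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sensitive(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, words in demo().items():
        print(f"{path}: {', '.join(words)}")
```

Point it at a mounted share rather than a temp directory to turn it into the inventory step; the output is a list of the directories the audit should start with, which is exactly the "focus in on those" prioritisation Chappell describes.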
Chappell believes it is only a matter of time before a major company is ruined as a result of an IT security breach.
She says New Zealand and US business bosses share an ambivalent attitude over security; they know it is an issue, but are convinced it is going to hit another company, not their own.
The difference between the two countries, Chappell says, is that in the US, a series of high-profile cyber-crimes and a clampdown on corporate governance means that regulatory commissions are compelling CEOs to certify that their systems are secure and are being monitored. Reporting of security breaches, such as the theft of customer data, is also mandatory in the US.
"We don't have that type of regulation here in New Zealand," says Darryl Grauman, principal consultant at IT services company Axon.
"If a laptop here gets stolen and it contains a client database or some confidential client information, there's no requirement on us that we have to disclose that to the rest of the client base - that their information is sitting out in the wild somewhere."
He agrees with Chappell that the attitude of New Zealand businesses to IT security is that they know there is a potential issue but are prepared to accept the risk because it hasn't seriously afflicted any companies here yet.
"Skimming [of ATM card information] was a great example. We didn't know about it and we didn't start to protect against it until it really hit us," Grauman says.
Chappell says the increase in sophistication around IT scams and breaches means there is a strong demand for IT security professionals working in the areas of forensics, auditing, reconnaissance and investigation.
"We're very short on forensic investigators in the States and we're seeing a huge rise in the need for that," she says.
Staff key to stealing your data