Think Like a Crook
Computerworld
Six years ago, I learned what it's like to get my phones phreaked (phone hacked) and my e-mail sniffed while researching Kevin Mitnick's life on the lam for the book The Fugitive Game by Jonathan Littman. I'm no rocket scientist, but I figured this Internet crime thing was going to be big. I just didn't realize how big. Just look at the following statistics:
Viruses were up 20% in 2000; as of the end of last year, a total of 53,000 viruses had been recorded, according to the Computer Security Institute (CSI) and Network Associates.
186 respondents to an annual CSI/FBI computer crime survey reported that their aggregate corporate losses due to computer crime were up from $120 million in 1999 to $378 million last year.
Internet-related fraud complaints to the Federal Trade Commission were up from 8,000 in 1998 to 23,000 last year (not including identity theft).
Internet-related child pornography cases opened by the FBI quadrupled from 700 in 1998 to 2,800 last year.
Bank and brokerage accounts belonging to Oprah Winfrey, Ross Perot, Steven Spielberg and several of the nation's top moneymakers were breached by a convicted swindler last month.
How did we get into such a spot? The medium that's so full of promise has gained a bad reputation among the very consumers businesses want to attract. Here's the answer: haste.
"The economics of the Internet are so powerful that to be competitive, everyone has been impelled to do some portion of their business over the Internet, whether e-mail or Web commerce or business-to-business transactions," says Shawn Hernan, vulnerability handling team leader at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. "So there's been this mad rush to get in on the ground floor without paying attention to all the details first - like security."
If the economy is any indication, that rush has passed. Take advantage of this slowdown to dust off your policies, evaluate what's working and what's not, and take inventory of your security architecture. Here are some tips to accomplish that:
1. Start by reassessing your level of risk, advises Mark Rasch, vice president of cyberlaw at Predictive Systems, an IT consulting company in New York.
"Even the Defense Department admits there are no electronic Fort Knoxes. So you have to take some risk. Just don't take overwhelming risks in your rush to beat the competition," adds Lloyd Reese, a consultant in northern Virginia.
2. Update your policy and technology so that