There's a special place in heaven for people who try to tally up the losses from cybercrime.

They're generally trying to pry information about something that's not really well defined from sources that don't really want to talk about it. And, arguably, the best computer crimes are so deftly executed that they are never discovered at all.

So it's worth celebrating when we get any kind of credible data about this problem. It's even better when that data is Canada-specific, and when we have not one, but two studies to compare. They're even available for you to read.

IT security breaches are costing publicly traded Canadian companies an average loss of more than $637,000 annually, say researchers from the Rotman School of Business at the University of Toronto and Vancouver-based Telus Corp.

They reached this conclusion by running focus groups, then sending letters and emails to several hundred security professionals across Canada. They limited participation to organizations with 100 or more employees, perhaps because that's the happy hunting ground for Telus Security Solutions, which gets mentioned in media releases on the study.

Predictably, viruses and malware (software that has evil code embedded in it) led the list, with 62 per cent of respondents reporting them. Phishing attacks (those "we need to confirm your account" messages) were reported by 27 per cent. These numbers are roughly comparable to U.S. figures reported in the Computer Security Institute's 2007 survey.

What is surprising is the data on employees who go bad.

The Rotman/Telus report notes that about one in six Canadian respondents reported a breach relating to employee abuse, whereas the number was closer to three out of five according to U.S. respondents, "suggesting that an insider-related breach was slightly more than three times as likely to occur in an American organization."

Well, you could see it that way, or you might perhaps attribute the difference to Canadian firms being more lax in detecting and acting on insider-information abuse. Having been involved in investigating several Canadian cases of employees stealing corporate data, I can assure you that it does happen here.

The second study, commissioned by the Canadian Association of Police Boards (CAPB), concludes that while cyber incidents have risen significantly since 2001, and the increase and the patterns are similar in Canada and in the U.S., only a small percentage of incidents are actually reported.

This raises the critically important question of "whom do you call?" when you spot a cybercrime.

Your local police force may not have the expertise or the time to dig deeply into the problem. Law-enforcement officials report piles of PDAs and cellphones waiting to be properly analysed for evidence.

It took a high-profile media announcement by the Visa folks to get someone to delve into what appeared to be a gaping security hole with airport check-in kiosks at Toronto's Pearson International Airport.

As well, the TJX (Winners in Canada) case uncovered last year involved months of illegal data interception before it was stopped.

CAPB chair Ian Wilms says that the criminals have all the advantages. "We are struggling to keep up and every day we fall further behind," he says.

He adds that the pool of victims grows larger every day while the pool of perpetrators also gets larger, younger and more sophisticated. "This is a new era for police, fighting a new type of criminal."

One of the key recommendations of the CAPB report is a dedicated Canadian centre where law enforcement and various agencies can work together to combat cybercrime. There are several Canadian initiatives of this nature on the drawing board, and there's probably enough cybercrime to keep all of them busy.

Wilms is supporting the Global Centre for Securing Cyberspace, which already publishes a free email newsletter listing upcoming security events and describing newly hatched vulnerabilities.

The July 2008 cover story, Flaw Could Allow Hackers to Take Over the Internet, explains the concept of "cache poisoning."

This is a hole that corporate security administrators definitely need to plug.

Cache poisoning involves tricking the domain name server (DNS) computers that control Internet addresses. For example, if you're relying on a "poisoned" DNS, typing www.royalbank.com might take you to some hacker domain in Russia.

Keeping up with the bad guys is a challenge and some computer security researchers think the proposed new Canadian copyright act will tie their hands. Section 41.1 of Bill C-61 would make it illegal to possess "technological measures" that could be used to circumvent copyright.

Many researchers feel that studying these tricks should be legal as long as you don't misuse them. If you agree, there's an online petition you can sign.

As for the latest and greatest computer security threats, San Diego-based Websense, Inc. has just issued a disturbing report covering the first two quarters of 2008. It points the finger at some of the world's most trusted websites.

Websense researchers found that "60 per cent of the top 100 most popular websites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites."

These included well-known "social-networking or search sites such as search engines."

So, by making an innocent query, you might be exposing your computer to a nasty infection. Of course, it's a full-time job for people at Facebook and Google to keep you safe, but this report seems to say that the bad guys are getting ahead of the good guys more often than we would like.

The Websense report also confirms what we all suspected, that the URL is no longer an accurate representation of the source content from the webpage. So don't trust that bar on the top of your browser any more. The implication for companies, says Websense, is that organizations that enable their employees to view Web 2.0 technologies such as iGoogle Web portals or social-networking sites, wikis, and blogs, need real-time web-security protection to protect their employees and their essential information. You may have guessed that Websense sells just such a product.

Cybercrime has become a big business for both the attackers and the protectors. It's fast-moving, intellectually challenging and the stakes are high. This is why more and more bright young people are considering a career in some aspect of computer security. It's a good thing, because we're going to need each and every one of them if we're going to trust our computers in the future.

(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)