The case file
When your company stands to lose an expensive lawsuit or a lucrative contract, the cost of not securing your data comes into focus.
Neal sits in his spartan office above the El Segundo data centre. He wants to talk about the cases they're investigating to shed light on the problem - and his group - but he doesn't want to fuel corporate paranoia about bad publicity. So he agrees to talk without mentioning clients' names.
Neal admits that much of the cybercrime involves teenagers: "It's true, we get busy from Friday after school to Monday morning." But he says it's the sheer volume of hacking and criminal activity that is more shocking. "I knew that this was being underreported when I was at the FBI," he says. "But I didn't realise by how much until I came here."
It isn't all about teen geeks. Neal's first case at Exodus centred on a European client in a lawsuit with a competitor. In court one day the competitors showed up with a thick stack of e-mail messages from Exodus's client that they claimed had been mailed to them anonymously. In truth the competitor had hired a hacker to break into Exodus's client's network and steal its e-mail database. The hacker-for-hire, whom Neal interviewed later, ultimately came forward because he felt underpaid for his services.
Before he left the FBI, Neal worked a case in which a high-level executive was fired. While negotiating his severance package the executive broke into his former employer's server and viewed every document related to his termination. "At the negotiations this guy knew everything," Neal says, "and they couldn't figure it out."
This past spring, a high-tech client in California was in the running for a large contract that promised to make or break its business. Company executives detected something suspicious on their networks and contacted Exodus. Neal's group ran forensic tests on the client's servers to find that its primary competitor for the contract had broken into the network to steal trade secrets. "On that one," Neal says, sounding relieved, "we are working with the FBI."
On Guard
Why don't companies have better security? Because it's not easy - and it's expensive. A strategy for protecting your company from the security pros at Exodus.
- Define what's important.
You can't secure every machine, because it's too expensive. Pinpoint your most important assets - information you don't want anyone else to have.
- Guard it heavily.
You must have actively managed firewall and intrusion detection systems. Check www.securityfocus.com for a useful list of security tools, some of which are free.
- Develop a policy and enforce it.
The most basic security policy that Charles Neal encourages is requiring strong passwords for network access (at least eight characters - and no words): "There are programs that can find a word in a few minutes." You'll find prewritten security policies at www.baselinesoft.com.
- Keep your security current.
"Apply new patches!" barks Bill Swallow. If your tech guys are overburdened, hire somebody else to do it.












A good story. Preaching to deaf ears in Australia though. It's going to take a massive attack which brings down a high-profile company before people in Australia take security even remotely seriously.