by Scott Laliberte

As more real estate business activity moves to the Internet, the security of electronically transmitted and stored data is becoming of greater concern. Companies in every industry are struggling to create secure systems that keep their assets safe while still operating efficiently.

According to the Computer Security Institute’s (CSI) 2001 Computer Crime Survey, 91 percent of the organizations surveyed reported a computer security breach in the past year. The CERT Coordination Center reported 21,756 security incidents in 2000, more than double the 9,859 incidents the previous year. In the CSI survey, 186 organizations were able to quantify damages of more than $377 million resulting from the security incidents.

Who is performing these costly attacks? The threat comes from many different sources, both internal and external. According to the CSI survey, 49 percent of the respondents suffered attacks from internal sources. Internal attacks can result from intentional or unintentional acts from disgruntled employees, persons seeking financial gain or overly curious employees. External hackers vary in skill and motive but all pose a threat to the security of a company’s information systems.

To break into systems and obtain unauthorized access, hackers exploit the numerous holes and vulnerabilities in today’s information systems. Many of these holes are the result of programming glitches, misconfiguration or human error. Every day several vulnerabilities in various programs and hardware devices are published on the Internet. From the time the hole is posted online to the time your organization fixes the problem, hackers have a window of opportunity to exploit the weakness and gain access to your systems.

There are hundreds of tools and web sites readily available to help hackers break into systems. From a simple search on the Internet you would be able to find port scanners, password crackers, war dialers and numerous other hacker tools. While the use of these tools is usually illegal, the hackers do not care. The fact that it is difficult for a company or the authorities to catch a hacker contributes to their willingness to risk engaging in this illegal activity.

While there are a number of specific fixes to help address each individual security hole that hackers exploit, they are often just addressing the symptoms of a larger problem. If a system administrator patches a particular vulnerability before a hacker exploits it he has avoided one hole. However, if the organization does not have an established policy and procedure to identify and patch vulnerabilities on a regular basis, it will waste time and resources inefficiently responding to various threats in a haphazard way.

This points to the need for an enterprise security framework featuring policies and procedures, technical solutions and architecture, managed deployment, and monitoring and maintenance. The policies set the tone and help shape the technical solutions designed to help enforce them. The organization must then manage the deployment of the technical solutions in order to achieve the desired effect. Finally, continuous monitoring and maintenance will help prevent new holes from opening and enable a real estate company to respond rapidly to new threats.

Scott Laliberte is a manager in Andersen’s Technology Risk Consulting group and is the co-author of the recently published Internet security book HACK I.T. (Addison-Wesley Professional, February 2002).