Last Updated: Thursday, 11 August 2005, 20:36 GMT 21:36 UK
Cracking the code
By Jeremy Scott-Joynt
BBC News business reporter

[Image: web cafe. Caption: Intrusions can come from anywhere - including the office next door]
On the face of it, watching lines of code scroll down the monitor is a tedious pursuit.

Not this time. Each line reveals a dirty secret, a hole in my target's defences thanks to a mistake by the gatekeepers of the network I want to penetrate.

A few clicks and the software I have at my disposal, all of it freely available for download, has burrowed its way in, past two or three layers of protection, and established a thread leading back out.

I can do anything I want now: steal confidential information, damage networks and - most insidious of all - install tiny programs to tell me what my target machines are doing, every minute of every day.

Hands on

Thank goodness the target network is a dummy one, set up for training purposes, and that the five people sitting next to me are, in fact, the good guys.

One might well ask why they need to know how to crack open the systems they are meant to be protecting.

"You need your IT people to be armed with as much knowledge as possible to keep up with the bad guys," says Alan Phillips, managing director of 7Safe, which provides the training.

"If you don't have a hands-on understanding of how it's done, you're not equipped to stop it."

This kind of penetration, or "pen" testing, is now mainstream in the IT world. It forms an integral part of the discipline of information security - which also includes vetting IT staff, setting up policies on passwords and making sure data is backed up safely.

In other words, it's an audit.

"If I call it that, it does sound boring," says Mr Phillips. "But that's what it is. No-one thinks twice about having people to audit the accounts, and we're essentially just the same."

There is even a British standard, BS7799, for which organisations can apply, to demonstrate they're taking the issue seriously.

Learning curve

Not that the message has entirely sunk in yet.

The National Hi-Tech Crime Unit (NHTCU), the UK's specialists in law enforcement online, surveyed businesses earlier this year to discover their experiences of computer crime.

It estimated that £2.4bn in damage was caused every year to firms with more than 1,000 employees.

Even so, more than a third had never carried out a computer security audit, and more than half of IT staff in large companies had no formal security qualifications.

Know your enemy

Amid all the headlines about phishing, viruses, trojans and other computer-borne risks, this could seem somewhat complacent.

The warning signs have been there for a long time, and industry regulators are worried about the potential for computer crime to cause trouble.

The Financial Services Authority (FSA), for example, surveyed the financial institutions it oversees in 2004.

It called for pen tests to become much more routine to protect the ultra-sensitive information firms held about their customers.

"Industry experience suggests," the report said, "that penetration tests always lead to findings such as the discovery of old, unpatched software or dangerous services running on web servers that would permit a hacker to enter a system."

With modern penetration techniques, it may only take one such loophole to give an unfriendly intruder access to sensitive information.

How, not who

Which is precisely why pen testing courses are springing up all over the country.

As a result, more and more IT staff are becoming aware of the tools and techniques required to probe a network and then penetrate it.

[Image: Sumitomo Mitsui's London offices. Caption: Sumitomo suffered an insider attack]

Larger organisations can afford to have staff trained in this kind of activity.

For smaller firms, there are plenty of external contractors who can test their systems for them.

Outside consultancies can also come into their own if the worst does happen - but not just to track down the perpetrator.

"Often we're asked to come in, not so much to look at the 'who' but the 'how'," says Simon Janes, international operations manager for forensic computing consultants Ibas.

"We're needed to work out how a network was compromised, so we can stop it happening again."

Open door

It's obviously in the interest of the computer security industry to get the message out about the kind of threat that faces organisations, both in the UK and elsewhere.

But the risk, whether from insider or intruder, is real.

The NHTCU, in its survey, found that almost nine out of 10 large firms in the UK had experienced some kind of computer-related security incident each year.

It could be as obvious as a virus, hitting the network thanks to an e-mail opened by a careless employee.

Or it could be an insider installing sniffer software on your systems, as happened to Japanese bank Sumitomo in 2004 as part of a fraud which almost netted its perpetrators £200m.

Either way, the figures may be a wake-up call for those firms which aren't yet auditing their systems as they would audit their books.

Because someone sitting at a computer somewhere - in the next office, down the road or on the other side of the world - could be looking at your systems right now. And smiling.
