www.WeAreAble.com

 

 

Enemy is often within

Beach firm works to protect businesses from cyber crime and terrorism
By Carol Lichti

Photo by Steve Morrisette  

 

Jack LeGrand looks serious when he talks about cyber security.

Dressed in a black double-breasted, pinstriped suit, LeGrand could be mistaken for a Secret Service agent, except he has no radio device in his ear and, instead of protecting the president, his mission is securing companies’ IT systems.

 

        His business, Able Information Security in Virginia Beach, guards the computer and Internet systems of clients.... A small company with only a handful of employees, Able has a network of 85 engineers and specialists it can call in for projects. The firm, which also has offices in McLean and Richmond, is one of the few in Hampton Roads that deals only in information technology security.

     Since Sept. 11, citizens, businesses and government officials have taken a new look at the country’s vulnerabilities and started to realize that cyber attacks could mean serious business.

     “Before, we would be sitting across from people who would respectfully make a comment about the likelihood of something like that happening to them,” LeGrand said. “Now what we are seeing is a distinct, undeniable change in the sense of urgency by CIOs and IT managers.”

     The Internet is a great connector, making the hacker in Russia or Pakistan as close as the person in the next room. Cyber attacks can come through malicious computer programs called viruses or worms such as Code Red and Nimda that spread from machine to machine deleting programs and information.

     When hackers gain control of many computers and flood a company’s system with information to shut it down, the company has been hit by a denial of service attack. Another threat is unauthorized intrusion in which hackers are able to enter the system by uncovering passwords to steal information such as credit card numbers and proprietary information. Or hackers might change what is on a Web site to send the public false or harmful information.

     LeGrand is working with officials with the state and the Federal Bureau of Investigation to help educate and inform the IT community. He organized a security summit for IT officers earlier this month at the Clarion Hotel on Bonney Road in Virginia Beach.

      “Two of the hijackers in the terrorist attack stayed there last year,” LeGrand said. “They walked the same halls that we walked. I asked those who were there if they knew who was walking the halls of their networks.”

      While LeGrand’s motives for harsh warnings might be driven by his company’s bottom line, his business was growing even before the terrorist attacks.

      “Before Sept. 11, we were growing revenue-wise substantially,” LeGrand said. “We have a long lead time in business. We will expect to see the impact of Sept. 11 in the spring.”

     But others echo his concerns and even paint a more serious picture.

     “Cyber crime may be quickly becoming the forerunner of cyber terrorism,” said Harris N. Miller, president of the Information Technology Association of America, at a cyber defense conference in Washington, D.C., in October. “Terrorists may soon be using our critical information infrastructure against us.”

     Cyber terrorism refers to cyber attacks that endanger life or could inflict bodily harm, such as hacking into the controls of a nuclear power plant or a facility that handles hazardous materials.

      While terrorists haven’t yet used cyber attacks as a weapon, cyber crime appears to be on the rise. A computer security survey of 500 companies taken earlier this year by the Computer Security Institute and the FBI showed that 85 percent experienced intrusions of their systems and 64 percent suffered financial losses that totaled more than $377 million.

     Worse yet are statistics that show that 98 percent of all hacking attempts go undetected, LeGrand said. And of the 2 percent that are detected, more than 90 percent go unreported to law enforcement agencies.

      “Companies fear that officers will seize their computers and shut down their business,” LeGrand said. “They also worry that the incidents will be publicized in the press.”

     To help share information, the FBI is working with private industry on a program called InfraGard in which local FBI officials meet with IT professionals. Chapters have formed in Norfolk and Richmond, where a meeting is planned next month.

 

       Information exchanged is confidential, which means the businesses won’t risk publicity about cyber attacks they’ve encountered, but law enforcement officials will be aware of the attacks and will be able to provide the IT professionals with important information.

     IT managers can apply to join the local InfraGard chapter by calling a local coordinator. In Norfolk, call 455-0100 and in Richmond, call (804) 261-1044 for information. The program also has a Web site at www.infragard.net.

     Members can join as secure or non-secure members. Non-secure members complete a one-page application for access to meetings and information. Secure members go through a more rigorous application process and background check to eliminate any hackers and to make sure those receiving sensitive information about competitors won’t use it against them.

     The enemy is often within. More than 80 percent of hacking occurs through authorized users, LeGrand said.

     “They are either greedy, disgruntled or curious employees or business partners,” LeGrand said.

     Or they may have a more vicious intent.

     “Malicious insiders are the greatest threat to our critical national infrastructures,” according to a report written since the attacks by the Institute for Security Technology Studies at Dartmouth College. The insiders are armed with privileged access to specialized systems that can cause great harm.

     “The tragedy of Sept. 11 illustrates that terrorists live and operate within the United States, obtaining specialized skills with deadly intentions,” the report said.

      Businesses need to have internal safeguards, said Bob Cohen, senior vice president of the Information Technology Association of America. Many err by not having the right policies in place.

     “They need to maintain cyber hygiene by making employees be careful with passwords and developing processes or methodology for the company on how often to change passwords,” Cohen said. The cost of good security can be less than what a company would pay an entry-level engineer a year, he said.

     The Gartner Group, a technology analysis firm, reported this year that U.S. companies are spending 0.4 percent of their revenues on network security. That number is expected to rise in 10 years to 4 percent. Projections before Sept. 11 were that the cyber security industry would reach $300 million by 2005 and $2 billion in 2007.

     Government may help spur the industry. The ITAA has proposed $10 billion in federal spending, grants and loans to boost cyber security at the federal, state and local government levels. The proposal includes $500 million for universities for information security training and $4 billion in loans to small and medium-sized businesses for increased cyber security.

     For LeGrand, Able Information Security, which he started with his partner Steve Odinetz in 1996, has been growing.

     “Our revenue will be five times this year as last year and next year, I think it will be eight times that,” he said.

     The company plans to expand next year, adding a West Coast office and another in the South.

     Able’s clients are varied, with 25 percent in government, 30 percent financial, 20 percent medical and the rest in general businesses. The company provides security by assessing a business’ system to find weaknesses and judge effectiveness. Technology tools such as firewalls, intrusion detection software, antivirus programs and internal security measures are available.

     The company also has a security operations center with secure Web access so that companies that use the service can check to see if attack attempts have been made. The center monitors the companies’ systems round the clock, checking for repeat users who might be patiently trying to break in.

     Alarms go off if an attack appears imminent, and the company is alerted.

     But LeGrand admits that no system is perfect.

     “Our mission is to mitigate the risk,” he said. “We can’t eliminate it, but we can mitigate it.”

 
