To deal with hackers who break into office systems through the Internet, it is important for information managers to understand their enemy well. If they have sound background knowledge about hackers, they might be prepared to deal with them much more effectively. Hackers are often well educated, mostly university or high school students, who try to break into systems for which they have no authorization. They deal poorly with people and have few friends and fewer relationships, but at the same time they are very smart. They therefore turn to computers, because they know computers will not reject them. Through bulletin board communication they can form social relationships, but those are behind the screen, where hackers feel shielded. (Pfleeger, pp. 12-13)
Hackers justify the crime of cracking systems by stating that nobody gets hurt. Hacking can be done without any conflict with another human. Hackers also usually work in groups, and when they do so they become more dangerous to office systems. By sharing information they manage to put together a solution that allows them to break into an office system. The news media has labeled hackers as mere children who play pranks. (Pfleeger, p. 13) Even Amy Wohl, a noted information systems consultant, states that "the hacker risk is the smallest of the computer crime risks." (Ray, p. 440)
Amy Wohl's statement is incorrect, because the hacking of automated office systems has caused millions of dollars in damages. According to the American Society for Industrial Security (ASIS), the increase in attacks by hackers through the Internet has jumped to 323% since 1992. Total losses to U.S. industry are approximately $2 billion per month. It is therefore essential for information managers to know about the different problems hackers can create for automated office systems through the Internet. (Anthes, "Hack Attack.", p. 81)
One of the main problems that hackers can cause is breaking into office electronic mail (e-mail) messages. This can be especially dangerous for office systems that use electronic mail as their main source of communication. Electronic mail on the Internet is as confidential as a postcard. After the sender transmits the message, it travels from one network to another until it reaches its recipient. Hackers can therefore easily break into electronic mail while it is traveling toward its destination. Further, when it reaches the recipient there will not be any evidence of tampering with the e-mail. (Rothfeder, pp. 224-225) Another tool that hackers use is called a sniffer. This software, which can easily be planted in an organization's system, works like a concealed recorder and captures e-mail messages as they are exchanged. (Behar, p. 35) Hackers value e-mail because it contains valuable information. They can find anything from secret strategic plans to the log-in passwords required to get into the office system. Once they have this vital information, hackers can gain access and cause major damage to the office system. (Rothfeder, p. 225) One of the victims of e-mail hacking was Wind River Systems. A software company, Wind River Systems has a communication system through which it exchanges e-mail with customers on the Internet. By trying a few passwords on the office system, hackers were able to access the systems of Wind River Systems in California and France. When an expensive bill for Internet access arrived, Wind River Systems found that hackers had gotten into its communication system. The company discovered that through the intrusions the hackers had obtained programming code which could potentially hurt the future performance of the company. (Behar, p. 33)
Penetrating electronic mail is just one way hackers intrude into and destroy office systems. Banks that have established office systems providing online banking services to clients also face problems. One of the first Internet banks, Security First Network, had to stop hackers from electronically breaking into account files in the first few months of its operations. In addition, Citibank's office system was hacked when a Russian hacker electronically transferred $11 million from New York to Finland, Israel, and California. These incidents leave many banks in doubt about whether they should have systems capable of providing customer service on the Internet. Instead, banks such as Chase Manhattan are collaborating with companies like Checkfree, Intuit, and Microsoft. The reason is that these companies offer private consumer banking networks that have powerful security schemes. Thus the cost of office automation would be justified, because hackers will not find it easy to break into banking networks protected by firms such as Microsoft. In contrast, other financial institutions such as Bank of America are willing to take the chance and implement their systems so that they can provide better services to customers on the Internet. (Rothfeder, p. 229)
One more deadly tactic that hackers can employ against office systems is to stop their connection to their respective Internet service provider (ISP), which hosts almost a thousand corporate web sites. This method is called denial of service: hackers interfere with office system communication so that the office system cannot gain access to its ISP. When office systems communicate with their ISPs they use a three-way handshake process, whereby they first send a signal, the ISP receives that signal, and then the ISP re-sends the signal to the office system so that a connection can be established. Hackers have found a way to disrupt this process by interfering with the last part of the three-way handshake. Instead of the signal going back to the office communication system, the hacker directs it elsewhere. Thus, the office communication system never connects to its ISP and therefore cannot obtain mail or connect to other web sites. This attack renders ineffective those office systems that have made the Internet part of their communication systems. There is no use for a communication system which cannot be used. Furthermore, if hackers can't break into the system, they can make many services of the Internet unavailable to the office. This violates one of the goals of information security. This presents a serious challenge to office automation specialists, who must now realize that even if their communication systems are tamper-proof, hackers can still deny them external communication. (Cobb, pp. 37-38)
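The stalled handshake described above can be spotted from connection records. The following is an added example, not part of the original paper: it follows each handshake through its three steps in constructed sample events and reports services whose handshakes repeatedly time out. The step names, the 3-second timeout and the documentation-range addresses are assumptions.

```python
from collections import Counter

TIMEOUT_S = 3.0                    # assumed: how long a handshake may stay incomplete
ORDER = ["SYN", "SYN-ACK", "ACK"]  # the three steps of the handshake, in order

# Constructed sample events, not captured traffic: (time_s, client, server, step).
# Addresses are from the RFC 5737 documentation ranges.
EVENTS = [
    (0.0, "192.0.2.10:40001", "198.51.100.5:25", "SYN"),
    (0.1, "192.0.2.10:40001", "198.51.100.5:25", "SYN-ACK"),
    (0.2, "192.0.2.10:40001", "198.51.100.5:25", "ACK"),       # completes
    (1.0, "192.0.2.10:40002", "198.51.100.5:110", "SYN"),      # reply never arrives
    (1.5, "192.0.2.11:40100", "198.51.100.5:110", "SYN"),      # reply never arrives
    (2.0, "192.0.2.12:40200", "198.51.100.5:110", "SYN"),
    (2.1, "192.0.2.12:40200", "198.51.100.5:110", "SYN-ACK"),  # final step missing
    (9.0, "192.0.2.13:40300", "198.51.100.5:25", "SYN"),       # still in progress
]

def handshake_states(events, now, timeout=TIMEOUT_S):
    """Map (client, server) to 'established', 'pending' or 'stalled after <step>'."""
    progress = {}  # (client, server) -> (index of last step seen, time of first SYN)
    for t, client, server, step in sorted(events):
        key, idx = (client, server), ORDER.index(step)
        if idx == 0:
            progress.setdefault(key, (0, t))
        elif key in progress and progress[key][0] == idx - 1:
            progress[key] = (idx, progress[key][1])  # accept only in-order steps
    states = {}
    for key, (idx, started) in progress.items():
        if idx == 2:
            states[key] = "established"
        elif now - started > timeout:
            states[key] = "stalled after " + ORDER[idx]
        else:
            states[key] = "pending"
    return states

def unreachable_services(events, now, min_stalled=3):
    """Servers with at least min_stalled handshakes that timed out unfinished."""
    stalled = Counter(server
                      for (_, server), state in handshake_states(events, now).items()
                      if state.startswith("stalled"))
    return {server: n for server, n in stalled.items() if n >= min_stalled}
```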
To combat the attacks of hackers, office automation specialists can employ a number of tactics to ensure that their office systems remain safe. Certain guidelines and technologies can be applied by information managers when they are in the analysis and design phase of office automation.
To begin with, information managers must maintain guidelines that minimize risk when using the Internet. These guidelines can take the form of rules for employee Internet usage. Their main intent is to limit use of the Internet to business purposes only. Most employees use the Internet for personal reasons, such as when they surf for sexual and pornographic material. This not only creates security leaks for the office system, but also makes Olson's Theory a strong phenomenon in the office environment. Employees are less productive in their work, which results in soft-dollar losses for the company. Nonetheless, controlling employee use of the Internet is nonproductive. The solution is to educate employees about the proper use of the Internet and explain to them the disadvantages that occur if the Internet is used improperly, while accepting the fact that employees will still look at web sites that are not business related. Nevertheless, it is wise to develop detailed Internet usage policies so that employees know the consequences of abuse. (Wagner, p. 55) According to Barry Weiss, a partner at Gordon & Glickson, a Chicago law firm that specializes in information technology legal issues, for the Internet to be used as an effective tool for communication, companies need "to define policies and procedures to avoid risk." (Wagner, p. 58) Another way companies can protect their office systems from hackers is by asking employees to develop and maintain smart passwords. Employees should not write down their passwords and leave them near a computer. They should create passwords which relate to people closely related to them. Also, they should not share their passwords with anyone, nor should they store their passwords in the computer. Passwords become hard for hackers to crack when they contain both upper case and lower case letters as well as digits and special characters. Further, they should be long and should be able to be keyed in quickly so no one can follow when typing on the keyboard. (Icove, pp. 135-136)
Having strict guidelines is one solution to minimize hacker intrusions. Employing technologies is another way to accomplish the same goal. One specific technology to implement in the office network is called a firewall. This tool combines hardware and software and protects the office network when it is connected to the Internet. A firewall analyzes data and accepts only the data that is approved by the information manager. The firewall collects all users in one area and checks whether they are performing an approved activity, such as sending electronic mail to clients. Since all activity has to pass through and be approved at one checkpoint, this tool is useful for controlling data and keeping logs of the user's activity. A firewall can be added to the office system in two ways: it can be purchased as a package from a vendor, or it can be built. Logically it is cheaper to build a firewall, a good choice for information managers who are operating on a strict budget. (Anderson, pp. 106, 108) Buying a firewall from a vendor can get very confusing, since vendors offer many varieties at many costs. There are more than 40 vendors in the market who offer new releases in less than a year. However, this trend is also changing. The National Computer Security Association (NCSA) has developed a program which will make it easier for information managers to select a firewall from the numerous packages. It will do so by establishing the performance standards needed for an effective firewall, and it will test and certify those firewall packages which meet these criteria. The certification concentrates on the security threats that are high for automated office systems. This includes how often hackers attack the firewall, how easily they can penetrate the firewall, and how much damage they cause once they penetrate it. Naturally, the lower the frequency in these criteria, the greater the chance that the firewall package will pass. Besides certifying firewalls, the NCSA will also collaborate with vendors to create standard language for firewalls and publish more documentation, so information managers have a chance to make a better decision when they are thinking of implementing a firewall in their office systems. (Anthes, "Firewall chaos.", p. 51) A firewall is not the ultimate solution, because it can't keep out viruses or traffic that goes to the internal network through another connection; however, "it is still the most effective way to protect a network that's connected to the Internet." (Anderson, p. 106)
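The single checkpoint described above, which accepts only approved activity and keeps a log, can be sketched as follows. This is an added example, not part of the original paper and not any vendor's product: the approved-activity list, the packet fields and the documentation-range addresses are assumptions. The last sample entry shows the limitation noted above, since the checkpoint looks only at addresses and ports and so passes approved mail even when it carries a virus.

```python
import ipaddress

OFFICE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed office range (RFC 5737)
# Assumed policy: the only activities the information manager has approved.
APPROVED = {
    ("out", "tcp", 25): "send e-mail to clients",
    ("in", "tcp", 25): "receive e-mail from clients",
    ("out", "tcp", 80): "browse web sites",
}

def decide(pkt):
    """Return (action, reason) for one packet; unapproved traffic is denied."""
    direction = "out" if pkt["iface"] == "inside" else "in"
    src_is_office = ipaddress.ip_address(pkt["src"]) in OFFICE_NET
    if src_is_office != (direction == "out"):
        return "deny", "source address does not match the interface"
    reason = APPROVED.get((direction, pkt["proto"], pkt["dport"]))
    if reason is None:
        return "deny", "not an approved activity"
    return "allow", reason

def checkpoint(packets):
    """Pass every packet through the one checkpoint and keep an audit log."""
    log = []
    for pkt in packets:
        action, reason = decide(pkt)
        log.append((pkt["src"], pkt["dst"], pkt["dport"], action, reason))
    return log

# Constructed sample traffic, not captured data.
SAMPLE = [
    {"iface": "inside", "src": "192.0.2.20", "dst": "203.0.113.9",
     "proto": "tcp", "dport": 25},                      # approved outbound mail
    {"iface": "inside", "src": "192.0.2.21", "dst": "203.0.113.9",
     "proto": "tcp", "dport": 23},                      # outbound telnet, not approved
    {"iface": "outside", "src": "203.0.113.50", "dst": "192.0.2.20",
     "proto": "tcp", "dport": 23},                      # inbound telnet, not approved
    {"iface": "outside", "src": "192.0.2.99", "dst": "192.0.2.20",
     "proto": "tcp", "dport": 25},                      # office address arriving from outside
    {"iface": "outside", "src": "203.0.113.9", "dst": "192.0.2.5",
     "proto": "tcp", "dport": 25,
     "payload": "infected attachment"},                 # approved mail carrying a virus
]
```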
Another method to protect data is the use of encryption technology. This is especially useful when data is sent through external communication systems, where there is a great chance of it being intercepted by hackers. Electronic mail can benefit greatly from this technology. Encryption is a software program which creates a key with two divisions: one is the public key and one is the private key. The public key is given to those with whom communication is usually conducted. After the electronic mail is written, the message is encrypted with the recipient's public key. Encryption places a digital lock on the message, so even if a hacker intercepts the mail while it is traveling to the recipient, the contents of the message are unobtainable. Upon receiving the message, the recipient uses the software to verify that the recipient's public key was used to encrypt the mail. After the confirmation, the software decrypts the encrypted message using the private key of the recipient. (Rothfeder, pp. 224-225) Moreover, two high-tech companies have teamed up to develop a hardware-based encryption technology. This is specially targeted at making electronic commerce safer to carry out over the Internet. Separating the encryption functions from the processor and handling them in a separate piece of hardware will make it much harder for hackers to intercept office data and will also free up much of the processing power required to encrypt large, important business documents. Multiple applications can use this encryption peripheral to make their data safe. If hackers attempt to break into the hardware encryption device, the data will be immediately deleted and thus be useless to the hackers. (Vijayan, p. 45)
Lastly, corporations can outsource their security needs to computer security firms that specialize in defending against hacker intrusion. One such company is Pilot Network Services. Pilot's clients hook their office system networks to the company's service centers around the country. This way Pilot is able to supply supervised Internet access. The system is run by a team of electronic specialists who monitor it on a 24-hour basis. Happy clients such as Twentieth Century Fox value Pilot's services because they get around 30 intrusions daily, which they are able to block. Sometimes Pilot's engineers let hackers into an office communication system to observe and learn about their activities, so they can be more knowledgeable about how hackers attack. (Behar, p. 36) Other forces that corporations can call in to protect their office systems are called tiger teams. These tiger teams hack their clients' computers to point out weaknesses in the communication system. This way the weaknesses can be corrected and the system protected. Tiger teams usually attack their client's system through the Internet, but they also warn that potential hazards can occur through other channels, such as operating systems. (Doolittle, p. 89)
In the current computing environment, it is essential for companies that use the Internet as their main source of communication to have a security plan. If a plan does not exist, the damages can mean failure for a company. Consequently, it is essential for information managers to employ the solutions presented in this paper when they are automating their office systems.
Anthes, Gary H. "Firewall chaos." Computer World, February 1996: p. 51.
Anthes, Gary H. "Hack Attack." Computer World, April 1996: p. 81.
Behar, Richard. "Who's Reading your e-mail?" Fortune, February 1997: pp. 29-36.
Doolittle, Sean. "Special Forces On Call." PC Today, May 1996: pp. 89-91.
Rothfeder, Jeffrey. "No Privacy on the Net." PC World, February 1997: pp. 223-229.
Vijayan, Jaikumar. "Making the Web a safer place." Computer World, April 1996: p. 45.
Wagner, Mitch. "Firms spell out appropriate use of Internet for employees." Computer World, February 1996: pp. 55, 58.