Horse Sense #59 

In this issue:
  • Trends
  • Computer Crime is Pervasive and Costly
  • Are you practicing healthy computing?
  • The most resourceful adversary we know of

Trends
Flat panel (LCD) monitor prices continue a slow decline.  It is now possible to purchase a low-end 19” diagonal LCD monitor for under $350.  Monitor makers are differentiating their products with brighter displays, faster response times (good for fast movement, like games and videos), specialty uses (signage, TVs, touch screens), colors (black, silver, gray, white, cream, etc.), and enhanced properties (control from a network, special mounting abilities, swiveling and image rotation, USB ports, speakers, anti-theft modifications).  However, computer prices have dropped so quickly that monitors now make up an even larger part of the typical total hardware purchase.
Small system builders, backed by Intel, are introducing highly modular portable systems.  Almost all of the major parts of the system are interchangeable and upgradeable, making repairs and parts sparing easy. These parts include the keyboard, LCD panel, hard drive, optical drive, memory, AC adapter, and battery.  Over 70% of the world’s portable shells are manufactured by three companies that are members of Intel’s program and over 36% of the portables manufactured today are manufactured by “white box” (smaller, less well-known) manufacturers.  Most of the major portable manufacturers won’t be using these designs, at least for the near future, because of their investment in proprietary technologies and their ability to charge for those technologies.  While it remains to be seen whether smaller system builders can make a success of these new designs, larger customers love them.  They can choose among a number of vendors, have a greater probability of their vendor being local to them, easily vary the characteristics of their notebooks depending on the tasks to be handled, and stock fewer, less expensive replacement parts.  Some governments are already specifying such equipment.  Currently, the largest single supplier of desktops, servers, and laptops is the “white box” builder.  There is a real possibility that Intel’s idea will work and your next portable will have their modular design.
In an effort to reduce cost, heat, and noise, manufacturers are building more electrically efficient computers.  You can’t pack older blade or rack servers tightly together because of their heat output and massive power requirements.  You can’t build small and light portable computers with components that get too hot to function.  On a macro level, energy consumption is very important, as a single data center gobbles more power than 10,000 homes.  While the EPA’s voluntary Energy Star program has been very successful in increasing the power efficiency of monitors, lasers, and refrigerators, computers, especially servers, have been drawing more and more power.  Much of that power increase has been due to the processors they use.  High-performance, modern AMD and Intel processors require so much power and cooling that they cannot be used in some areas because of safety and reliability concerns.  Processor manufacturers are now designing processors for breathtaking speed AND more reasonable power consumption.
To improve performance dramatically without a dramatic increase in heat, processor manufacturers are building dual-core processors.  If you are running two processes that can be executed simultaneously, each processor can run one, effectively doubling your speed.  For example, antivirus, firewall, and other programs run in the background on your machine all the time.  They could run on one processor.  The other processor could run everything else, resulting in a dramatic speed increase in your applications as far as you are concerned.  By the end of this year, most desktops and servers will ship with two processors on a single chip.  Currently, dual-core processors do not command a twofold price premium over the processors they replace.

Computer crime is pervasive and costly
If your business hasn’t been struck by computer crime within the past year, you’re among a very small and fortunate minority.  According to the 2002 CSI/FBI Crime and Security Survey, 90% of 503 security managers in a sampling of U.S. corporations, government agencies, financial institutions and universities reported breaches within a twelve-month period.  Eighty percent attributed financial losses to these violations.  Spam, phishing, and other financially motivated attacks are tools for organized crime and industrial espionage.  The 2002 study showed that of managers with incidents, 82% reported attacks by independent crackers (some were hired to do attacks, some did it on their own), 75% reported attacks by disgruntled employees, and 38% reported attacks by competitors.
The cost of repairing damage done by theft or fraud, hackers, viruses or sabotage ranged from $1,000 to $50 million. The average was more than $2 million among the respondents who noted specific costs. Theft of proprietary information accounted for 20% of the instances in which specific costs were submitted, but resulted in the greatest financial losses, $171 million of the $455 million reported.
By contrast, malicious code attacks, i.e., worms, viruses, etc., were the most common security problem. More than 80% of the organizations were victimized by code attacks, but these occurrences accounted for only 11% of the financial losses. Still, viruses can make headlines when they strike. Many people have bad memories of 2000’s Love Bug virus, which came with an estimated $8.75 billion price tag. Not surprisingly, the Internet is the most frequent entry for attack and more than twice as common as an internal attack, which ranked second.  Today’s statistics show a big shift towards financially motivated attacks and the losses are increasing dramatically.
If you are worried about an attack or fear that you have been breached, call us.  We even have friends in the FBI and Secret Service who can help you track down your perpetrators and bring them to justice.

Are you practicing healthy computing?
Some simple networking and security questions that scare many half to death:

(1) Do you have an employee manual?
(2) Do you have an acceptable use policy for your network in that manual or a separate document?
(3) Do you train your people to be safe on the Internet?  Do you train them to use their computing tools effectively?
(4) Do you have a LAN and WAN network diagram, a cabling diagram, an organization chart, and an information flow diagram (how information flows through the organization)?
(5) Do you have a disaster recovery plan?  Do you have a business continuity plan?  (They are different.)
(6) What is valuable on your network and how is it protected?
(7) What do outsiders see of your network?
(8) Do you monitor and manage both what comes into and out of your network?  How?
(9) Do you have written policies, procedures, and standards?  Does management encourage that they be followed consistently?  What are the consequences of NOT following them?
(10) Do you know what government regulations apply to your organization?  For example, fire, building, and electrical codes?  Security regulations like HIPAA or Sarbanes-Oxley?
(11) Do you know that your backup is working?  Have you tested it?  How fast can you get back in operation if you lose a notebook?
(12) When was the last time your network and security systems had a checkup?  Was it before or after your last doctor visit?  Even if you have around-the-clock on-site technical help, when was the last time you looked to see if you were as “healthy” as you could be?

Call Iron Horse and we’ll help you if these questions make you nervous.

The most resourceful adversary we know of
To see a startling picture of a resourceful and relentless adversary we encountered and for more information on protecting yourself, click here:

©2007 Tony Stirk, Iron Horse