©2003 IDC
#3577
And even with the best of intentions, IT departments do not always upgrade all their
systems with the latest security patches, sent out by application, antivirus, and
operating systems companies when they discover flaws that allow outside
penetration. The hacker community knows about these flaws and cruises the Internet,
looking for systems that lack the updates.
Once inside the network via a vulnerable client node, a hacker with malevolent intent
has all the privileges accorded the legitimate user of that client: access to files,
programs, system resources, and, potentially, other users' PCs. And if the hacker is
sufficiently sophisticated, he may be able to grant himself privileged status and get at
the most sensitive areas of the network, turning computer after computer into a
captive resource. From this position, he can destroy or alter files, corrupt programs,
erase nonvolatile storage devices, and co-opt system resources to carry on further
mayhem.
Thus, even if other security measures — such as physical access control, firewalls,
network security, software security, database encryption, and server-level intrusion
detection — have been instituted, the client node may represent a weak point in the
corporation's armor. Improved authentication on all nodes would help mitigate this
situation. No network is safer than its least-secure node. A full security perimeter
necessarily involves a solid defense at the client level.
THE ADVENT OF ECOMMERCE AND THE RISE IN THE VALUE OF DATA
Why should client security matter more now than it has in the past? Until recently, few
organizations had a need for systematic data security. Banks and other financial
institutions had to ensure end-to-end security for storing and moving money around
over wires. Certain government agencies could only operate in an impregnable data
fortress. But the volume of valuable data being stored and transmitted by most firms
was relatively low. All that is being changed by the advent of electronic commerce.
A tremendous amount of value is already flowing through the Internet. And far more is
coming. IDC estimates that the value of Internet commerce was $50 billion in 1999,
and this figure will grow by several orders of magnitude to $1.7 trillion worldwide in
2003 (see Figure 1).
This value takes many forms. For individuals, the stakes range from credit card
number loss to identity theft. But for corporations and governments, the value of the
intellectual property inside the computer can be astronomical and, as in the Microsoft
case, sometimes incalculable. However large the threat is to individuals, it is far
greater to corporations. In the corporate world, there are a host of values to be lost —
money, first and foremost. Losses from fraudulent actions can be enormous, in the tens of millions
of dollars in a single transaction. Value is also represented by nonfinancial assets,
such as intellectual property, business plans, and strategic documents. Pilferage of
corporate secrets could lead to a loss of competitive advantage, potentially
condemning a firm to death by slow strangulation.