First they came for the video games, launching an attack in April that siphoned millions of users' personal information from Sony's PlayStation Network that shut it down for weeks.
Then they came for the banks in May, purging the names, account numbers and email addresses of 360,000 Citibank customers.
They came for the government organizations this month, attacking the U.S. Senate and the International Monetary Fund over the course of a single week.
The question is: Are hackers coming for your organization's system next? If they haven't already gained access, security experts say, there's no doubt they're trying.
"I've never been in a time where I got asked by a corporation's board of directors, 'Will we be next?' " said Kevin Richards, president of the Information Systems Security Association International, headquartered in Portland, Ore.
"There's certainly a fair amount of consternation and fear. This is something that's a very real economic issue, and organizations are struggling with that."
A recent study of security professionals by the Ponemon Institute in Michigan said 90 percent of professionals at large companies in the United States, Britain, France and Germany had seen at least one breach in the past year and that 59 percent had two or more, according to a New York Times report.
Eric Irvin, a Houston-based security analyst with Alert Logic Inc., says it's time to fight fire with fire when it comes to cyberattacks.
His theory is that security experts are held back from catching the bad guys by ethical obligations imposed by security certification organizations such as ISSA, in addition to being bound by laws and their own moral reservations.
He presented his idea under the provocative title, "Nice Guys Finish Last -- Why Doing the Right Thing Sucks," at the BSidesPittsburgh computer security conference held on the North Side on June 10.
"The strange juxtaposition of being in security is you're expected to be as talented and good as the bad guys, then you're expected to put one arm behind your back when you're fighting the bad guys," he said.
But there's good reason for setting standards of conduct, according to Mr. Richards.
He defended the security association's six-point code of ethics, which tells professionals to stay in compliance with the law, promote current best practices, maintain confidentiality, avoid conflicts of interest, avoid intentionally damaging an individual or company's reputation and to conduct duties with diligence and honesty.
"We would never say it's OK to break laws," he said. "That's talk of vigilantism, which has never worked in any construct. "
He added security experts should focus on containing the problem, collecting evidence and turning it over to law enforcement agents to push for prosecution.
Even if cybersecurity were as simple as hacking the hackers, Mr. Irvin noted that innocent bystanders would most likely take the hits because hackers use other people's systems to do their dirty work. He raised the example of a company he worked with that had malware attached to its system that was sending out private data.
"Our guys could easily take the malware, look inside of the code of it and figure out how to hack back into the criminal's network that started the attack.
"The problem is, more than likely that system wasn't even owned by the bad guy, it was another system he had compromised. If we connect into that system, that could be another company that's paying another company to look into their networks ... and we're just as bad as the bad guy in that case."
Marty Lindner, principal engineer for the Cert Program at Carnegie Mellon University, said catching hackers internationally was another roadblock.
U.S. law enforcement efforts to catch hackers outside the country are dependent on another country's relationship to the United States as well as its own laws regarding cybercrime. The arrest last week of a British teenager linked to the group Lulz Security -- which claimed responsibility for hacking the U.S. Senate and Arizona's Department of Public Safety -- was the result of a joint effort between the FBI and Scotland Yard. However, the attempt to prosecute could have hit a dead end if the source was in a country without clear cyberlaws.
The Cert Program, part of CMU's federally funded Sofware Engineering Institute, establishes and maintains communications among security experts who address major attacks.
"An attack coming from a place like Canada, the cooperation and laws are fairly convenient to get things accomplished," Mr. Lindner said. "But other countries don't have laws like we do, and it's not a crime. If it's not a crime, then there's nothing we can do about it."
Stewart Baker, former National Security Agency general counsel and partner at the law firm Steptoe & Johnson, said most cybercrimes are committed on compromised machines inside the United States but that many attacks come from China and some Eastern European countries.
He said the Council of Europe's Convention on Cybercrime -- which applies a single cyberlaw to all Council of Europe countries as well as the United States, Canada and other countries -- is the closest thing to a cohesive international law that exists today but that it is still far from enough.
"The problem is the law dates back to the '80s and only deals with a limited number of attacks and exploits. It's not a complete legal response," he said.
Beyond hacking the hackers or waiting for international laws to adapt to the changing times, security experts should encourage organizations to reinforce and update their current security methods, regularly monitor for suspicious activities and purge their systems and servers of unnecessary software applications, Mr. Richards said.
"When people enter my network, what applications and technologies am I expecting them to see? Is my network configured with that environment to allow only that kind of transaction? Start weaning out things you don't need," he said.
For instance, if a manufacturing company had a Web page allowing customers to make orders, there shouldn't be an application allowing users to like the company on Facebook on the same page.
But even the most comprehensive network security available today will see a hack at some point, said Karl Vokman, chief technology officer of Chicago-based information technology company SRV Network Inc.
"It doesn't matter that we're making our best effort," Mr. Volkman said. "It's like Fort Knox. Someone's going to break into it eventually."
First Published: July 1, 2011, 4:00 a.m.
