The NYT has an article today about the rise in online extortion, where someone contacts a business with threats to disrupt the business via online activities unless a payment is made: The Rise of the Digital Thugs - New York Times.

EARLY last year, the corporate stalker made his move. He sent more than a dozen menacing e-mail messages to Daniel I. Videtto, the president of MicroPatent, a patent and trademarking firm, threatening to derail its operations unless he was paid $17 million.

What happened to MicroPatent is happening to other companies. Law enforcement authorities and computer security specialists warn that new breeds of white-collar criminals are on the prowl: corporate stalkers who are either computer-savvy extortionists, looking to shake down companies for large bribes, or malicious competitors who are trying to gain an upper hand in the marketplace.

One point the article blithely skims over is the role of the victim's approach to managing information technology may make it susceptible to such attacks. Now, in no way am I blaming the victim here, I don't know all the circumstances, and what the criminal did was illegal, however if you don't manage your I/T well and don't approach it as a critical business asset, you do make your organization susceptible to compromise and attacks. In this case the company had grown quickly through acquistions and (allegedly) not been careful with the remnants of the acquiree's networks. The extortionist managed to use one of these networks to gain access to the company's internal business systems, and that was the ballgame.

At a former employer, we had many discussions and arguments over the years in the 1990s over how to integrate (and some times segregate) the many internal networks, let alone the process to integrate the networks of an acquistion. In one meeting of the internal ICC, the lead I/T guy from a recent acquisition surprised and upset the rest of the ICC crew by declaring that he would not open his network up to the company-wide network but would instead firewall it off and only open select ports and specific systems. The reason he gave was surprising but understandable: no one could give him a precise accounting of who was on the internal company-wide network. In as much as it upset many people, it also started several other groups on the same track: since the company had not funded any sort of company-wide management of the internal network, and each of these guys was responsible for their small segment, they decided to ratchet down the connections to the rest of the intranet. I suspect that, for awhile, it helped control damage from some of the widespread worms, though not necessarily prevent it.