
A plethora of solutions

Johannesburg, 19 Feb 2001

Most known security risks can be addressed. A security policy that does not take into account the possibility of cracking passwords is vulnerable to internal and external attack.

It is possible to create "uncrackable" passwords - if one is aware of the character set typically used by password crackers, and uses, for example, extended ASCII characters (obtained by using Alt-numeric codes) in all passwords. A security policy should also dictate mandatory and frequent password changes. At the same time, says Kuchelmeister, if a company gives its employees 10 different passwords, chances are that they'll be written down under the keyboard and in the top drawer - defeating the point entirely. Single sign-on and strict user authentication should form part of a security solution.
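The point about character sets can be checked rather than taken on faith. The following is an added example (not code from the article or from any of the people quoted in it) that lets a policy author see how a candidate password fares against an assumed brute-force character set: which character classes it uses, how large the resulting search space is, and whether it contains any character the assumed cracker alphabet never generates. The 94-character printable-ASCII cracker alphabet, the 128-character size of the "extended" class and the guess rate are all assumptions made for the example.

```python
import math
import string

# Character set a brute-force password cracker is assumed to try by default
# (an assumption made for this example, not a figure from the article):
# the 94 printable, non-whitespace ASCII characters.
DEFAULT_CRACKER_CHARSET = frozenset(
    string.ascii_letters + string.digits + string.punctuation
)

# Character classes used to estimate the alphabet a password draws from.
# The "symbol" class covers ASCII punctuation plus the space character.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# Assumed size of the "extended" class: characters outside 7-bit ASCII such as
# those entered with Alt-numeric codes. 128 is the upper half of an 8-bit code
# page; a modelling assumption, not a value from the article.
EXTENDED_CLASS_SIZE = 128


def character_classes(password: str) -> set:
    """Return the names of the character classes the password uses."""
    used = set()
    for ch in password:
        if ord(ch) >= 128:
            used.add("extended")
            continue
        for name, members in CLASSES.items():
            if ch in members:
                used.add(name)
                break
        else:
            # Remaining ASCII control characters are lumped in with symbols.
            used.add("symbol")
    return used


def alphabet_size(password: str) -> int:
    """Size of the union of the classes the password uses."""
    sizes = {name: len(members) for name, members in CLASSES.items()}
    sizes["extended"] = EXTENDED_CLASS_SIZE
    return sum(sizes[name] for name in character_classes(password))


def keyspace_bits(password: str) -> float:
    """Bits of search space for a brute force that knows which classes are used."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def chars_outside(password: str, charset=DEFAULT_CRACKER_CHARSET) -> set:
    """Characters of the password that the cracker's alphabet never generates."""
    return {ch for ch in password if ch not in charset}


def exhaust_seconds(password: str, guesses_per_second: float,
                    charset=DEFAULT_CRACKER_CHARSET):
    """Worst-case time for a fixed-length brute force over `charset` to reach
    the password, or None if the alphabet cannot produce it at all."""
    if chars_outside(password, charset):
        return None
    return len(charset) ** len(password) / guesses_per_second


def policy_report(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise how a password fares against the assumed cracker alphabet."""
    return {
        "length": len(password),
        "classes": sorted(character_classes(password)),
        "keyspace_bits": round(keyspace_bits(password), 1),
        "outside_cracker_charset": sorted(chars_outside(password)),
        "exhaust_seconds": exhaust_seconds(password, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample passwords; the second contains an extended character.
    for sample in ("Passw0rd!", "Passw0rd\u00f1!"):
        print(sample, policy_report(sample))
```

A password that contains a character outside the assumed alphabet reports `exhaust_seconds` as `None`: a brute force restricted to that alphabet never reaches it, which is the property the article's "uncrackable" password relies on. The caveat a policy author should keep in mind is that this holds only against that alphabet; a cracker configured with a wider one turns `None` back into a finite, if larger, number.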

A security policy should have strict rules and controls over modems on a network. Any employee can install and use a modem nowadays - it's as easy as plugging it in and dialling.

Content filtering is a bone of contention, and many security consultants disagree over the extent to which it should be used.

Holton believes that blanket content filtering is appropriate for companies. He considers content filtering not only a tool for intrusion detection, but also believes that companies can protect themselves from potentially damaging racist, sexist and otherwise offensive communication. He goes so far as to suggest that people who don't explicitly need them should be banned from receiving .gif or .jpg attachments.

Most other security experts feel this is going too far. Kuchelmeister's experience in this regard is not unique, and many others point out that over-zealous content blocking can do more harm than good. Should one block messages containing the phrase "I love you" for fear of virus infection when a message like "I love your proposal and would like to buy a million of those widgets nobody else has been buying" could get lost in the process?

Several organisations are proposing standards for security practices. These will certify a company's security status much like the ISO9000 series does for other business processes.

Says Sensepost's Temmingh: "Implemented properly, standards like BS 7799 can significantly further a company's IT security objectives, but we'd caution that this is not the only available security standard today. It is important for an organisation embarking on the long and hard (and expensive) route to certification to understand what the envisaged security standard will offer them and their business partners in the long run."

Encryption - boon or bane?

A contentious issue in the security field is that of encryption.

Harrison: "Encryption is definitely on the rise. There isn't an Internet Web site today that does any serious amount of business that isn't 128-bit SSL protected. On the Internet it's the norm. Internally, file and data encryption and secure e-mailing haven't taken off, predominantly because there are holes in a lot of the theories. Companies are hesitant in rolling out certificates because they're not sure it's stored in a secure repository like a smart card. You have to go the whole route, with fully trusted users, to be secure enough, but at the same time encryption needs to be cheap and cost-effective."

Brent Robinson, director, Helpfile Data Recovery

Robinson isn't a believer: "It's always a debatable point, because you can break it. We've had 128-bit encryption that we've cracked at Helpfile during a recovery. And that's supposed to be the security the banks use to do their transactions. They've all got statistics of taking 40 million years of 300 000 of the fastest computers in the world and things like that, but then you get a university student who uses a 486 and takes two days to break it."

He asserts that the real problem is allowing access to data to people who shouldn't have access. "A router can be the ultimate firewall. You can completely block off your internal network from the external network. And that's impenetrable. And it can also be the perfect gateway. I wouldn't say encryption is the way to go. It will just slow your performance down. I think you should just have a better network design. People shouldn't get at your data in the first place. They shouldn't have a chance to break that encryption."

Other objections are that encryption is restrictive, and places an undue burden on IT management. Worse, it can conflict with anti-virus tools and intrusion detection scanners. Harrison believes that a correctly managed encryption implementation is not only workable - if you choose the right partners and standards-based products - but can be a business enabler because of the higher level of trust and privacy customers and business partners can be assured of.
