
A list of threats as long as your arm


Johannesburg, 20 Feb 2001

The range of associated threats and risks is immense, and many of them seldom even enter the discussion when one mentions information security.

Everyone has heard of Web site vandalism. Distributed denial-of-service attacks have hit the headlines so often that they're no longer big news. But how many companies consider the information stored on their voice-mail systems in their security strategy?

A report from security consultancy @stake, publisher of the L0phtcrack "security auditing" software, warns of the dangers:

"Voice-mail systems and answering machines are an important part of the corporate information flow. However, they are frequently left unprotected and are overlooked when performing security assessments. Access to these systems may yield valuable information and may assist attackers to further their attacks on the company's computer infrastructure."

It goes on to detail various ways in which voice-mail systems can be compromised, and even offers software tools to do so.

Since 1983, the concept of war-dialling has been known to security firms as a serious concern, yet few companies protect against it. War-dialling is a procedure in which attackers have a computer dial a given set of telephone numbers. If a number is answered by a modem, it is logged for further penetration attempts. Many dial-up modem banks and dial-up Internet users are unprotected against such dial-in attacks, and war-dialling also reveals backdoors into seemingly secure systems.

Roelof Temmingh, technical director at Sensepost, says Web site vandalism is often petty. "However, if someone gets onto the site, and changes, for example, a news story, to say that the MD has resigned, this could cause major financial damage. The share price might go down, and the attacker could exploit this to fraudulently make a lot of money."

Kuchelmeister relates a case at a large German pharmaceutical company secured by his company: "They had a firewall, intrusion detection, everything. They found out that some of the employees accessed Web pages that contained sport or sexual things. So the company added a content filter, a URL blocker, to their security system to prevent these employees from accessing these Web pages. One of the employees got around it by installing a modem on the internal network, just to have access again. By installing this modem, he created a big security hole."

This highlights two threats. One is that a modem on an internal network bypasses the corporate security policy implemented at significant expense. The other is that trying to exert excessive control over employees, however well intentioned, can backfire spectacularly, an issue that will be addressed in more detail below.

Yet another potential security risk is the use of sniffers and password crackers.

Grayford Holton, of Holton & Associates, a security consultancy, points out that it takes no expertise to employ these tools nowadays. Applications to take the technical mystery out of sniffing and password cracking are freely downloadable from the Internet, and can be operated by anyone in an organisation.

Cracking the administrator password for a typical Windows NT network can take anything between 15 minutes and three days, according to Kuchelmeister. Once someone has access to the password, corporate information is at obvious and considerable risk.

Industrial espionage is another spectre that concerns an increasing number of companies worldwide. While defence departments have been paranoid about this for decades, many corporates do not take adequate precautions in this regard.

Says Brent Robinson, director at Helpfile Data Recovery: "We've got a client who's been hit six times by corporate sabotage - and it's clear as day that it's corporate sabotage - and it put that company on their knees when it happens. The attack was external: two competitors going at each other. And if you look at the industry they're in, the other company has hired some very skilled people to do what they're doing."

And whose fault is it? "That's data loss due to a remote access," says Robinson. "It's the responsibility of the company being hit: they're opening their systems completely to the public. And there's a lot of things you can do to prevent that."

A larger-scale example is provided by Kuchelmeister. Several years ago, a large German telecommunications company attempted to enter the Chinese market with a proposal. This was a new and very important market for the firm. According to Kuchelmeister, the proposal was sent to representatives in China by e-mail, unencrypted. "The French government sniffed the data, and a French company did the deal as a result, because they were able to offer a lower price."

The financial losses incurred can be astronomical - and can go completely unnoticed, especially when the systems in question aren't sufficiently secured and monitored in the first place.
