Battening down the hatches

Information security is inherently complex, but is fast becoming a business distinguisher and even a matter of basic survival. Achieving security goals is possible even without big budgets.
By Ivo Vegter, Contributor
Johannesburg, 19 Feb 2001

It is hard to remain cool and cynical when researching computer security issues. The overwhelming impression is that the dangers are common, and the financial risks immense.

At the same time, one deplores the hype and hysteria that surround many security-related reports and problems. Security consultants conjure up evil bogeymen in cyber-space, and many high-profile incidents on closer inspection prove to be the least of a company's real security worries.

Where does one begin?

Valuing information and assessing the risk

It is well-nigh impossible to lock down everything the way companies used to when all they needed was a safe and a watchful security guard. Physical security is still important, but as Horst Kuchelmeister, a security expert at Avaya, formerly the Enterprise Networks Group of Lucent Technologies, points out, today companies need to combine firewalls, anti-virus software, enhanced user authentication, access control, encryption, threat assessment, logging, reporting, alerting, single sign-on, and certification - to name only the most important elements of an information security strategy.

And they still won't be 100% secure. The best place to begin is to establish what your corporate information is worth. The more it's worth - to you, to competitors, to anyone else - the better it needs to be protected.

In auditing corporate information for valuation purposes, one needs to consider a number of issues.

How much of your organisation's intellectual property does the information represent? Securing data that anyone can obtain elsewhere is pretty pointless. But guarding against the loss of, for example, business process and procedure documentation compiled at exorbitant cost by a team of consultants is rather more important.

How much of your current and future revenue is influenced by the information? Your sales leads database needs to be accessible to your sales staff - perhaps even while they're on the road. But can you afford to lose it? Worse, can you afford it if a competitor were to get hold of it?

How private is the information? There are documented cases of disgruntled employees who obtained a full payroll list and published it online. High-profile cases of credit card number theft and publication are well known. Can you afford the consequences of such a glaring breach of privacy?

Frank Rizzo, a security expert at consulting house KPMG, says security risks are not limited to financial damage. Dented credibility, reputation and corporate image have to be considered too.

In addition, one must consider the potential risk to human life and limb. Damage caused by failure or attack on a company's network has the potential to result in much more than dented pride. Examples abound of industrial accidents - some costing lives - caused by damage sustained as a direct result of systems failure or attack.

"It isn't possible to eliminate risk," Rizzo says. "But it certainly can be - and has to be - managed."

Prioritising the importance of data is especially important for small and medium-sized companies that may not be able to afford the highest levels of information security.

"The minimum needed nowadays," says Kuchelmeister, "is a firewall, anti-virus and intrusion detection. Not company-wide intrusion detection, because it gets expensive to protect every desktop, but at least on the important machines like the Web server, and the firewall management server."

A list of threats as long as your arm

The range of associated threats and risks is immense, and many of them seldom even enter the discussion when one mentions information security.

Everyone has heard of Web site vandalism. Distributed denial-of-service attacks have hit the headlines so often that they're no longer big news. But how many companies consider the information stored on their voice-mail systems in their security strategy?

A report from security consultancy @stake, publisher of the L0phtcrack "security auditing" software, warns of the dangers:

"Voice-mail systems and answering machines are an important part of the corporate information flow. However, they are frequently left unprotected and are overlooked when performing security assessments. Access to these systems may yield valuable information and may assist attackers to further their attacks on the company's computer infrastructure."

It goes on to detail various ways in which voice-mail systems can be compromised, and even offers software tools to do so.

Since 1983, the concept of war-dialling has been known to security firms as a serious concern, yet few companies protect against it. War-dialling is a procedure whereby attackers have a computer dialling a given set of telephone numbers. If the number is answered by a modem, the number is logged for further penetration attempts. Many dial-up modem banks and dial-up Internet users are unprotected against such dial-in attacks, and war-dialling also reveals backdoors into seemingly secure systems.

Roelof Temmingh, technical director at Sensepost, says Web site vandalism is often petty. "However, if someone gets onto the site, and changes, for example, a news story, to say that the MD has resigned, this could cause major financial damage. The share price might go down, and the attacker could exploit this to fraudulently make a lot of money."

Kuchelmeister relates a case at a large German pharmaceutical company secured by his company: "They had a firewall, intrusion detection, everything. They found out that some of the employees accessed Web pages that contained sport or sexual things. So the company added a content filter, a URL blocker, to their security system to prevent these employees from accessing these Web pages. One of the employees got around it by installing a modem on the internal network, just to have access again. By installing this modem, he created a big security hole."

This highlights two threats. One is that a modem on an internal network bypasses the corporate security policy implemented at significant expense. The other is that trying to exert excessive control over employees, however well intentioned, can backfire spectacularly, an issue addressed in more detail below.

Yet another potential security risk is the use of sniffers and password crackers.

Grayford Holton, of Holton & Associates, a security consultancy, points out that it takes no expertise to employ these tools nowadays. Applications to take the technical mystery out of sniffing and password cracking are freely downloadable from the Internet, and can be operated by anyone in an organisation.

Cracking the administrator password for a typical Windows NT network can take anything between 15 minutes and three days, according to Kuchelmeister. Once someone has access to the password, corporate information is at obvious and considerable risk.

Industrial espionage is another spectre that concerns an increasing number of companies worldwide. While defence departments have been paranoid about this for decades, many corporates do not take adequate precautions in this regard.

Says Brent Robinson, director at Helpfile Data Recovery: "We've got a client who's been hit six times by corporate sabotage - and it's clear as day that it's corporate sabotage - and it put that company on their knees when it happens. The attack was external: two competitors going at each other. And if you look at the industry they're in, the other company has hired some very skilled people to do what they're doing."

And whose fault is it? "That's data loss due to a remote access," says Robinson. "It's the responsibility of the company being hit: they're opening their systems completely to the public. And there's a lot of things you can do to prevent that."

A larger-scale example is provided by Kuchelmeister. Several years ago, a large German telecommunications company attempted to enter the Chinese market with a proposal. This was a new and very important market for the firm. According to Kuchelmeister, the proposal was sent to representatives in China by e-mail, unencrypted. "The French government sniffed the data, and a French company did the deal as a result, because they were able to offer a lower price."

The financial losses incurred can be astronomical - and can go completely unnoticed, especially when the systems in question aren't sufficiently secured and monitored in the first place.

Beware of insiders and infiltrators

Distributed denial-of-service attacks can be very costly - especially to companies that engage in e-commerce online. Web site defacement can be very damaging to a company's corporate image. Hacker attacks can be costly and embarrassing, as Microsoft recently discovered. But the single biggest cause of corporate information loss is activity by a company's own employees. The next most dangerous threat is Trojan horses.

Internal threats to a network come in two main forms: ignorance, and malicious intent.

A recent study in the US, by the Computer Security Institute, jointly conducted with the Federal Bureau of Investigation, estimates the cost to a company of an outside hacker penetration at $56 000. That's a lot of money, but pales into insignificance when compared with insider attacks, valued at an average of $2.7 million - and they happen more frequently.

"Some 80% of company fraud and malicious attacks happen internally," says Stuart Harrison, pre-sales tech consultant at RSA Security.

Robinson points out that many computers do not have private information stored on them. It is not easy for an external hacker to find valuable information. Insiders, however, know where everything is. For a sales person to take his employer's leads list with him when he leaves the company is as simple as e-mailing a file to an external e-mail account, or burning a CD. It is equally easy for a disgruntled employee to publish HR records online.

"And then there's human error," he says, explaining why people lose data. "Education is a major problem. Only about 2% of people using data - even in the IT industry - know how to manage their data properly."

Despite the clear need for protection against insiders, most security products focus on external attacks. Firewalls, access control, virus scanners, content scanners, even public key encryption are all largely designed to protect internal data from compromise by outsiders.

How should this disparity be addressed? Harrison offers some suggestions:

"It is possible to secure shared information. Everyone today logs on with a user name or password, and the industry needs to move away from it. There's no validation and strong authentication, so you can't tie people to events. There's a big move towards automated auditing and tracking of who does what and how. Companies need to create a level of accountability for employees. Techniques like tokens, smart cards, biometric authentication - these aren't yet pervasive, and haven't been especially stable. But users must have a token, and a private pin, as they do with credit cards. And employees need to have this methodology drilled into them. There has to be a business policy in place to police security breaches. It's not just about technology, it's about business processes. You wouldn't leave a signed cheque lying around. It's the same with tokens."

Kuchelmeister believes that externally, Trojan horses are by far the most dangerous. They're hard to detect, and because they end up running on the internal network, they assume the trusted status normally reserved for employees and legitimate software. The firewall and other security products have no idea that they're allowing an intruder to send information out of the network.

"If I would like today to get some information from some huge company, I'd really choose to use a Trojan horse," he says. "Or it depends - you need to see how much the development of a Trojan horse costs. You need some good programmers to develop it, so the Trojan horse is not known to the anti-virus scanner. Is it worth investing, for example, $40 000 to make a Trojan horse, or should one pay someone $10 000 to get the information? There are always people in the company; there's always corruption. And the hacker needs to find the balance: what's the cheaper and more effective way to get the information. I would say a Trojan horse is ideal for things like turning on a microphone and recording a whole session of a management meeting. It's very dangerous."

A plethora of solutions

Most known security risks can be addressed. A security policy that does not take into account the possibility of cracking passwords is vulnerable to internal and external attack. It is possible to create "uncrackable" passwords - if one is aware of the character set typically used by password crackers, and uses, for example, extended ASCII characters (obtained by using Alt-numeric codes) in all passwords. A security policy should also dictate mandatory and frequent password changes. At the same time, says Kuchelmeister, if a company gives its employees 10 different passwords, chances are that they'll be written down under the keyboard and in the top drawer - defeating the point entirely. Single sign-on and strict user authentication should form part of a security solution.

A security policy should have strict rules and controls over modems on a network. Any employee can install and use a modem nowadays - it's as easy as plugging it in and dialling.

Content filtering is a bone of contention, and many security consultants disagree over the extent to which it should be used.

Holton believes that blanket content filtering is appropriate for companies. He considers content filtering not only a tool for intrusion detection, but also believes that companies can protect themselves from potentially damaging racist, sexist and otherwise offensive communication. He goes so far as to suggest that people who don't explicitly need them should be barred from receiving .gif or .jpg attachments.

Most other security experts feel this is going too far. Kuchelmeister's experience in this regard is not unique, and many others point out that over-zealous content blocking can do more harm than good. Should one block messages containing the phrase "I love you" for fear of virus infection when a message like "I love your proposal and would like to buy a million of those widgets nobody else has been buying" could get lost in the process?

Several organisations are proposing standards for security practices. These will certify a company`s security status much like the ISO9000 series does for other business processes.

Says Sensepost's Temmingh: "Implemented properly, standards like BS 7799 can significantly further a company's IT security objectives, but we'd caution that this is not the only available security standard today. It is important for an organisation embarking on the long and hard (and expensive) route to certification to understand what the envisaged security standard will offer them and their business partners in the long run."

Encryption - boon or bane?

A contentious issue in the security field is that of encryption.

Harrison: "Encryption is definitely on the rise. There isn't an Internet Web site today that does any serious amount of business that isn't 128-bit SSL protected. On the Internet it's the norm. Internally, file and data encryption and secure e-mailing haven't taken off, predominantly because there are holes in a lot of the theories. Companies are hesitant in rolling out certificates because they're not sure it's stored in a secure repository like a smart card. You have to go the whole route, with fully trusted users, to be secure enough, but at the same time encryption needs to be cheap and cost-effective."

Robinson isn't a believer: "It's always a debatable point, because you can break it. We've had 128-bit encryption that we've cracked at Helpfile during a recovery. And that's supposed to be the security the banks use to do their transactions. They've all got statistics of taking 40 million years of 300 000 of the fastest computers in the world and things like that, but then you get a university student who uses a 486 and takes two days to break it."

He asserts that the real problem is allowing access to data to people who shouldn't have access. "A router can be the ultimate firewall. You can completely block off your internal network from the external network. And that's impenetrable. And it can also be the perfect gateway. I wouldn't say encryption is the way to go. It will just slow your performance down. I think you should just have a better network design. People shouldn't get at your data in the first place. They shouldn't have a chance to break that encryption."

Other objections are that encryption is restrictive, and places an undue burden on IT management. Worse, it can conflict with anti-virus tools and intrusion detection scanners. Harrison believes that a correctly managed encryption implementation is not only workable - if you choose the right partners and standards-based products - but can be a business enabler because of the higher level of trust and privacy customers and business partners can be assured of.

Enough already! Get to the point

If there's one thing that should be clear by now it's that security is far from being a simple issue. A corporate security policy should start by appointing a trusted champion (to abuse a much-abused term) for the effort. All trust-relations in a security policy are implicitly inherited. So if the responsibility for security is left to an employee, the first question that must be asked is how that employee can be guaranteed to be trustworthy.

Despite this obvious chink in the security armour of companies, only 2% of South African companies have a director-level dedicated information security officer, according to the most recently available BMI-TechKnowledge figures. Most leave security to the IT department. From a corporate governance point of view, this is very worrying indeed: it shows that most companies aren't taking due responsibility for the protection of their most valuable asset and competitive advantage in the modern economy - information.

Kuchelmeister points out a key consideration: security does not consist of standalone products. A firewall does not make companies secure. Neither does a firewall and anti-virus and intrusion detection. One needs an integrated, high-level approach to security.

Avaya, Kuchelmeister's employer, is a good example. It creates virtual private network (VPN) security and firewall management products. Yet, it sells consulting services, and actively recruits partners to offer a tightly integrated solution.

"Once you have a whole solution it's very, very easy to beat the competition," he explains. "They're only trying to sell their product, while I talk also about intrusion detection, for example. It's not our product, but it's a part of our solution, so the customer understands that we understood security, and then they'll buy our part of the security solution - which is VPN security and firewalls."

He describes the lifecycle of information security as starting with risk assessment and information valuation. This will determine the overall security strategy, as defined in a documented security policy. A network audit based on the security policy will show where the security holes are, and what forms of protection are required to address these.

"Thus far," says Kuchelmeister, "we've talked about the high-level business case, and not individual products."

Once security requirements have been determined, a roadmap must be designed. "You can't install security within a month," he says.

It is only at this stage that decisions on actual products and implementation can occur.

The next step is to train and educate users. The simplest issues sometimes compromise a security policy: passwords are written down; Trojan horses received as executable attachments to e-mail are opened; confidential information is unwittingly given to untrusted external parties.

Decisions about hiring competent security staff, or outsourcing IT security also need to be made at this point. Monitoring tools can now be implemented to analyse log files, for example, and to continually check that security levels are maintained according to the security policy. Recovery plans need to be put in place.

Once this process is complete, the information infrastructure is secure. But since any network is likely to evolve and change rapidly, the process starts again.

But if there's one lesson that companies should take to heart, it is that information security is a full-time job.

Can you afford it?

The usual concern is one of cost. Can companies afford the security infrastructures they need?

For large organisations, this is a moot point. Can they afford not to secure their most valuable corporate asset? They have the resources to partner with a high-level consulting firm or a network security company to cover all the bases and put shareholder concerns to rest.

But what about the thousands of small and medium companies out there? Many of them can't even afford a full-time network administrator, let alone a security officer. Can they afford security?

Again, the question should be "Can they afford not to secure their information?"

Robinson suggests that the business risk may be comparatively greater for small companies. Big companies can often absorb a financial hit that would put small companies out of business. "The SME market requires solutions. And it's actually probably more important. There are solutions that are available out there that are not sold, because they may not be quite as profitable. I think consultation fees for security should come down: everybody needs it. There are solutions out there which an SME company can afford - that will make them completely secure."

Says Harrison: "There is a lot of freeware and shareware available on the market. There are a lot of people who are taking security toolkits and developing some pretty nifty applications and software. A lot of the big software vendors incorporate products from RSA and other security features. There's a lot that companies can do. Pick the technology that you think can run with a relative amount of safety. Security is complex and expensive, but there is a growth plan too. So it can scale up, and there's a lot the small and medium business can do. Attend security workshops: knowledge is very valuable, and can really give them strong building blocks to build a secure architecture."

The bottom line is that security is essential for any company that relies on information. It is not a simple process. It is not something that can be achieved by simply installing a security product or two. But despite the inherent complexity and the need for a high-level, holistic approach, achieving information security goals is possible even for smaller companies without big budgets.