Connect with Confidence
But Prevention is the Best Prescription

The Internet provides connections from your company to the world...and from the world to your company network. Unlike the physical world, there are no "good neighborhoods" on the Internet, no safe havens and no places where a potential attacker cannot at least see your front door.

by Jim Weisser

The virtual world has hackers (white hats), crackers (black hats) and "script kiddies" (young vandals) aplenty, along with millions of other people who are completely indifferent. Does this mean that your company is at risk connecting to the Internet? Certainly, but the rewards in almost all cases significantly outweigh the risks; there is no such thing as completely secure. The amount of security needed is a business decision, based upon informed judgment calls. Similar to hiring full time security guards, installing bars on the windows, or just ensuring that existing doors are locked, a security policy for your network is one piece of your overall security strategy. And a security policy, while the least sexy element of defending your corporate information, is actually the most critical. Additionally, a policy must be a living specification, and address technical threats, non-technical dangers, the kinds of access that will be permitted or denied, and detail the reasons behind those specifications.

The first step in creating a security policy is to make some estimate of the level of risk. If your company is connected to the Internet 24 hours a day, everyone on the Internet has the potential to connect to your company network. Perhaps this doesn't seem like a big concern, but it should. Many smaller businesses believe that, since they are not a major company, they aren't likely targets. While the risk profile is smaller for a small- or medium-sized company, it certainly exists (see sidebar for more details). Most businesses tend to err on the side of caution when designing a security policy; after all, what is the business case for listening to streaming audio at the office? There may be a compelling business need to connect to a partner company, for electronic commerce, say, or data sharing. I strongly recommend that amendments to a security policy be documented, and require senior management approval. This should prevent trivial requests from punching holes in your corporate security implementation, while still allowing for amendments based on true need. After determining business needs, a company must evaluate how to deal with security on a comprehensive level.

The second step in security implementation should be reasonably straightforward, depending on the size of the organization. Large companies will often have a team dedicated to security issues and how they affect the entire organization. How they choose to audit, however, varies from company to company. Many companies believe that outside auditing is preferable to internal auditing, since internal audits can sometimes miss things that are obvious to an outsider. An outside audit team should look for more than just external network attacks. In addition to attempts over the Internet, a good audit team (aka tiger team) will attempt to social engineer personnel, as well as do a physical walkthrough; after all, if someone can physically steal a server, the corporate data is still lost. Larger systems integrators provide services like this, along with some specialized security companies.

Medium-sized companies, while they may not have a team dedicated to security issues, should include security responsibilities in the job description of the senior systems administrator. This administrator may not necessarily have to handle this on a day-to-day basis, but should be able to determine the needs of the corporation, along with developing a risk profile. A medium-sized corporation may decide to outsource security equipment installation, upkeep, and logging to either a systems integrator or an ISP, but manageability should be of major concern. Many intrusions through firewalls occur due to user error, rather than software or hardware failure. Audits should be performed, for the reasons mentioned above, but often are not.

Smaller companies are often in a much greater quandary, as they often do not have dedicated IT personnel. Rather, a small company will have one person who has a regular full-time job, along with being the computer guru. A company this size often does not believe it can afford security and can probably not handle installation of complicated firewall equipment. In this case, outsourcing the security to a third party is the most feasible solution. The third party should, of course, provide for a security policy that matches company needs, as mentioned above, along with providing regular logs and other maintenance as required.

After implementing some sort of hardware/software security solution, there is one critical phase remaining: internal explanation and training. It is crucial to explain to employees (in a non-technical manner) why they can't use the cool new protocol X, and how it is a security concern. Teach them about social engineering (when a cracker calls, claiming to be someone in department X, needing a certain password). Passwords should never be given out on the phone to an unknown person, written on post-it notes on the front of a computer (where any visitor might see them), nor comprise common words, as password-cracking programs are built to use existing language dictionaries. A good password has a mixture of upper and lower case, along with a number and/or punctuation mark in it. Unfortunately, passwords like this are often hard to remember and often lead to the dreaded sticky note syndrome mentioned above. A good suggestion is to have users use the first letters of a phrase to create a password (e.g., if the phrase is "The quick, brown fox jumped over the lazy dogs," the password would be Tqbfjotld, which is not perfect, but certainly reasonably secure).
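The password rules above, turned into a small policy checker (an added example, not code from the article): it builds the first-letters mnemonic from a phrase and reports which of the article's rules a candidate fails. The minimum length of 8 and the tiny word list standing in for a cracker's dictionary are assumptions of this example.

```python
import re

# Constructed stand-in for the language dictionaries that password-cracking
# programs use; a real check would load a full wordlist (assumption).
COMMON_WORDS = {"password", "welcome", "secret", "dragon", "letmein", "fox", "quick"}

MIN_LENGTH = 8  # assumed minimum; the article does not state a length


def phrase_to_password(phrase: str) -> str:
    """Build the article's mnemonic: first character of each word, case kept.

    "The quick, brown fox jumped over the lazy dogs" -> "Tqbfjotld"
    """
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(w[0] for w in words)


def policy_violations(password: str) -> list:
    """Return the rules the password fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("needs both upper and lower case")
    # A digit or any non-alphanumeric character satisfies the article's rule.
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("needs a number or punctuation mark")
    if password.lower() in COMMON_WORDS:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    candidate = phrase_to_password("The quick, brown fox jumped over the lazy dogs")
    # The article's own example fails only the number/punctuation rule.
    print(candidate, policy_violations(candidate))
    print(candidate + "!", policy_violations(candidate + "!"))
```

Appending a single punctuation mark to the mnemonic is enough to satisfy every rule, which is the "not perfect, but reasonably secure" gap the article points at.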

Lastly, remember that internal security is an essential issue; trust your employees, but verify with extensive logging and backups. After all, if a worker can add to a file, he can also subtract from it, potentially destroying its value, and over 50% of data loss/data theft comes from the inside. Require that someone, be it a specified systems administrator or the computer guru, practice restoring from backups on a weekly basis, to confirm that the backup works. Develop a policy for system administrator passwords, preferably storing them in a safe, as you would with other business-critical financial data (note that the passwords should be in a sealed envelope of some type). After all, what happens if the computer guru is hit by a truck?

Connecting to the Internet is one of the best business decisions a company can make, as it has the potential to increase responsiveness to customers, improve overall business communication and otherwise streamline the ways of doing business. Like commerce or communication in any medium, however, there are risks to doing business that must be evaluated. With the Internet, you connect to the world, with all the benefits that brings...and the problems as well.

Types of attacks and defenses

Regardless of the size of your business, there are three common kinds of network attack: denial-of-service, website vandalism, and infiltration/exploitation. Each of these attacks inflicts a different type of damage and requires different precautions. Denial-of-service attacks are the Internet equivalent of slashing tires or breaking windows. Usually performed by teenage vandals known as "script kiddies" (due to both their age and relative lack of experience), these attacks require little skill. Defending against denial-of-service attacks requires keeping up-to-date with current security news, via organizations like CERT (http://www.cert.org/) or its Japanese cousin, JPCERT (http://www.jpcert.or.jp). As a historical note, the "worm" that shut down the Internet in the late 1980s was a denial-of-service attack. More recent attacks include the "ping of death," which can crash the machine it is sent to, and the so-called "smurf" attacks, which use broadcast pings to amplify the damage they can cause.
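The two ICMP attacks named above have recognizable signatures in traffic logs: a ping of death is an ICMP datagram that reassembles to more than the 65535-byte IP maximum, and a smurf attack shows up as echo requests aimed at a network's broadcast address followed by a flood of echo replies converging on one host. The detector below (an added example, not from the article or PSINet) runs over a constructed packet summary; the sample addresses, record format and reply threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample records, not real traffic: (src, dst, icmp_type, total_bytes).
# icmp_type 8 = echo request, 0 = echo reply. Sizes are of the reassembled datagram.
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.0.2.255", 8, 84),     # echo request to our broadcast address
    ("203.0.113.9", "192.0.2.255", 8, 84),
    ("198.51.100.7", "192.0.2.10", 8, 84),     # ordinary ping, nothing to flag
    ("198.51.100.7", "192.0.2.10", 8, 65600),  # reassembles past the IP maximum
    ("192.0.2.20", "203.0.113.9", 0, 84),      # our hosts answering the broadcast
    ("192.0.2.21", "203.0.113.9", 0, 84),      #   ping; the source was the victim's
    ("192.0.2.22", "203.0.113.9", 0, 84),      #   address, so replies pile onto it
]

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local network
MAX_IP_DATAGRAM = 65535


def find_icmp_anomalies(packets, reply_threshold=3):
    """Return alert strings for the ICMP patterns described in the sidebar."""
    alerts = []
    replies_to = Counter()
    for src, dst, icmp_type, size in packets:
        dst_ip = ipaddress.ip_address(dst)
        # Smurf: an echo request addressed to the directed broadcast of our net.
        if icmp_type == 8 and dst_ip == LOCAL_NET.broadcast_address:
            alerts.append("broadcast echo request %s -> %s (smurf amplification)" % (src, dst))
        # Ping of death: reassembled datagram larger than IP allows.
        if size > MAX_IP_DATAGRAM:
            alerts.append("oversized ICMP datagram (%d bytes) from %s (ping of death)" % (size, src))
        if icmp_type == 0:
            replies_to[dst] += 1
    # Many replies from our hosts converging on one address marks the smurf victim.
    for victim, n in replies_to.items():
        if n >= reply_threshold:
            alerts.append("%d echo replies converging on %s (possible smurf victim)" % (n, victim))
    return alerts


if __name__ == "__main__":
    for line in find_icmp_anomalies(SAMPLE_PACKETS):
        print(line)
```

The broadcast-request alerts are the ones a network owner can act on directly: a network that refuses directed broadcasts at its border cannot be used as a smurf amplifier, and the oversized-datagram alert is the case a patched IP stack should already discard.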

Website vandalism is one of the most embarrassing attacks that can happen to an organization, as a vandal can change the way your company's material appears to the world. This kind of attack requires quite a bit more knowledge than a standard denial-of-service attack, as the webserver must be compromised, most often via a CGI program, which connects the webserver software to other software. If the CGI is not written in a secure manner, it is often possible to break into the webserver and change whatever website (or sites) may currently be running. Antionline (http://www.antionline.com) maintains a comprehensive list of sites that have been vandalized, along with the messages that have been left.

The last kind of attack, an infiltration, is a much broader-based attack and there is no one way to defend against it. An infiltration can occur when an attacker gains access to machines on an internal network. This can happen in several ways, including through direct dial-in (via modem) and password cracking, seeing a password posted in the office, masquerading as a person in customer support and asking someone for their password (social engineering), or compromising a webserver and then springboarding to other, unprotected machines. Some potential remedies include good passwords (see article), not allowing modems on the desktop (centralized, secured remote/internet access), and educating employees on what kind of things not to do with their passwords. Encrypting files and e-mail is also a way to minimize damage; though the information is accessible, it won't necessarily be readable to all intruders. Unfortunately, due to US Government export regulations on encryption, it is difficult to use it efficiently throughout an enterprise.

Providing virtual security is a critical component of connecting to the Internet. While the attacks above are not comprehensive, I believe that they clearly demonstrate a range of potential dangers. No system, real or virtual, is 100% secure, but it is impossible to make an informed decision without possessing some concept of what can occur.

Jim is the international project manager with PSINet Japan, and has worked on the Routewaller security planning and response team (SPART). He can be reached at jimbud@jp.psi.net.
