Security Corner


Japan plays network security catch-up

by Neil van Wouw

"Companies that have been hacked get it real quick," explains Jeff Moss, Director of Professional Services for Secure Computing. He is lamenting the fact that so many corporations do not yet clearly understand the need for a comprehensive network security policy. Moss and his colleagues were in Tokyo to give a seminar on network security together with their Tokyo Partner, Vertex Link.

Judging from the standing-room-only crowd of over 350 professionals, there is certainly interest in the topic. The highlight of the day was a live demonstration of hacking into an NT server, showing just a couple of the many security weaknesses that are typical in a default configuration. Moss simulated an attack over the Internet and in minutes had modified a Web page on the server to show the site had been hacked. Next, Colin Smillie, technical director for Secure Computing Asia Pacific, simulated an attack from within, driving home the point that networks are even more vulnerable to attacks by disgruntled employees, short-term staff, and even guests.

Japan's security awareness

How does network security awareness in Japan compare to that in other countries? The news is not good. NTA Monitor Ltd., a British network security company, spent several months last year collecting data from over 65,000 servers directly connected to the net in 11 European countries and Japan. By simply querying name servers to see what e-mail server software and version they were running, the researchers were able to identify servers running software with known security holes. The results were astonishing. They found that 90% of Unix mail servers in Japan were running software with security holes that could easily be exploited to take over the server and launch further attacks against the network. This was much higher than the average of 42% for all 12 countries.
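The same version check can be turned on an organisation's own mail hosts. The following is an added example, not part of the original article or the NTA Monitor survey: it parses SMTP greeting banners already recorded by an inventory job and flags versions below a patched minimum. The banners, host names and minimum versions are all constructed for illustration.

```python
import re

# Constructed policy table: lowest version treated as patched, per product.
# Placeholder values for illustration, not taken from any advisory.
MIN_PATCHED = {"sendmail": (8, 9, 3), "exim": (2, 12)}

# Constructed SMTP greetings, as an inventory job might record them
# from an organisation's own mail hosts.
SAMPLE_BANNERS = {
    "mx1.example.jp": "220 mx1.example.jp ESMTP Sendmail 8.8.5/8.8.5; Mon, 1 Mar 1999 10:00:00 +0900",
    "mx2.example.jp": "220 mx2.example.jp ESMTP Sendmail 8.9.3/8.9.3; Mon, 1 Mar 1999 10:00:02 +0900",
    "mx3.example.jp": "220 mx3.example.jp ESMTP Exim 2.05 #1 Mon, 1 Mar 1999 10:00:04 +0900",
    "mx4.example.jp": "220 mx4.example.jp ESMTP ready",
}

BANNER_RE = re.compile(r"\b(sendmail|exim)\s+(\d+(?:\.\d+)*)", re.IGNORECASE)

def parse_banner(banner):
    """Return (product, version tuple), or None if the banner names neither."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split("."))
    return m.group(1).lower(), version

def classify(banner):
    """'outdated', 'patched', or 'undisclosed' when no version is advertised."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "undisclosed"
    product, version = parsed
    return "patched" if version >= MIN_PATCHED[product] else "outdated"

def audit(banners):
    return {host: classify(banner) for host, banner in banners.items()}

def outdated_share(report):
    """Fraction of hosts that disclose a version and are below the minimum."""
    disclosed = [s for s in report.values() if s != "undisclosed"]
    return sum(s == "outdated" for s in disclosed) / len(disclosed) if disclosed else 0.0

if __name__ == "__main__":
    report = audit(SAMPLE_BANNERS)
    for host, status in sorted(report.items()):
        print(f"{host:16} {status}")
    print(f"outdated share of disclosed versions: {outdated_share(report):.0%}")
```

A host reported as "undisclosed" is not thereby shown to be patched; it only means the greeting no longer advertises the version to anyone who asks.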

The incidence of attacks on networks worldwide is on the increase. With companies increasingly connected to the Internet, attacks can be launched from anywhere in the world, making detection harder and prosecution impractical. There is a proliferation of widely available software that can be downloaded off the Internet for free and used to attack networks, giving rise to the term "Script Kiddies" to describe cracker wannabes who download attack programs and break into networks without any real technical understanding of what they are doing. Many of these attack tools have been localized as well. There are even Japan-specific lists of common passwords to be used by popular password cracking software, such as L0phtCrack.

Of more concern, though, is the increasing sophistication of organized groups that are breaking into networks for profit. Attacks of all kinds, from theft of credit card information on e-commerce sites to industrial espionage, are on the rise. The outlook is even bleaker when you realize that more than half of all security breaches are inside jobs. Networks need to be protected from the inside as well as the outside.

"Security problems are increasing faster than security professionals can solve them," states Moss. The simple fact is that not enough programmers are sufficiently aware of security issues to be able to write programs that have no security flaws. This is one of the reasons we see new software introducing the same security holes again and again as upgrades are made.

Firewalls: present but ineffective

Few companies have the resources to keep a team of trained security professionals on staff, so they have little choice but to look outside their organization for help. A security consultant will typically help by assessing the current network security and the risks facing it, assist with the development of a network security policy, and implement the policy. Choosing the right security consultant is essential. Horror stories abound of firewalls installed in a client's network, but then configured incorrectly. Smillie estimates that as few as 40% of firewalls are properly configured to be secure.

Assessment really boils down to answering two questions: What needs to be protected, and what are the threats? Although these sound like easy questions, determining what needs to be protected is more difficult than you might think. Mission-critical databases obviously need protection, but many companies are quick to overlook the e-mail server, to name one example. Corporate e-mail may contain information on company secrets that in the wrong hands could have significant value. Although it is hard to put a precise economic value on such information, just knowing that a company is planning a new product or marketing campaign may be of huge value to a competitor.

Network security policy is key

The next step is to develop a network security policy. This requires support at the highest levels of the organization if there is to be any hope of enforcing it. A proper policy is key to effective network security. Moss noted that when they were asked to perform an intrusion test as part of an assessment, they were able to break into their clients' networks 100% of the time for customers who did not have an existing network security policy.

The policy should address issues such as passwords: what are the rules for choosing them and for changing them? Better yet, the policy might even dictate that only one-time passwords are allowed, requiring employees to carry a small device that can generate a password each time they want to log on to the network. This prevents passwords from being easy to guess, carelessly left lying around, or from being shared. Fixed passwords are one of the biggest nightmares for security professionals.

Detection

Since it is impossible to make a network 100% secure, the policy must also deal with intrusion detection: how to detect a break-in or even an attempted break-in. Often there are tell-tale signs that someone is looking for security flaws in a network. These can trigger alarms and notify network administrators before a break-in occurs.

When a breach of security actually happens, the company must have a clear plan of action. Whether the company places a higher priority on prosecuting intruders or just protecting the data will have implications for how the incident is handled. Prosecuting an intruder might mean that confidential log files and data will have to be shown and explained to numerous people during the course of a trial. The risks here may outweigh the benefits. Just admitting that a security breach occurred might reflect badly on the company and be used against it by competitors (see "Hacking the Hackers" in last month's CJ - Ed.).

Security audit

After developing and implementing a comprehensive network security policy, it might be a good idea to get another consultant to perform an audit. The purpose would be to validate the policy and its implementation, and from time to time assess how well the policy is being followed. Any policy will be completely useless if it is not actually being followed.

We can expect the security consulting industry in Japan to grow significantly as corporations start paying more attention to network security. Secure Computing will open an office in Japan in June, which will likely become the new Asia Pacific regional office, replacing Sydney. This speaks to the size and importance of the Japanese IT market and the need for security solutions here.

On another front, some insurance companies in the US have started to insure networks against intrusions and loss of data. So far the policies are so restrictive as to make them virtually useless, but we can expect to see them improve over time as they get a handle on how to quantify the risk. Banks are already required to have security audits and these audits can affect the bank's credit rating. Dropping down one rank as a result of a sloppy security policy has an immediate bottom-line effect on the interest rates that a bank faces to borrow money. Perhaps we'll see standardized audits that result in security ratings for all corporations. The security rating could affect insurance premiums as well as which companies would be willing to work with the organization. This kind of economic incentive may be what is needed to finally get companies to give network security the attention it deserves.

Neil van Wouw is a Tokyo-based network consultant. Contact him at neil@vanten.com, or subscribe to his monthly VanTrends newsletter at http://www.vanten.com.


