
Security: from firewalls to hackers

"I think that there is a world market for maybe five computers"

Thomas Watson, IBM, 1943

"Because there's so much email passing through a server, [the Melissa virus] is basically taking down the servers"

Srivats Sampath, Network Associates, 1999

When Thomas Watson made his oft-quoted statement in 1943 he couldn’t have been more wrong about how widespread the use of, and reliance on, computers would become.

Today it would be hard to imagine any business operating without computers in some manner, whether they are used for calculation, word processing, data processing, filtering and retrieval, or communication. Of course this dependence on computers and data storage has inevitably led to a situation of vulnerability. Most businesses would suffer a major disruption of their activities if their computers, data or infrastructure were compromised. Such an event, of course, is all too common, but the most likely catastrophe to strike your system is not going to be something like fire or flood. The more usual source would be a deliberate attack of some sort, possibly from the Internet.

The National Computing Centre (NCC) estimates that the total amount of money lost in 1998 in the UK as a direct result of computer security breaches was in the region of £1 billion. A Department for Trade and Industry survey in the UK revealed that 90 per cent of the companies questioned had experienced a serious security breach in the previous 12 months. Earlier this year many of the world’s largest corporations — including giants Microsoft, Intel and Lucent — had to close down their email systems because of infestations by the Melissa virus.

In addition to threats from the Internet, there is also the threat posed by inside agents. In the US, for example, 43 per cent of reported malicious acts were made by employees, an increase of 14 per cent on the previous year. Computer and data security have become major industries as more and more corporate and IT managers realise the need for protection of their systems. Any form of successful data protection has to find the right balance between security and liberty: it has to find a balance between successfully protecting a system while still allowing the people who use the system every day to get on with their work without too many impediments.

Threats to security

The most widely known threat to a computer system is the hacker. Although feared, in the majority of cases the hacker is a non-malicious entity. Most hacking is carried out for the ‘thrill of the chase’: as a sport or an intellectual challenge. In many ways a hacker looks at a security system in the same way that a mountaineer looks at a formidable mountain — it’s a challenge to be overcome.

While the majority of hackers are only in it for the sport, there is a minority who will conduct their hacking with the intent of causing as much damage as they can. The damage inflicted might take the form of destroying files or even locking out legitimate users. Whether or not a particular hack had malicious origins, the real trouble caused by the hacker is the disruption that follows in the aftermath of the security breach: the time and money that will be spent checking the extent of the breach and putting procedures and systems in place in order to prevent a recurrence.

In addition to this disruption at the time of the hack, the loss of credibility must also be considered. When news of the hack becomes public, there is likely to be some effect on the company. Indeed, if the institution or corporation that was hacked relies on any aspect of security to win or to keep business, then it is likely that stringent measures will be taken to prevent the hack from becoming public knowledge. If the outside world were to know, the resulting loss of business might be considerable.

One case that was widely publicised took place in 1994 when Citibank’s cash management system was tapped into by a 34-year-old Russian and his accomplices. The group managed to transfer $10 million out of the bank into other bank accounts around the world. The direct loss to the bank was, of course, the value of the money transferred out. The loss of consequential business, however, has been estimated as being as high as some billions of dollars.

Other common threats to computer security occur when data is being shared across an external, public network. With the increased reliance on the Internet as part of system networks, there are scores of ways in which a hacker can make a system powerless.

A hacker could, for example, take advantage of weaknesses in the operating system to gain access to the network and lock users out. Or the hacker could make the host computer reboot, or could use up system resources so that the system is effectively reduced to operating at a walking pace. For a company relying on the computer network for its day-to-day business as an intranet, or for e-commerce, this denial of service is as serious as a fire or a power cut.

In today’s competitive business environment, speed of reaction — to technological developments and changes in consumer preference — is crucial to long-term survival. Time previously spent in gathering, synthesising, reformatting and distributing information in a leisurely way can no longer be afforded.

Fortunately, knowledge management software on an intranet platform can be used to speed up such processes. Some businesses estimate that 80 per cent of the information that their employees use is available only on local hard drives or in network folders, or even locked in the minds of the workers themselves. One KM technique that can help save time and money is to ensure that employees have common access to data and are able to reuse historical data.

On the other hand, nothing has been gained if work takes longer either because the security system is slack and hackers have disrupted the network, or because accessing the information stored has become laborious because of the precautions put in place by over-zealous security management.

Effective knowledge sharing relies on ease of use. Users will be put off any system if it is troublesome to access, or if it is unreliable and frequently breaks down. Ease encourages creativity — and users should be applying their brain power to their work, not being distracted by the need to solve IT problems.

Data security

When you pool your information in a set of accessible databases, the need for data security, as opposed to computer security, becomes paramount. Data security is also a major concern of governments.

The UK government is on the point of finalising its Data Protection Act, which should become law later this year. One of the main recommendations of the Act is that businesses should establish a security plan, in the same way that they would currently have a health and safety plan. The plan would detail why that particular business needs security, what levels of protection are appropriate for the various aspects of the computer and data infrastructures and accesses, what steps to take in the event of a security breach, and so on.

The need for the security measures to be appropriate is every bit as important as the need for any measures at all. Fitting iron doors to a bank vault may be appropriate, but fitting the same doors to a crumbling shack would be pointless. Network administrators should not be misled into thinking that security measures equate only to hardware and passwords. The very act of communicating increases the risk of a security breach.

For example, as the Internet is being used more and more for communication, there is a need to be sure that any data you have received from a colleague, customer or vendor has indeed come from that source without modification en route. Such modifications are termed ‘data diddling’. Similarly, when you are sending data from one point to another you want to be sure that only the intended recipients get the information. If the information is confidential it could contain the sort of knowledge that could be used by competitors.

There are other less obvious ways in which information can be used to breach security. For example, the knowledge of a simple fact — such as Mr Jones of company ABC broke his leg — can be used in a conversation with untrained personnel to lead them into a false sense of security that they are talking to a friendly agent. Extracting information from untrained and unsuspecting staff is known as social engineering.

Andrew Hockey of Axent Technologies comments: "On one occasion I was paying a visit to a well-known UK bank to discuss computer security. In order to demonstrate to the management that there was more to security than steel doors and firewalls, I phoned ten people in the bank at random. I told them that I was working on the computer network and I needed to check that accesses had not been modified by the work in progress.

"I asked each of the ten employees to give me their user name and password. Seven of the ten gave me their passwords without questioning my authority.

"They assumed that, just because I had a plausible story, then I had the right to the information. This is exactly what is meant by having security plans and appropriate levels of security. There is no point in installing the most sophisticated firewall system in the world if hackers can use simple social engineering techniques to get their hands on passwords."

Password protection

The use of passwords is not without problems. Some users have four or five passwords for their daily business, all of which are changed regularly. And people, being people, will forget their new password. If the changing of passwords coincides with a holiday weekend, you can be sure that the number of people who forget the new one increases dramatically. On the Tuesday morning there will be a flood of requests to reset the password because the new ones have been forgotten.

The need to verify each request to reset the password takes time and, in effect, means that there has to be a dedicated group of staff who do the checking and resetting. For example, it has been reported that telecoms operator BT has a UK department with 20 staff employed solely to perform the necessary checks and reset passwords for an estimated 100,000 users on their network. A similar proportion of support staff will exist in other large organisations. This and the general inconvenience of passwords is prompting industry experts to come up with an alternative security measure.

Possible alternatives include biometrics and smartcards, or a combination of the two. The use of biometrics has been hampered until recently by the cost of implementation. However, the use of these techniques in large-scale public sector projects has enabled the costs to be reduced. The currently favoured technique is fingerprint authentication. Fingerprints are unique and the matching process is fast. Nor can they be reproduced, so civil liberties are protected. None of the other alternative techniques currently available (including voice recognition, hand geometry, iris or retina scans and facial recognition) offer all these advantages.

Firewalls

The main hardware weapon in the fight for network security is the firewall. In its simplest form, a firewall is a computer, or system of computers, that provides communications security for information coming into or going out from a server. It controls access to information between a company’s intranet and the Internet (or extranet), both by permitting information to flow to and from the intranet and by acting as a blocking gateway to information coming in from the outside. It is designed to prevent damage to the network.

At the same time as providing real security, a firewall acts as a security blanket for management by convincing them that it is safe to connect the company’s network and data to the outside world. It can also be a convenient place to store public information about corporate products and services, news items, software downloads, updates and bug fixes.

A firewall does not, however, provide immunity to all possible attacks on a system. Its effectiveness depends on how well it is set up and how well it is administered. It is also limited in what it can protect against. For example, it cannot protect against:

• Attacks that don’t pass through the firewall. This may seem an obvious statement, but if internal users have access to direct dial modems, for example, they could connect to the Internet directly, bypassing the firewall entirely and opening the network to attacks from the outside world. Similarly, viruses can enter an organisation by being hand-carried on diskettes.

• Data-driven attacks. These are attacks that are hidden in email or other approved information that passes through the firewall. An example is the Melissa virus, which entered several major organisations’ networks hidden in Word documents.

• Internal attacks. An internal attack can come in one of many forms. For example the attack could be deliberate (sabotage, damage or theft of data by an employee) or accidental (negligence or naïvety).

One advantage of having a firewall is that it centralises and standardises the security management of a network. Without it the security relies on the individual security settings of each host computer on the network. Firewalls allow administrators to focus their efforts on one location. It also means that, being a single point of access to the Internet, a firewall provides an ideal point to impose an audit tool to monitor the traffic into and out of the network. By laying down an audit trail — by recording and analysing the information which the monitoring provides — a network administrator can determine whether or not the system is vulnerable to attacks, how many access attempts by unauthorised users were made, what steps need to be taken to tighten up security and how the firewall configuration needs to be changed.

Two philosophies

Generally, firewalls are configurable and, when any firewall is installed, it is important to ensure that it is configured by an expert to ensure the correct level of protection from the outside world, while at the same time allowing the maximum convenience of access to the outside world. Firewalls are configured using one of two extreme philosophies — you can either allow users access to all facilities including unlimited Internet access and then apply restrictions as the needs arise, or you can deny all Internet services and then enable them as the justification arises.

• Everything not permitted is denied

This is the pro-active approach recommended by most system administrators, although it can limit the number of external services that are made available to intranet users. Having said that, this is the scheme under which firewall market leader Check Point operates with its Firewall-1 product. Firewall-1 supports over 150 pre-defined applications, services and protocols out of the box and features a scripting language that allows it to be extended to new and custom applications as well. In this approach, all packets passing between the intranet and the Internet, in either direction, pass through either a packet-filtering router or a proxy server.

Routers are known as network-level firewalls. They make decisions based on the source, destination and ports of individual IP packets on the network. They range from simple ones, which make basic decisions on each packet in isolation, to more sophisticated ones that maintain internal information about the state of the connections passing through them. They route traffic directly through themselves and so tend to be very fast and virtually transparent to the user.

Proxy servers are known as application-level firewalls; they permit no traffic to be routed directly between the networks. They perform elaborate logging and auditing of the traffic passing through them. Since traffic on one side effectively has to pass through an application to reach the other side, application-level firewalls can also be used as network address translators. However, having the application in the way may also have an impact on network performance, depending on the age of the technology used in the firewall. Older application-level firewalls are far less transparent than modern ones.

• Everything not denied is permitted

This is a reactive approach whereby all services are permitted until one is actually proved to be harmful, when that service is blocked off. This approach tends to offer a wider range of external services to the internal user, but at the expense of security.

In order for them to work, firewalls have to be part of a consistent overall security plan, which should include measures for the export of data from the databases on portable media (e.g. magnetic tape) and for access to the Internet from local modems. In summary, firewalls do not replace security. They are an integral part of security.
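The two philosophies, worked through as an added example (not code from the article, nor from Check Point's Firewall-1): a first-match packet filter in Go in which the rule list is identical and only the default policy differs. The addresses, ports and rules are constructed for the illustration.

```go
package main

import "fmt"

// Policy is the firewall's stance towards traffic that no rule mentions.
type Policy int

const (
	DefaultDeny  Policy = iota // "everything not permitted is denied"
	DefaultAllow               // "everything not denied is permitted"
)

// Packet is all a packet-filter router sees of one IP datagram.
type Packet struct {
	Src, Dst string // addresses (constructed TEST-NET values in main)
	DPort    int    // destination port, which identifies the service
	Inbound  bool   // true when arriving from the Internet
}

// Rule matches on direction and destination port; DPort 0 matches any port.
type Rule struct {
	Inbound bool
	DPort   int
	Allow   bool
}

// Firewall evaluates rules in order and the first match wins; a packet that
// matches no rule falls through to Policy, the whole difference between the two stances.
type Firewall struct {
	Policy Policy
	Rules  []Rule
}

// Verdict reports whether the packet may pass the firewall.
func (fw Firewall) Verdict(p Packet) bool {
	for _, r := range fw.Rules {
		if r.Inbound == p.Inbound && (r.DPort == 0 || r.DPort == p.DPort) {
			return r.Allow
		}
	}
	return fw.Policy == DefaultAllow
}

// NewFirewall applies one constructed rule set under the given policy, so the
// only thing that differs between the stances is the fate of services nobody wrote a rule for.
func NewFirewall(pol Policy) Firewall {
	return Firewall{Policy: pol, Rules: []Rule{
		{Inbound: false, DPort: 80, Allow: true}, // web browsing out
		{Inbound: true, DPort: 25, Allow: true},  // mail in to the relay
		{Inbound: true, DPort: 23, Allow: false}, // telnet in, blocked outright
	}}
}

func main() {
	unknown := Packet{Src: "203.0.113.9", Dst: "192.0.2.10", DPort: 1999, Inbound: true}
	fmt.Println("unknown service, deny-by-default :", NewFirewall(DefaultDeny).Verdict(unknown))  // false
	fmt.Println("unknown service, allow-by-default:", NewFirewall(DefaultAllow).Verdict(unknown)) // true
	telnet := Packet{Src: "203.0.113.9", Dst: "192.0.2.10", DPort: 23, Inbound: true}
	fmt.Println("explicitly denied, allow-by-default:", NewFirewall(DefaultAllow).Verdict(telnet)) // false
}
```

The service on port 1999 stands for anything the administrator never considered; under the reactive stance it passes until someone proves it harmful, under the pro-active stance it is blocked until someone justifies it.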

Encryption

Although it is commonplace to be connected to a public network, there are still many people who are frightened by the prospect. Managers are rightly concerned that data could fall out of the Web and into the wrong hands. With many organisations using the Internet as part of their network (in the form of a virtual private network, VPN), data and information security is of growing concern.

One way of solving this problem is to use encryption under the protection of a public key infrastructure (PKI). PKI covers the elements that make up the environment where users can engage in their business with confidence in three areas. First they can be sure that no-one can eavesdrop on their communications (privacy); second, they can be confident that the message really comes from who it says it does (authentication); and, third, they can be assured that the author of a communication can never claim not to have sent a message that he or she did send (non-repudiation).

The complete PKI system includes public and private keys (private keys are kept secret by the owner, public keys are revealed to everyone), digital certificates (for certifying the authenticity of the public key, for example), as well as certification authorities, revocation lists, time stamping and standards. In addition the PKI must provide client–server software that works automatically with the keys and certificates and which makes the whole process transparent to the user.

Public key encryption can be very slow because, to be secure, it has to use keys that are 1024 or 2048 bits long. Web servers can spend up to 90 per cent of their time generating keys. One solution is to offload the encryption to a dedicated accelerator, which can process the information hundreds of times faster than a PC.
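The three PKI guarantees described above, as an added example written for this page rather than taken from it: RSA with the 2048-bit keys the article cites, using Go's standard library. Sealing to the recipient's public key gives privacy; signing with the sender's private key gives authentication and non-repudiation. Certificates, certification authorities and revocation are left out, and the message is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one participant's key pair: the private key never leaves its
// owner; the public key is handed to everyone (in a real PKI, inside a certificate).
type Party struct{ priv *rsa.PrivateKey }

// NewParty generates a fresh 2048-bit RSA key pair, the size the article cites.
func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Seal gives privacy: only the holder of the matching private key can read it.
func Seal(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Open is the recipient's side of Seal.
func (p *Party) Open(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Sign gives authentication and non-repudiation: only the signer's private key
// could have produced the signature, and nobody else holds that key.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:])
}

// Verify checks a signature against the claimed sender's public key; it fails
// if the message was diddled in transit or was signed by someone else.
func Verify(from *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(from, crypto.SHA256, h[:], sig) == nil
}

func main() {
	alice, _ := NewParty() // errors ignored only to keep the demo short
	bob, _ := NewParty()
	msg := []byte("ship 500 units to the Glasgow depot") // constructed message
	sig, _ := alice.Sign(msg)
	ct, _ := Seal(bob.Public(), msg)
	pt, _ := bob.Open(ct)
	fmt.Println("bob reads:", string(pt), "| genuine:", Verify(alice.Public(), msg, sig)) // true
	fmt.Println("diddled:", Verify(alice.Public(), []byte("ship 5000 units"), sig))       // false
	fmt.Println("forged sender:", Verify(bob.Public(), msg, sig))                         // false
}
```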

Conclusion

As the dependence on computers for communication and management of commercial information increases, so does the need to ensure that both computers and information remain secure. Securing a business from sources of malicious or accidental threat is not a one-off, once-only task. Nor is it something to be tackled in a haphazard manner. Companies that want to stay ahead of the hacker need to take computer and data security seriously.

The first step is to develop a policy that records why there is a need for security and what levels of security will be applied where and when, and to whom. The policy should be clear on what training is required and what to do in the event of a security breach.

Once the policy has been developed, it must be reviewed regularly. The formulation of the policy will depend on circumstances at the time of the formulation — and must take into account the fact that circumstances change. This means that the policy needs to be kept in line with the business as it evolves or, indeed, as security breaches are detected. It should then be modified as appropriate. Only by developing policies, reviewing them, modifying them and reviewing them again will companies be able to gain some level of assurance that their computers, networks and information are secure.

Contact the author at: freelance@madscotsman.freeserve.co.uk


 © 1999 Learned Information Europe Ltd