Security: from firewalls to hackers
"I think that there is a world market for maybe five computers"
Thomas Watson, IBM, 1943
"Because there's so much email passing through
a server, [the Melissa virus] is basically taking down the servers"
Srivats Sampath, Network Associates, 1999
When Thomas Watson made his oft-quoted statement in 1943 he couldn't
have been more wrong about how widespread the use of, and reliance on, computers
would become.
Today it would be hard to imagine any business operating without computers
in some manner, whether they are used for calculation, word processing,
data processing, filtering and retrieval, or communication. Of course this
dependence on computers and data storage has inevitably led to a situation
of vulnerability. Most businesses would suffer a major disruption of their
activities if their computers, data or infrastructure were compromised.
Such an event, of course, is all too common, but the most likely catastrophe
to strike your system is not going to be something like fire or flood. The
more usual source would be a deliberate attack of some sort, possibly from
the Internet.
The National Computing Centre (NCC) estimates that the total amount of
money lost in 1998 in the UK as a direct result of computer security breaches
was in the region of £1 billion. A Department for Trade and Industry
survey in the UK revealed that 90 per cent of the companies questioned had
experienced a serious security breach in the previous 12 months. Earlier
this year many of the world's largest corporations, including
giants Microsoft, Intel and Lucent, had to close down their email systems
because of infestations by the Melissa virus.
In addition to threats from the Internet, there is also the threat posed
by inside agents. In the US, for example, 43 per cent of reported malicious
acts were made by employees, an increase of 14 per cent on the previous
year. Computer and data security have become major industries as more and
more corporate and IT managers realise the need for protection of their
systems. Any form of successful data protection has to find the right balance
between security and liberty: it has to find a balance between successfully
protecting a system while still allowing the people who use the system every
day to get on with their work without too many impediments.
Threats to security
The most widely known threat to a computer system is the hacker. Although
feared, in the majority of cases the hacker is a non-malicious entity. Most
hacking is carried out for the thrill of the chase: as a sport
or an intellectual challenge. In many ways a hacker looks at a security
system in the same way that a mountaineer looks at a formidable mountain:
it's a challenge to be overcome.
While the majority of hackers are only in it for the sport, there is
a minority who will conduct their hacking with the intent of causing as
much damage as they can. The damage inflicted might take the form of destroying
files or even locking out legitimate users. Whether or not a particular
hack had malicious origins, the real trouble caused by the hacker is the
disruption that follows in the aftermath of the security breach: the time
and money that will be spent checking the extent of the breach and putting
procedures and systems in place in order to prevent a recurrence.
In addition to this disruption at the time of the hack, the loss of credibility
must also be considered. When news of the hack becomes public, there is
likely to be some effect on the company. Indeed, if the institution or corporation
that was hacked relies on any aspect of security to win or to keep business,
then it is likely that stringent measures will be taken to prevent the hack
from becoming public knowledge. If the outside world were to know, the resulting
loss of business might be considerable.
One case that was widely publicised took place in 1994 when Citibank's
cash management system was tapped into by a 34-year-old Russian and his
accomplices. The group managed to transfer $10 million out of the bank into
other bank accounts around the world. The direct loss to the bank was, of
course, the value of the money transferred out. The loss of consequential
business, however, has been estimated as being as high as some billions
of dollars.
Other common threats to computer security occur when data is being shared
across an external, public network. With the increased reliance on the Internet
as part of system networks, there are scores of ways in which a hacker can
make a system powerless.
A hacker could, for example, take advantage of weaknesses in the operating
system to gain access to the network and lock users out. Or the hacker could
make the host computer reboot, or could use up system resources so that
the system is effectively reduced to operating at a walking pace. For a
company relying on the computer network for its day-to-day business as an
intranet, or for e-commerce, this denial of service is as serious as a fire
or a power cut.
In today's competitive business environment, speed of reaction
to technological developments and changes in consumer preference
is crucial to long-term survival. Time previously spent in gathering, synthesising,
reformatting and distributing information in a leisurely way can no longer
be afforded.
Fortunately, knowledge management software on an intranet platform can
be used to speed up such processes. Some businesses estimate that 80 per
cent of the information that their employees use is available only on local
hard drives or in network folders, or even locked in the minds of the workers
themselves. One KM technique that can help save time and money is to ensure
that employees have common access to data and are able to reuse historical
data.
On the other hand, nothing has been gained if work takes longer either
because the security system is slack and hackers have disrupted the network,
or because accessing the information stored has become laborious because
of the precautions put in place by over-zealous security management.
Effective knowledge sharing relies on ease of use. Users will be put
off any system if it is troublesome to access, or if it is unreliable and
frequently breaks down. Ease encourages creativity and users should
be applying their brain power to their work, not being distracted by the
need to solve IT problems.
Data security
When you pool your information in a set of accessible databases, the
need for data security, as opposed to computer security, becomes paramount.
Data security is also a major concern of governments.
The UK government is on the point of finalising its Data Protection Act,
which should become law later this year. One of the main recommendations
of the Act is that businesses should establish a security plan, in the same
way that they would currently have a health and safety plan. The plan would
detail why that particular business needs security, what levels of protection
are appropriate for the various aspects of the computer and data infrastructures
and accesses, what steps to take in the event of a security breach, and
so on.
The need for the security measures to be appropriate is every bit as
important as the need for any measures at all. Fitting iron doors to a bank
vault may be appropriate, but fitting the same doors to a crumbling shack
would be pointless. Network administrators should not be misled into thinking
that security measures equate only to hardware and passwords. The very act
of communicating increases the risk of a security breach.
For example, as the Internet is being used more and more for communication,
there is a need to be sure that any data you have received from a colleague,
customer or vendor has indeed come from that source without modification
en route. Such modifications are termed "data diddling". Similarly,
when you are sending data from one point to another you want to be sure
that only the intended recipients get the information. If the information
is confidential it could contain the sort of knowledge that could be used
by competitors.
There are other less obvious ways in which information can be used to
breach security. For example, the knowledge of a simple fact such
as "Mr Jones of company ABC broke his leg" can be used in a conversation
with untrained personnel to lull them into a false sense of security that
they are talking to a friendly agent. Extracting information from untrained
and unsuspecting staff is known as social engineering.
Andrew Hockey of Axent Technologies comments: "On one occasion I
was paying a visit to a well-known UK bank to discuss computer
security. In order to demonstrate to the management that there was more
to security than steel doors and firewalls, I phoned ten people in the bank
at random. I told them that I was working on the computer network and I
needed to check that accesses had not been modified by the work in progress.
"I asked each of the ten employees to give me their user name and
password. Seven of the ten gave me their passwords without questioning my
authority.
"They assumed that, just because I had a plausible story, then I
had the right to the information. This is exactly what is meant by having
security plans and appropriate levels of security. There is no point in
installing the most sophisticated firewall system in the world if hackers
can use simple social engineering techniques to get their hands on passwords."
Password protection
The use of passwords is not without problems. Some users have four or
five passwords for their daily business, all of which are changed regularly.
And people, being people, will forget their new password. If the changing
of passwords coincides with a holiday weekend, you can be sure that the
number of people who forget the new one increases dramatically. On the Tuesday
morning there will be a flood of requests to reset the password because
the new ones have been forgotten.
The need to verify each request to reset the password takes time and,
in effect, means that there has to be a dedicated group of staff who do
the checking and resetting. For example, it has been reported that telecoms
operator BT has a UK department with 20 staff employed solely to perform
the necessary checks and reset passwords for an estimated 100,000 users
on their network. A similar proportion of support staff will exist in other
large organisations. This and the general inconvenience of passwords is
prompting industry experts to come up with an alternative security measure.
Possible alternatives include biometrics and smartcards, or a combination
of the two. The use of biometrics has been hampered until recently by the
cost of implementation. However the use of these techniques in large-scale
public sector projects has enabled the costs to be reduced. The currently
favoured technique is fingerprint authentication. Fingerprints are unique
and the matching process is fast. Nor can they be reproduced, so civil liberties
are protected. None of the other alternative techniques currently available
(including voice recognition, hand geometry, iris or retina scans and facial
recognition) offer all these advantages.
Firewalls
The main hardware weapon in the fight for network security is the firewall.
In its simplest form, a firewall is a computer, or system of computers,
that provides communications security for information coming into or going
out from a server. It controls access to information between a company's
intranet and the Internet (or extranet) both by permitting information to
flow to and from the intranet and by acting as a blocking gateway to information
coming in from the outside. It is designed to prevent damage to the network.
At the same time as providing real security, a firewall acts as a security
blanket for management by convincing them that it is safe to connect the
companys network and data to the outside world. It can also be a convenient
place to store public information about corporate products and services,
news items, software downloads, updates and bug fixes.
A firewall does not, however, provide immunity to all possible attacks
on a system. Its effectiveness depends on how well it is set up and how
well it is administered. It is also limited in what it can protect against.
For example, it cannot protect against:
Attacks that don't pass through the firewall. This may seem
an obvious statement, but if internal users have access to direct dial modems,
for example, they could connect to the Internet directly, bypassing the
firewall entirely and opening the network to attacks from the outside world.
Similarly, viruses can enter an organisation by being hand-carried on diskettes.
Data-driven attacks. These are attacks that are hidden in email
or other approved information that passes through the firewall. An example
is the Melissa virus that entered several major organisations' networks hidden
in Word documents.
Internal attacks. An internal attack can come in one of many forms.
For example the attack could be deliberate (sabotage, damage or theft of
data by an employee) or accidental (negligence or naïvety).
One advantage of having a firewall is that it centralises and standardises
the security management of a network. Without it the security relies on
the individual security settings of each host computer on the network. Firewalls
allow administrators to focus their efforts on one location. It also means
that, being a single point of access to the Internet, a firewall provides
an ideal point at which to impose an audit tool to monitor the traffic into and out
of the network. By laying down an audit trail, recording and analysing
the information which the monitoring provides, a network administrator
can determine whether or not the system is vulnerable to attacks, how many
access attempts by unauthorised users were made, what steps need to be taken
to tighten up security and how the firewall configuration needs to be changed.
Two philosophies
Generally, firewalls are configurable and, when any firewall is installed,
it is important to ensure that it is configured by an expert to ensure the
correct level of protection from the outside world, while at the same time
allowing the maximum convenience of access to the outside world. Firewalls
are configured using one of two extreme philosophies: you can either
allow users access to all facilities including unlimited Internet access
and then apply restrictions as the needs arise, or you can deny all Internet
services and then enable them as the justification arises.
Everything not permitted is denied
This is the pro-active approach recommended by most system administrators;
however, it can limit the number of external services that are made available
to the intranet users. Having said that, this is the scheme under which
firewall market leader Check Point operates with its Firewall-1 product.
Firewall-1 supports over 150 pre-defined applications, services and protocols
out of the box and features a scripting language to enable it to be extended
to new and custom applications as well. In this approach, all packets passing
between the intranet and Internet, in either direction, pass through either
a packet-filter router or a proxy server.
Routers are known as network-level firewalls. They make decisions on
the source, destination and ports of individual IP packets on the network.
They range from the simple ones which make basic decisions on each packet,
to more sophisticated ones that maintain internal information about the
state of connections passing through them. They route traffic directly through
them and so tend to be very fast and virtually transparent to the user.
Proxy servers are known as application-level firewalls that permit no
traffic to be routed directly between networks. They perform elaborate logging
and auditing of the traffic passing through them. Since the traffic at one
side effectively has to pass through an application to get to the other
side, application level firewalls can also be used as network address translators.
However, having the application in the way may also have an impact on the
network performance, depending on the age of the technology used in the
firewall. Older application level firewalls are far less transparent than
modern ones.
Everything not denied is permitted
This is a reactive approach whereby all services are permitted until
one is actually proved to be harmful, when
that service is blocked off. This approach tends to offer a wider range
of external services to the internal user, but at the expense of security.
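As an added illustration, not code from the article or from any product it names, the Go program below models a stateful packet-filter router and pushes the same constructed traffic through both philosophies: a deny-by-default rule set that opens only justified services, and a permit-by-default set that blocks only what has already proved harmful. The hosts, ports and rules are assumptions chosen for the example; connection tracking lets the deny-by-default filter pass replies to connections the intranet opened.

```go
package main

import "fmt"

type Packet struct { // the header fields a network-level firewall looks at
	Src, Dst string
	Port     int
	Inbound  bool // true when the packet arrives from the Internet side
}

// Rule permits or denies one direction and port (Port 0 = any); first match wins.
type Rule struct {
	Inbound, Allow bool
	Port           int
}

type Filter struct {
	Rules        []Rule
	DefaultAllow bool            // false: "not permitted is denied"; true: "not denied is permitted"
	established  map[string]bool // reverse paths of connections the intranet opened
}

// Decide: an explicit rule wins; otherwise a reply to an intranet-opened connection
// passes; otherwise the default policy applies. Allowed outbound traffic is remembered.
func (f *Filter) Decide(p Packet) bool {
	allow := f.DefaultAllow || (p.Inbound && f.established[p.Src+">"+p.Dst])
	for _, r := range f.Rules {
		if r.Inbound == p.Inbound && (r.Port == 0 || r.Port == p.Port) {
			allow = r.Allow
			break
		}
	}
	if allow && !p.Inbound {
		f.established[p.Dst+">"+p.Src] = true
	}
	return allow
}

// Run pushes constructed sample traffic through f and returns its decisions: a web
// request and its reply, inbound mail, an outside telnet attempt, an unknown port.
func Run(f *Filter) []bool {
	sample := []Packet{
		{"10.0.0.5", "198.51.100.7", 80, false},
		{"198.51.100.7", "10.0.0.5", 40001, true},
		{"203.0.113.9", "10.0.0.25", 25, true},
		{"203.0.113.9", "10.0.0.25", 23, true},
		{"203.0.113.9", "10.0.0.25", 1234, true},
	}
	var out []bool
	for _, p := range sample {
		out = append(out, f.Decide(p))
	}
	return out
}

// DenyByDefault opens only the justified services (outbound web, inbound mail);
// PermitByDefault blocks only what has already proved harmful (telnet here).
func DenyByDefault() *Filter { return &Filter{Rules: []Rule{{false, true, 80}, {true, true, 25}}, established: map[string]bool{}} }
func PermitByDefault() *Filter { return &Filter{Rules: []Rule{{true, false, 23}}, DefaultAllow: true, established: map[string]bool{}} }

func main() { fmt.Println(Run(DenyByDefault()), Run(PermitByDefault())) } // [true true true false false] [true true true false true]
```

The probe of the unjustified port is the telling case: the permit-by-default filter forwards it until somebody notices and adds a rule, while the deny-by-default filter never had it open.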
In order for them to work, firewalls have to be part of a consistent
overall security plan, which should include measures for the export of data
from the databases on portable media (eg magnetic tape) and the access to
the Internet from local modems. In summary, firewalls do not replace security.
They are an integral part of security.
Encryption
Although it is commonplace to be connected to a public network, there
are still many people who are frightened by the prospect. Managers are rightly
concerned that data could fall out of the Web and into the wrong hands.
With many organisations using the Internet as part of their network (in
the form of a virtual private network, VPN), data and information security
is of growing concern.
One way of solving this problem is to use encryption under the protection
of a public key infrastructure (PKI). PKI covers the elements that make
up the environment where users can engage in their business with confidence
in three areas. First they can be sure that no-one can eavesdrop on their
communications (privacy); second, they can be confident that the message
really comes from who it says it does (authentication); and, third, they
can be assured that the author of a communication can never claim not to
have sent a message that he or she did send (non-repudiation).
The complete PKI system includes public and private keys (private keys
are kept secret by the owner, public keys are revealed to everyone), digital
certificates (for certifying the authenticity of the public key, for example),
as well as certification authorities, revocation lists, time stamping and
standards. In addition the PKI must provide client-server software
that works automatically with the keys and certificates and which makes
the whole process transparent to the user.
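As an added example, not code from the article or from any product it names, the Go program below uses RSA key pairs to give the three PKI guarantees described above to a constructed payment order: encryption to the recipient's public key for privacy, a signature under the sender's private key for authentication and non-repudiation, and rejection of both a substituted message (the "data diddling" case) and a message signed by an impostor. The party names and message text are assumptions; certificates, certification authorities and revocation are assumed out of scope.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal encrypts msg with the recipient's public key (privacy) and signs its hash
// with the sender's private key (authentication, and non-repudiation because only
// the sender holds that key). Certificates and CAs are not modelled here.
func Seal(sender *rsa.PrivateKey, to *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(msg)
	sig, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	return ct, sig, err
}

// Open decrypts with the recipient's private key and checks the signature against
// the claimed sender's public key; msg is only trustworthy when err is nil.
func Open(me *rsa.PrivateKey, from *rsa.PublicKey, ct, sig []byte) (msg []byte, err error) {
	if msg, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, me, ct, nil); err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	return msg, rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil)
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // one of the key lengths the article cites
	if err != nil {
		panic(err) // no usable randomness; nothing sensible to do
	}
	return k
}

// Demo sends a constructed payment order from Alice to Bob and reports whether the
// genuine order was read, a substituted order ("data diddling") was rejected, and
// an order Eve signed while claiming to be Alice was rejected.
func Demo() (genuineOK, substitutionCaught, impostorCaught bool) {
	alice, bob, eve := newKey(), newKey(), newKey()
	order := []byte("pay 10 to account 42")
	ct, sig, _ := Seal(alice, &bob.PublicKey, order)
	got, err := Open(bob, &alice.PublicKey, ct, sig)
	genuineOK = err == nil && string(got) == string(order)
	// Eve has Bob's public key, so she can encrypt her own text for him, but the
	// only signature she can attach is Alice's over the original order.
	fake, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &bob.PublicKey, []byte("pay 10 to account 666"), nil)
	_, err = Open(bob, &alice.PublicKey, fake, sig)
	substitutionCaught = err != nil
	ct2, sig2, _ := Seal(eve, &bob.PublicKey, order) // Eve signs with her own key
	_, err = Open(bob, &alice.PublicKey, ct2, sig2)
	impostorCaught = err != nil
	return
}

func main() { fmt.Println(Demo()) } // true true true
```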
Public key encryption can be very slow because, to be secure, it has
to use keys that are 1024 or 2048 bits long. Web servers can spend up to
90 per cent of their time generating keys. One solution is to offload the
encryption to a dedicated accelerator which can process the information
hundreds of times faster than a PC.
Conclusion
As the dependence on computers for communication and management of commercial
information increases, so does the need to ensure that both computers and
information remain secure. Securing a business from sources of malicious
or accidental threat is not a one-off, once-only task. Nor is it something
to be tackled in a haphazard manner. Companies who want to stay ahead of
the hacker need to take computer and data security seriously.
The first step is to develop a policy that records why there is a need
for security and what levels of security will be applied where and when,
and to whom. The policy should be clear on what training is required and
what to do in the event of a security breach.
Once the policy has been developed, it must be reviewed regularly. The
formulation of the policy will depend on circumstances at the time of the
formulation and must take into account the fact that circumstances
change. This means that the policy needs to be kept in line with the business
as it evolves or, indeed, as security breaches are detected. It should then
be modified as appropriate. Only by developing policies, reviewing them,
modifying them and reviewing them again, will companies be able to gain
some level of assurance that their computers, networks and information are
secure.
Contact the author at: freelance@madscotsman.freeserve.co.uk