Solution Series August 21, 2000

How Secure Are You?

By Susan Breidenbach

Illustration by Ricarrdo Stampatori
In this customer-centric world of instant access and continuous connections, E-business initiatives that outpace security considerations are heading for disaster.

While IT managers spent huge amounts of time and resources to thwart the threat of year 2000 problems, information security breaches in the Internet economy are an even bigger threat. And unlike the millennium rollover bug, security is not a one-time, easy-to-identify issue. It's a process that must be continually refined using audits, access-rights revisions, new tools, and changes to how data is stored. That may be why so many businesses put security on the back burner until a crisis flares up. It's time to go beyond awareness and take action. Protection from security breaches requires investment in technology, services, and personnel as well as adjustments in corporate culture--now.

"You have to constantly assess what's valuable in your company and determine who needs to use it and how it should be secured," says Tim Belcher, chief technology officer for RIPtech Inc., an application service provider that offers outsourced security services to hundreds of service providers, utilities, financial services, and health-care companies. "If you put a Web server or remote client on the Internet, it will get scanned by a hacker's probe at least once a day--even if you're a low-profile company."

Managers say security is high on their to-do list. According to InformationWeek Research's Global Information Security Survey conducted in June, nearly three-quarters of 4,900 respondents regard security as a top priority, up from 56% two years ago. Those in banking, health care, finance, and telecommunications rate information security as the highest business priority, with retailers a little less concerned. In every sector, security is increasingly being viewed as a key business driver.

"I see increased awareness and motivation among our own non-IT executives and board members," says Alan Wright, senior VP and CFO of Consumers Energy, a power utility subsidiary of $24 billion diversified multinational energy company CMS Energy Corp. in Dearborn, Mich. "When the 'Love Bug' brought Ford's worldwide E-mail system down this spring, that was a real eye-opener. Before, there was a lot of talk, and security was seen by business managers as a hassle and an internal power play by IT." Like many other IT professionals, Wright declined to discuss his specific tactics to combat cybercrime, but new efforts are under way at his company.

The typical company still isn't putting its money where its mouth is. The study shows very little increase in corporate spending on information security despite continued expansion of E-business activities. Although security-technology vendors are enjoying increased sales, it's mostly because more companies are spending, not because individual companies are spending more, says Mark Lobel, senior manager of technology risk services for PricewaterhouseCoopers, which fielded the InformationWeek Research study. "Per-company spending remains consistent with earlier surveys," he says.

What's going on? The truth is that while the dangers of the Internet village have raised the profile of security risks, business managers are still making deliberate decisions to proceed with rapid deployment of E-business technologies, even without proper security in place. "If enhanced security would slow things up or make them too costly, management leaves it on the table," says Frank Prince, a senior analyst with Forrester Research.

As a result, the rush to E-business appears to be creating a growing security gap. Between this year and last, the number of respondents to the InformationWeek Research survey claiming close alignment between security policies and business goals declined from 41% to 38%, while the number reporting poor alignment rose from 12% to 17%.

"One of our manufacturing clients had its accounting systems locked down really well, but left its research and development plans--the crown jewels--quite vulnerable," Lobel says. "External auditors come in every year and beat companies up over financial systems, but no one does that for intellectual property."

Security spending has also failed to follow the migration of corporate information in recent years. "Some companies are still spending tremendous amounts to secure mainframes--a familiar territory--while critical data has moved to Unix and NT systems," Lobel says. And these operating systems come with myriad vulnerabilities.

"The Internet is fundamentally Swiss cheese," says Alan Paller, research director for the Sans Institute, a 124,000-user organization in Bethesda, Md., that focuses on security issues and tries to get vendors to offer more Internet-safe products.

Some vendors ship operating systems with security screws intentionally loosened, and it's up to the installers to tighten them as needed. For example, the Common Gateway Interface (CGI) scripts that ship with Web server software can supply hackers with root access to the server. Every copy of the Apache open-source Web server--nearly two-thirds of installed Web servers--comes with these vulnerabilities. "People tend to fix the holes in the services they use, but leave the rest alone," Paller says.

Plugging up every potential hole is a big job, and scripting tools that attempt to automate the process generally don't provide sufficient customization. Instead, highly skilled security professionals have to do the job by hand--a process that can take several weeks.

Enterprise security also needs to adapt to the new world of broadband remote access--a big source of vulnerability. Small branch offices and telecommuters are replacing intermittent dial-up connections with persistent digital subscriber line and cable-modem links that create new security holes. "These connections are always on, so there's a 100% chance that a hacker's ping sweep will find you," says the chief security officer of a major financial institution who requested anonymity. "And they have a permanent IP address, so the hacker can come back again and again and ride your virtual private network into the enterprise."

Security professionals say cybercrooks are targeting remote systems. Some intruders are simply using the hard drives as free offline storage for illicit files. However, others are installing Trojan horse and "zombie" programs that turn the remote computers into enterprise back doors and even launch pads for denial-of-service attacks.

One PricewaterhouseCoopers client was victimized when a telecommuter received a game via E-mail and installed it on his company-issued notebook PC. The game contained an embedded Trojan horse that effectively turned the notebook into an access router for the enterprise network. "The hacker could connect to the machine and capture keystrokes and cruise around the corporate network with all the same rights that the laptop's authorized user had," Lobel says. The hacker's activities were noticed when the employee brought the notebook into the office to use. The firewall set off an alarm when it noticed too much traffic going back and forth across the port to which the notebook was attached; at home, it went unnoticed.
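The anecdote above turns on a simple detection signal: one machine moving far more traffic, to far more internal hosts, than its peers on the same segment. As an added illustration (not from the article, and not any vendor's product logic), the following Python script applies that idea to constructed firewall flow records. The log format, every address, and the byte counts are assumptions invented for the example; the baseline is the median across hosts, which stays stable even when one host is the outlier.

```python
"""Added example: flag hosts whose traffic volume is far above their peers.

Assumed (constructed) log format, one flow per line:
    <timestamp> <src_ip> <dst_ip> <dst_port> <bytes>
Nothing here comes from the article; the data below is made up.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records. 10.1.5.40 plays the compromised notebook;
# the last line is deliberately malformed to exercise the parser's skip path.
SAMPLE_LOG = """\
2000-08-21T09:00:01 10.1.5.21 10.1.0.10 445 4200
2000-08-21T09:00:03 10.1.5.22 10.1.0.10 445 3900
2000-08-21T09:00:05 10.1.5.23 10.1.0.10 445 5100
2000-08-21T09:00:06 10.1.5.40 10.1.0.10 445 88000
2000-08-21T09:00:08 10.1.5.40 10.1.0.11 80 120000
2000-08-21T09:00:09 10.1.5.40 10.1.0.12 139 95000
2000-08-21T09:00:11 10.1.5.24 10.1.0.11 80 6000
2000-08-21T09:00:12 10.1.5.25 10.1.0.11 80 4400
2000-08-21T09:00:14 10.1.5.21 10.1.0.12 139 2500
2000-08-21T09:00:15 10.1.5.26 10.1.0.10 445 notanumber
"""


def parse_flows(text):
    """Parse flow lines into (src, dst, port, bytes) tuples.

    Malformed lines (wrong field count, non-numeric port or byte count)
    are skipped rather than aborting the whole analysis.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append((parts[1], parts[2], int(parts[3]), int(parts[4])))
        except ValueError:
            continue
    return flows


def bytes_per_host(flows):
    """Total bytes sent by each source host."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def distinct_destinations(flows):
    """Number of distinct (dst, port) pairs each source host talked to."""
    dests = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        dests[src].add((dst, port))
    return {src: len(pairs) for src, pairs in dests.items()}


def flag_outliers(flows, factor=10.0, min_hosts=3):
    """Return source hosts whose byte total exceeds factor x the median host.

    The median is used as the baseline because a single very noisy host
    would drag a mean upward and hide itself. With fewer than min_hosts
    there is no meaningful baseline, so nothing is flagged.
    """
    totals = bytes_per_host(flows)
    if len(totals) < min_hosts:
        return []
    baseline = median(totals.values())
    return sorted(host for host, total in totals.items()
                  if total > factor * baseline)


def report(text, factor=10.0):
    """Run the whole pipeline and return one summary row per flagged host."""
    flows = parse_flows(text)
    totals = bytes_per_host(flows)
    fanout = distinct_destinations(flows)
    return [(host, totals[host], fanout[host])
            for host in flag_outliers(flows, factor=factor)]


if __name__ == "__main__":
    for host, total, fanout in report(SAMPLE_LOG):
        print(f"ALERT {host}: {total} bytes to {fanout} distinct dst/port pairs")
```

Run as-is it prints one alert for the constructed 10.1.5.40. The useful design point is the pairing of two weak signals, volume relative to peers and fan-out to distinct internal services, which is roughly what a perimeter firewall sees when a compromised laptop is plugged into the office segment and, as the article notes, never sees while that laptop sits on a home broadband link.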
