Solution Series August 21, 2000

How Secure Are You?

continued...page 2 of 3

Illustration by Ricarrdo Stampatori

    Cable systems are even more vulnerable because they basically use the original Ethernet "party-line" architecture and put a neighborhood on a single subnet. Each packet is broadcast to everyone, and only the addressee is supposed to process it. However, neighborhood hackers can use Sniffer technologies to capture everything going across the subnet, and they also have easy access to the other systems on it.

    Since broadband access is clearly here to stay, enterprises can reduce risks by installing personal firewalls on remote computers and encouraging employees to turn off the machines when they aren't being used.

    While a lot of hackers are likely to be young thrill seekers, the Internet is also providing ready access to industrial spies from all over the world. According to the annual Computer Crime and Security Survey by the Computer Security Institute and the FBI, theft of proprietary business information accounts for more financial losses than any other type of computer crime.

    And those neighborhood kids can be co-opted: In 1997, CMS Energy discovered that a $50,000 "bounty" or reward had been placed on notebooks belonging to any CMS executive involved in bidding on international projects. "These are multibillion-dollar bids, and they frequently involve the governments of underdeveloped countries--often former European colonies--in which corruption is a fact of life," says CFO Wright, whose notebook qualifies for the bounty. "Industrial espionage is very widespread in the energy industry, and a recent article reported that a French oil company had a slush fund in Switzerland for this sort of thing."

    CMS was recently the target of a group of industrial spies who dressed up like a cleaning crew and went into the company's Singapore office looking for open, active computers. At the time, Singapore was the center of several multibillion-dollar deals, so the local stakes were particularly high.

    This year's CSI/FBI report advises companies to make a top priority of providing "adequate staffing and training of information security practitioners." However, staffing up may be easier said than done because security experts are in extremely short supply. "The biggest problem in security is the lack of trained security people," Paller says. "Some 2.3 million machines are being attached to the Internet each month, and each of them is full of holes that need to be fixed."

    One way to address the shortage of experienced security personnel is to outsource--an approach recommended by eBSure Inc., a developer of software that tracks the effectiveness and usability of Web sites. The startup has its headquarters in Dallas and a research and development center in Tel Aviv, Israel, with a lot of intellectual property and sensitive business information going between the two locations on a VPN.

    Instead of investing in high-end hardware, software, and a staff that could provide round-the-clock support, eBSure turned the protection of its network perimeter over to RIPtech's security monitoring services. EBSure pays $8,000 a month for managed firewalls and intrusion-detection engines at both sites, and secured communications between the two.

    "We benefit from what RIPtech learns about all the incidents across its broad customer base," says Kurt Ziegler, chairman and CEO of eBSure. "It would be hard for us to keep up with all these new threats by ourselves, because a lot of the incidents never get published."

    The unwillingness of companies to go public with security breaches has frustrated law enforcement officials for years and results in more victims of the same sorts of incidents. In InformationWeek's study, more than half the respondents said they don't report incidents to any organization, and only 10% report them to authorities. Also, incidents that appear to be isolated events may take on considerable significance when aggregated because patterns emerge. As security attacks in general become more complicated and better disguised, the need for cooperation and discussion among potential targets is increasingly important.

    Global Integrity Corp., a security consulting firm, has come up with a possible solution: the Information Sharing and Analysis Center (www.wwisac.com), an organization that lets companies share information about security problems anonymously. "It's sort of an outgrowth of the critical information infrastructure effort, in which people noted that nobody was sharing information about security incidents," says Gene Schultz, Global Integrity's research director.

    Global Integrity serves as a trusted broker that collects the information, strips the identity of the source from it, and puts it in a database that member companies can access. Launched nine months ago, ISAC has 30 members from the banking, energy, manufacturing, pharmaceutical, and securities industries. Annual membership is $15,000.

    Security incidents are reported to ISAC on a daily basis and range from an insider bringing down a critical system to massive attacks on E-commerce servers costing businesses tens of millions of dollars. The Information Security Forum estimates that the average cost of such security incidents is about $1.6 million. "The cost of incidents is higher than senior management is coming to grips with," Schultz says. "Senior management would be appalled if desktop and server machines were being stolen, but electronic theft is going on right and left. They just don't see it. There's an ostrich mentality here."

    Management may be burying its head in the sand for several reasons. One is the trade-off between added security and ease of use. They fear a backlash from both executives and rank-and-file users when measures such as logon time-outs and long alphanumeric passwords are instituted.

    People forget the passwords and make frequent calls to the help desk, or they write the passwords on Post-its attached to the sides of their terminals. Gartner Group reports that password management is one of the most labor-intensive and risk-prone IT functions, and costs between $200 and $300 per user each year.

    Despite the publicity surrounding denial-of-service and virus attacks, most serious security incidents are never reported because they're perpetrated by employees. Companies cover them up rather than risk the loss of customer trust.
