Information Security News mailing list archives

How Secure Are You?


From: InfoSec News <isn () C4I ORG>
Date: Thu, 24 Aug 2000 03:51:00 -0500

http://www.techweb.com/wire/story/TWB20000823S0006

By Susan Breidenbach, InformationWeek
Aug 23, 2000 (11:24 AM)

While IT managers spent huge amounts of time and resources to thwart
the threat of year 2000 problems, information security breaches in the
Internet economy are an even bigger threat. And unlike the millennium
rollover bug, security is not a one-time, easy-to-identify issue. It's
a process that must be continually refined using audits, access-rights
revisions, new tools, and changes to how data is stored. That may be
why so many businesses put security on the back burner until a crisis
flares up. It's time to go beyond awareness and take action.
Protection from security breaches requires investment in technology,
services, and personnel as well as adjustments in corporate culture.
"You have to constantly assess what's valuable in your company and
determine who needs to use it and how it should be secured," says Tim
Belcher, chief technology officer for RIPtech Inc., an application
service provider that offers outsourced security services to hundreds
of service providers, utilities, financial services, and health-care
companies. "If you put a Web server or remote client on the Internet,
it will get scanned by a hacker's probe at least once a day--even if
you're a low-profile company."

Managers say security is high on their to-do list. According to
InformationWeek Research's Global Information Security Survey
conducted in June, nearly three-quarters of 4,900 respondents regard
security as a top priority, up from 56 percent two years ago. Those in
banking, health care, finance, and telecommunications rate information
security as the highest business priority, with retailers a little
less concerned. In every sector, security is increasingly being viewed
as a key business driver.

"I see increased awareness and motivation among our own non-IT
executives and board members," says Alan Wright, senior VP and CFO of
Consumers Energy, a power utility subsidiary of $24 billion
diversified multinational energy company CMS Energy Corp. in Dearborn,
Mich. "When the 'Love Bug' brought Ford's worldwide e-mail system down
this spring, that was a real eye-opener. Before, there was a lot of
talk, and security was seen by business managers as a hassle and an
internal power play by IT." Like many other IT professionals, Wright
declined to discuss his specific tactics to combat cybercrime, but new
efforts are under way at his company.

Still, the typical company isn't putting its money where its
mouth is. The study shows very little increase in corporate spending
on information security despite continued expansion of e-business
activities. Although security-technology vendors are enjoying
increased sales, it's mostly because more companies are spending, not
because individual companies are spending more, says Mark Lobel,
senior manager of technology risk services for PricewaterhouseCoopers,
which fielded the InformationWeek Research study. "Per-company
spending remains consistent with earlier surveys," he says.

What's going on? The truth is that while the dangers of the Internet
village have raised the profile of security risks, business managers
are still making deliberate decisions to proceed with rapid deployment
of e-business technologies, even without proper security in place. "If
enhanced security would slow things up or make them too costly,
management leaves it on the table," says Frank Prince, a senior
analyst with Forrester Research.

As a result, the rush to e-business appears to be creating a growing
security gap. Between this year and last, the number of respondents to
the InformationWeek Research survey claiming close alignment between
security policies and business goals declined from 41 percent to 38
percent, while the number reporting poor alignment rose from 12
percent to 17 percent.

"One of our manufacturing clients had its accounting systems locked
down really well, but left its research and development plans--the
crown jewels--quite vulnerable," Lobel says. "External auditors come
in every year and beat companies up over financial systems, but no one
does that for intellectual property."

Security spending has also failed to follow the migration of corporate
information in recent years. "Some companies are still spending
tremendous amounts to secure mainframes--a familiar territory--while
critical data has moved to Unix and NT systems," Lobel says. And these
operating systems come with myriad vulnerabilities.

"The Internet is fundamentally Swiss cheese," says Alan Paller,
research director for the Sans Institute, a 124,000-user organization
in Bethesda, Md., that focuses on security issues and tries to get
vendors to offer more Internet-safe products.

Some vendors ship operating systems with security screws intentionally
loosened, and it's up to the installers to tighten them as needed. For
example, the Common Gateway Interfaces in Web server software can
supply hackers with root access to the server. Every copy of the
Apache open-source Web server--nearly two-thirds of installed Web
servers--comes with these vulnerabilities. "People tend to fix the
holes in the services they use, but leave the rest alone," Paller
says.

Plugging up every potential hole is a big job, and scripting tools
that attempt to automate the process generally don't provide
sufficient customization. Instead, highly skilled security
professionals have to do the job by hand--a process that can take
several weeks.

Enterprise security also needs to adapt to the new world of broadband
remote access--a big source of vulnerability. Small branch offices and
telecommuters are replacing intermittent dial-up connections with
persistent digital subscriber line and cable-modem links that create
new security holes. "These connections are always on, so there's a 100
percent chance that a hacker's ping sweep will find you," says the
chief security officer of a major financial institution who requested
anonymity. "And they have a permanent IP address, so the hacker can
come back again and again and ride your virtual private network into
the enterprise."

Security professionals say cybercrooks are targeting remote systems.
Some intruders are simply using the hard drives as free offline
storage for illicit files.

However, others are installing Trojan horse and "zombie" programs that
turn the remote computers into enterprise back doors and even launch
pads for denial-of-service attacks.

One PricewaterhouseCoopers client was victimized when a telecommuter
received a game via E-mail and installed it on his company-issued
notebook PC. The game contained an embedded Trojan horse that
effectively turned the notebook into an access router for the
enterprise network. "The hacker could connect to the machine and
capture keystrokes and cruise around the corporate network with all
the same rights that the laptop's authorized user had," Lobel says.
The hacker's activities were noticed when the employee brought the
notebook into the office to use. The firewall set off an alarm when it
noticed too much traffic going back and forth across the port to which
the notebook was attached; at home, it went unnoticed.
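A defender-side sketch of the kind of volume check the firewall in this anecdote performed, added here as an example that is not from the article: it parses constructed firewall log lines (a made-up format) and flags any inside host whose bidirectional traffic is far above that of its peers, using the median as a baseline so one compromised host cannot inflate it.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed firewall log lines (not from the article): timestamp, inside
# host, outside peer, bytes sent out, bytes received. Host 10.1.1.23 plays
# the role of the infected notebook.
SAMPLE_LOG = """\
09:00:01 10.1.1.10 198.51.100.5 out=1200 in=8200
09:00:07 10.1.1.11 198.51.100.5 out=900 in=6400
09:00:12 10.1.1.12 203.0.113.9 out=1500 in=9100
09:00:15 10.1.1.23 203.0.113.77 out=48000 in=52000
09:00:20 10.1.1.10 203.0.113.9 out=700 in=5100
09:00:31 10.1.1.23 203.0.113.77 out=51000 in=49500
09:00:44 10.1.1.11 198.51.100.5 out=1100 in=7300
09:00:58 10.1.1.23 203.0.113.77 out=47000 in=53000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"out=(?P<out>\d+) in=(?P<in>\d+)$"
)


def parse_log(text):
    """Yield (src, dst, bytes_out, bytes_in) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["out"]), int(m["in"])


def per_host_volume(records):
    """Sum bidirectional bytes per inside host."""
    totals = defaultdict(int)
    for src, _dst, b_out, b_in in records:
        totals[src] += b_out + b_in
    return dict(totals)


def flag_noisy_hosts(totals, ratio=5.0, min_hosts=3):
    """Return hosts whose volume exceeds `ratio` times the median across hosts.

    With fewer than `min_hosts` hosts there is no meaningful baseline, so
    nothing is flagged rather than raising false alarms on a tiny sample.
    """
    if len(totals) < min_hosts:
        return []
    baseline = median(totals.values())
    return sorted(h for h, v in totals.items() if v > ratio * baseline)


def flag_from_log(text, ratio=5.0):
    """Convenience wrapper: raw log text in, list of flagged inside hosts out."""
    return flag_noisy_hosts(per_host_volume(parse_log(text)), ratio)


if __name__ == "__main__":
    print(flag_from_log(SAMPLE_LOG))  # ['10.1.1.23']
```

The same aggregation run over VPN-concentrator logs would have covered the case the article describes as unnoticed at home, where no office firewall saw the traffic.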

Cable systems are even more vulnerable because they basically use the
original Ethernet "party-line" architecture and put a neighborhood on
a single subnet. Each packet is broadcast to everyone, and only the
addressee is supposed to process it. However, neighborhood hackers can
use Sniffer technologies to capture everything going across the
subnet, and they also have easy access to the other systems on it.

Since broadband access is clearly here to stay, enterprises can reduce
risks by installing personal firewalls on remote computers and
encouraging employees to turn off the machines when they aren't being
used.

While a lot of hackers are likely to be young thrill seekers, the
Internet is also providing ready access to industrial spies from all
over the world. According to the annual Computer Crime and Security
Survey by the Computer Security Institute and the FBI, theft of
proprietary business information accounts for more financial losses
than any other type of computer crime.

And those neighborhood kids can be co-opted: In 1997, CMS Energy
discovered that a $50,000 "bounty" or reward had been placed on
notebooks belonging to any CMS executive involved in bidding on
international projects. "These are multibillion-dollar bids, and they
frequently involve the governments of underdeveloped countries--often
former European colonies--in which corruption is a fact of life," says
CFO Wright, whose notebook qualifies for the bounty. "Industrial
espionage is very widespread in the energy industry, and a recent
article reported that a French oil company had a slush fund in
Switzerland for this sort of thing."

CMS was recently the target of a group of industrial spies who dressed
up like a cleaning crew and went into the company's Singapore office
looking for open, active computers. At the time, Singapore was the
center of several multibillion-dollar deals, so the local stakes were
particularly high.

This year's CSI/FBI report advises companies to make a top priority of
providing "adequate staffing and training of information security
practitioners." However, staffing up may be easier said than done
because security experts are in extremely short supply. "The biggest
problem in security is the lack of trained security people," Paller
says. "Some 2.3 million machines are being attached to the Internet
each month, and each of them is full of holes that need to be fixed."

One way to address the shortage of experienced security personnel is
to outsource--an approach recommended by eBSure Inc., a developer of
software that tracks the effectiveness and usability of Web sites. The
startup has its headquarters in Dallas and a research and development
center in Tel Aviv, Israel, with a lot of intellectual property and
sensitive business information going between the two locations on a
VPN.

Instead of investing in high-end hardware, software, and a staff that
could provide round-the-clock support, eBSure turned the protection of
its network perimeter over to RIPtech's security monitoring services.
eBSure pays $8,000 a month for managed firewalls and
intrusion-detection engines at both sites, and secured communications
between the two.

"We benefit from what RIPtech learns about all the incidents across
its broad customer base," says Kurt Ziegler, chairman and CEO of
eBSure. "It would be hard for us to keep up with all these new threats
by ourselves, because a lot of the incidents never get published."

The unwillingness of companies to go public with security breaches has
frustrated law enforcement officials for years and results in more
victims of the same sorts of incidents. In InformationWeek's study,
more than half the respondents said they don't report incidents to any
organization, and only 10 percent report them to authorities. Also, incidents
that appear to be isolated events may take on considerable
significance when aggregated because patterns emerge. As security
attacks in general become more complicated and better disguised, the
need for cooperation and discussion among potential targets is
increasingly important.

Global Integrity Corp., a security consulting firm, has come up with a
possible solution: the Information Sharing and Analysis Center
(www.wwisac.com), an organization that lets companies share
information about security problems anonymously. "It's sort of an
outgrowth of the critical information infrastructure effort, in which
people noted that nobody was sharing information about security
incidents," says Gene Schultz, Global Integrity's research director.

Global Integrity serves as a trusted broker that collects the
information, strips the identity of the source from it, and puts it in
a database that member companies can access. Launched nine months ago,
ISAC has 30 members from the banking, energy, manufacturing,
pharmaceutical, and securities industries. Annual membership is
$15,000.

Security incidents are reported to ISAC on a daily basis and range
from an insider bringing down a critical system to massive attacks on
E-commerce servers costing businesses tens of millions of dollars. The
Information Security Forum estimates that the average cost of such
security incidents is about $1.6 million. "The cost of incidents is
higher than senior management is coming to grips with," Schultz says.
"Senior management would be appalled if desktop and server machines
were being stolen, but electronic theft is going on right and left.
They just don't see it. There's an ostrich mentality here."

Management may be burying its head in the sand for several reasons.
One is the trade-off between added security and ease of use. Managers
fear a backlash from both executives and rank-and-file users when
measures such as logon time-outs and long alphanumeric passwords are
instituted.

People forget the passwords and make frequent calls to the help desk,
or they write the passwords on Post-its attached to the sides of their
terminals.

Gartner Group reports that password management is one of the
most labor-intensive and risk-prone IT functions, and costs between
$200 and $300 per user each year.

Despite the publicity surrounding denial-of-service and virus attacks,
most serious security incidents are never reported because they're
perpetrated by employees. Companies cover them up rather than risk the
loss of customer trust.

"Numerically, more attacks come from the outside now, but they are
mostly kids who come in out of curiosity and nibble around but don't
really know how to attack you with a lot of skill," Schultz says.
"However, one insider with the right skills can ruin your company."

The need to address employee breaches is often obscured by all the
solutions for physical and network security. Firewalls and
authentication systems do a good job protecting networks from remote
attacks, and heavy doors with biometric locks and video cameras can
keep strangers from breaking in at night, but employees are already on
the inside.

"When we were evaluating co-location centers, people in the front
lobby would brag about Kevlar-lined walls, and some even talked about
withstanding nuclear attacks, but hardly anyone talked about personnel
security," says Wade Myers, chairman and CEO of Interelate Inc., an
ASP that provides customer-relationship management services and
software. "Realistically, the risk of someone shooting bullets or
nuclear missiles into the data center is very low."

At one facility, Myers and his team walked in the back door and into
the data center unchallenged. The co-location facility was expanding
rapidly, and a small army of employees, contractors, and business
partners were scurrying about setting up new servers and switches.
"There's a fast-growth mentality; everything is moving so fast that
they haven't had time to put proper practices in place."

Encryption can provide an added level of security when hackers do
masquerade as authorized users or administrators and gain entry. If
secure-session options are used, Web browsers and servers do a good
job encrypting the data they exchange. However, traffic often
traverses LANs in the clear.

"Most companies are appalled at the amount of sensitive information we
pull off their networks during our assessment," says RIPtech's
Belcher. "Encryption would have more acceptance if some nontechnical
managers could actually see what is going across their networks."

Companies are starting to enhance security by encrypting data stored
on servers, but a lot of desktop data remains exposed. Desktop
solutions provide encrypted folders into which sensitive files can be
dropped, but they may rely too much on users to know what needs
protection. Similarly, when users register for digital certificates,
they indicate how the certificate is to be protected--such as smart
card or password--and "no protection" may be an option.

"Someone could walk up to your desktop and get to your certificate
without having to get through any security," says Scott Schnell, VP of
marketing for RSA Security Inc. Authentication systems often aren't
extended to the desktop, and people can simply bypass the logon
procedure and gain access to the local system. Stolen notebooks are
completely vulnerable if the contents aren't encrypted.

RSA is starting to see some customers implement an always-on policy
for hardware-based authentication. Users must have a token to access
any machine, internal or external.

One new security challenge is the complexity and granularity of
protection needed by business-to-business computing environments.
Originally, vendors helped customers build moats that kept outsiders
out, but E-business is all about inviting some of them in. "The next
stage is being able to have very detailed access and content control,"
Schnell says.

Through a partnership agreement, RSA's strong-authentication and
digital-certificate technologies are being coupled with Netegrity
Inc.'s multilevel access-control expertise to produce a security
system that can accommodate many types of users and scopes of access
rights.

The CSI/FBI report states that "the threat from computer crime and
other information security breaches continues unabated ... the
financial toll is mounting."

Companies must secure the areas where the main risks reside--which are
not always the current source of pain. For example, companies with
employees in Europe must comply with the European Union's privacy
directive, which goes into effect in 2001.

"A small security review up front might cost $100,000, while an
emergency response to an incident after the fact would run $350,000 to
$500,000," Lobel says. According to the InformationWeek Research
survey, however, nearly half of the respondents are spending only
$50,000 or less on security.

The best technologies and wisest policies will take security only so
far without extensive user and management buy-in. "You have to create
a win-win situation," says Andrea Hoy, chief information security
director for Fluor Corp., an $11 billion engineering, construction,
maintenance, and diversified services company in Aliso Viejo, Calif.
"Users have to see the benefits to themselves: Strong security is
keeping the wrong people from seeing their salary and personnel
records or getting into the bank accounts where their checks are
automatically deposited," says Hoy, a security professional for more
than 15 years and the 1991 winner of the Security Education Manager's
Award for her work applying continuous process improvements to the
implementation of information security.

Absolute protection may be unattainable, but better levels of
security--with equal parts vigilance and honest commitment--will go a
long way to protect your company.

ISN is hosted by SecurityFocus.com