Information Security News mailing list archives

Enron: Security Woes, Too?


From: InfoSec News <isn () c4i org>
Date: Mon, 11 Mar 2002 02:53:06 -0600 (CST)

http://www.eweek.com/article/0,3658,s=1884&a=23757,00.asp

March 8, 2002
By Mary Jo Foley, Baseline

Protecting a company from external computer hackers is not a job for
the faint of heart. Even when the attacks are routine, it's tough, and
it can be risky. Add a bunch of angry ex-employees and a slew of
investigators who all want to get at your internal data and mess with
it for their own varied reasons, and now you're sitting on a powder
keg.

Just ask Enron.

In early January, a would-be hacker figured he'd shine his own light
on the internal workings at the giant—and failing—global energy
trading company by getting hold of its top executives' travel records.
How best to find the details? Infiltrate the automated
travel-and-entertainment software system used by Enron to keep track
of executives' travel, according to Concur Technologies, which
developed the system and has hosted it for Enron at several
co-location sites across the country for the past two years.

The good news is that Concur detected the attempt to intrude on the
Houston company's internal records within 60 seconds, according to
Concur Chairman and CEO Steve Singh. The company thwarted the
potential breach within three to four minutes. Enron's data was not
compromised.

At least not this time. But the incident raises the question: Should
Enron be doing more to prevent this kind of security risk,
particularly as the company's image in the public eye darkens and the
tales of its travails and questionable business deals angering former
employees and investors drag on for weeks and months?

Although Enron executives declined to comment for this story, a former
Enron information technology consultant says security at the
energy-trading firm was lax. If, as computer security experts claim,
Enron epitomizes the state of internal and external security at most
Fortune 500-level companies, then it also offers lessons that others
would do well to heed. What's key to those lessons?

Concur is just one of many tens or even hundreds of applications
running at a global company such as Enron. Enron had thousands of
desktop PCs and servers running operating systems including
Microsoft's NT 4.0 and Windows 2000, Sun Microsystems' Solaris, other
flavors of Unix, and the Linux free variant of Unix, say parties with
knowledge of the company's systems.

On the application side, Enron also was a hodgepodge, using Microsoft
Exchange Server as its primary mail system, Oracle and Microsoft SQL
Server databases, and enterprise-application integration software from
Tibco. Concur wasn't the only hosted application run by Enron. At some
point, the company employed, among others, sales force automation
software from Salesforce.com. Executives with Salesforce.com, like
those at most of the vendors on Enron's IT list, declined to talk
about one of their former favorite customers.

Passwords and Post-Its

On the network and systems management fronts, "everything was
custom-built," says Charles Turich, a former IT contractor with Enron
Net Works, a division of Enron that provided help desk, hardware,
trader, remote and executive support for the entire company.

Security was fairly loose, says Turich, given the fact that Enron's
primary business was trading millions of dollars worth of energy
commodities in big chunks. Turich says he saw traders and other users
in the EnronOnline trading division regularly running file-sharing
applications—such as Napster, Gnutella clones, and Morpheus—that left
open holes in the company's firewalls.

"It was commonplace for traders, general users, and executives to give
their passwords out freely to help-desk, desktop-support and
trader-support personnel. Because of the complicated password policies
at Enron, many users hid a piece of paper under their keyboard or
mouse pad with the user names and passwords to the different
applications run throughout the course of the day," says Turich. "It
was not uncommon to find them stuck to the monitor, either, with a
Post-it Note."

Security fixes and patches were applied in an equally haphazard
manner, Turich adds. During his tenure Enron was hit twice, extremely
hard, by the Code Red and Nimda viruses, he says. Contractors and
information technology employees spent many hours installing a new
software configuration on hundreds of machines that could have been
patched and protected by the timely application of a critical update
beforehand, Turich says.

If a company is under immediate threat of both internal and external
attack, the best way to minimize risk is simply to cut all wires to
the outside world, says David Raikow, an independent security
consultant in San Francisco. "It would be best to just clamp down on
outside connections," he says.

This would involve taking down existing firewalls and replacing them
with new, completely different ones; physically pulling the plug on
all PC dial-up connections and wireless ports; changing all passwords
and cleaning out authentication databases; and shutting down any
unused machines, Raikow says. Once the dust has settled, the company
should look at performing an audit with the help of a professional
security-monitoring firm to search for places where internal or
external hackers might have tried to lay traps or create back doors
that would allow unauthorized access, Raikow adds.

Gartner Inc., the Connecticut-based research firm, estimates that more
than 70% of unauthorized access to information systems is committed by
employees, as are more than 95% of intrusions that result in
significant financial losses to a company. Yet a fundamental challenge
for any company like Enron, with so many internal technology
contractors and external trading partners, is discerning who has and
who needs various levels of access to internal systems. Companies that
are changing rapidly as a result of multiple mergers—or
layoffs—particularly face this problem.

"How do you identify who an insider is, these days?" asks Mark
McClain, president of Austin, Texas-based Waveset Technologies, an
identity-management software and services vendor. "A non-employee can
sit on site every day, and an employee can work at home and never come
in. There are non-employees who might have higher access levels to
data inside a company than do employees."

At the same time, companies often are not sure which employees have
access to what. As a result, they are left unable to properly shut the
door and halt access to a system. Enron IT staff, for example, wrote a
piece of code designed to shut off the network access of laid-off
employees upon termination, says Turich. But were administrators aware
of all the permissions held by each and every severed IT employee?

Companies need to prioritize the "three A's" in internal security:
authentication, authorization and administration, says McClain.
Otherwise, he notes, when companies lay off employees en masse,
"you're going to get hacking, defacing of Web sites, posting of
employee social security numbers—the electronic version of going
postal."
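The reconciliation the article asks for, as an added example (not code from the article, from Enron or from any vendor named here): each system's access export is compared against the termination list, with "network" standing in for the access the termination script already cut, so that residual application-level grants surface. The system names, user names and grants are constructed sample data.

```python
"""Find access a terminated user still holds in systems the
termination script never touched. Constructed example; all
systems, users and grants below are sample data, not Enron's."""
from collections import defaultdict

# Constructed exports: one list of (username, privilege) per system.
# "network" represents the directory login the script already disables.
ACCESS_EXPORTS = {
    "network":    [("jdoe", "login"), ("asmith", "login"),
                   ("rcontractor", "login")],
    "exchange":   [("jdoe", "mailbox"), ("asmith", "mailbox"),
                   ("asmith", "mailbox-delegate:ceo")],
    "oracle_db":  [("jdoe", "dba"), ("ops_svc", "readonly")],
    "concur":     [("asmith", "travel-admin"), ("jdoe", "approver")],
    "salesforce": [("rcontractor", "sysadmin")],
}
TERMINATED = {"jdoe", "rcontractor"}      # constructed termination list
DISABLED_BY_SCRIPT = {"network"}          # what the script already handles


def residual_access(exports, terminated, already_disabled):
    """Return {user: [(system, privilege), ...]} for terminated users
    who still hold grants in systems outside the script's reach."""
    residual = defaultdict(list)
    for system, entries in exports.items():
        if system in already_disabled:
            continue
        for user, privilege in entries:
            if user in terminated:
                residual[user].append((system, privilege))
    return {user: sorted(grants) for user, grants in residual.items()}


def admin_privileges(residual, admin_markers=("admin", "dba")):
    """Rank the urgent cases: residual grants that look administrative."""
    return sorted((user, system, priv)
                  for user, grants in residual.items()
                  for system, priv in grants
                  if any(m in priv.lower() for m in admin_markers))


if __name__ == "__main__":
    leftover = residual_access(ACCESS_EXPORTS, TERMINATED, DISABLED_BY_SCRIPT)
    for user, grants in leftover.items():
        print(user, grants)
    print("revoke first:", admin_privileges(leftover))
```

In practice the exports come from each application's own admin interface or directory, and the contractor case shows why the list must cover non-employee accounts as well.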

Security experts say they aren't surprised by any of this. Enron's
situation highlights the importance of securing not just a company's
externally facing systems, such as its Web site and
business-to-business hubs, but its internal systems, too. And there's
not a moment to waste. "Enron (sounds like) a security basket case.
They need to do things that give them security now. Not in six
months," says Bruce Schneier, founder of Counterpane Internet
Security, a managed security-service provider based in Virginia. "It's
not the time for vulnerability studies, or policy development, or
product deployment. It's time to post a guard, and quickly."

Security, from the Inside Out

* Create a centralized system for detecting and reporting unusual
  activity that could signal a security breach

* Maintain backup systems that can be switched on if your main systems
  are compromised

* Train all employees on how to prevent compromising of systems

* Protect your facilities physically so intruders can't just walk in

Source: Plural, IT professional services firm



-
ISN is currently hosted by Attrition.org