A Thousand Points of Entry
by Don Monkerud
[Sidebar: Holes in the Wall]
[Diagram: Network Security Configuration]
[Diagram: Building Effective Enterprise-Wide Security]
Establishing enterprise-wide security is no easy matter. Here are some
key issues to address in planning a comprehensive solution.
Security used to be almost as easy as locking the door to the computer
room at the end of the day. In today's multivendor, client/server environments,
often networked in enterprise-wide systems,
security is infinitely more complex. Networking computers, establishing
global networks and streamlining systems to gain business efficiencies create
new vulnerabilities to unauthorized access from within the company and from
outside.
Enterprise-wide networks, coupled with a major thrust in electronic commerce
on the Internet, potentially open a company's internal information to the
whole world. While the Internet promises a new way of doing business, the
risks incurred in using it are many. Effective security becomes the critical
enabler in extending a company's network to improve service and accommodate
the road warriors using remote access, while protecting the organization's
valuable information assets.
No national clearinghouse keeps statistics on computer break-ins and computer
crimes, and victims are understandably reluctant to publicize their experiences.
Therefore, reports of the extent of the problem are largely anecdotal, although
news reports chronicle some crimes of hackers. The British Banking Association
estimates that computer fraud costs banks $8 billion a year. A survey of
320 information security professionals at large organizations conducted
by the San Francisco-based Computer Security Institute found that only 51
percent of companies connected to the Internet had firewalls--electronic
barriers to limit access from the outside--in place and that 30 percent
of the breaches in security occurred even with a firewall.
A new study of 200 computer security directors by a team at Michigan State
University in East Lansing found a startling increase in the number of computer
crimes reported by the Fortune 500. Much of the crime resulted from
lax security measures associated with a lack of value placed on intellectual
property such as new designs, new concepts and marketing information.
Additionally, networking creates security issues that go beyond the company
itself and beyond the security problems it thinks are important. "Technology
has grown exponentially and created new and different types of vulnerabilities,"
says Andra Katz, a research associate at Michigan State. "There's a
geometric growth in the amount of abuse [reported], from 60 percent [of
all respondents] a few years ago to 98 percent today. That's a huge leap."
The new technology-driven vulnerabilities create a moving target for IS
managers attempting to secure their systems. The Michigan State study found
that full-time, trusted employees and contractors are responsible for most
computer crimes that include credit card fraud, telecommunications fraud,
copying of software, the use of computers for personal reasons and unauthorized
access to confidential files. Many employees access confidential data to
gain advantages over fellow employees.
At the same time as the Michigan study shows a rise in internal security
breaches, IS managers record an increasing number of "door knocks from
the outside." Hackers are getting increasingly sophisticated and, instead
of exploiting a single machine, attack the infrastructure of the networks.
The rise of "information brokers" and the "information underground"
means hackers no longer have to know the value of the information they steal;
brokers will locate a buyer for confidential company information and pay
the hacker accordingly.
Developing a Plan
What can an organization do to neutralize threats such as these? Most computer
systems grew willy-nilly, sometimes with limited oversight that paid little
attention to overall security. Policies and procedures have been initiated
in response to problems as they arose. Today's situation requires proactive
planning, but developing a framework for a security infrastructure is complicated.
"Security is hard because solutions that are good and easy to use aren't
here yet," says Bruce Schneier, author of Applied Cryptography (second
edition, John Wiley and Sons, 1996) and president of Counterpane Systems,
a security consulting company in Oak Park, IL. "Security is haphazard
and ad hoc. Companies hope for the best, but most company security is in
pretty sad shape."
Rich Pethia is manager of Trustworthy Systems at the Software Engineering
Institute of Carnegie Mellon University in Pittsburgh and led one of the
first Computer Emergency Response Teams (CERT). Trustworthy Systems is an
outgrowth of CERT; its goal is "to help the software-producing and
-using communities build and maintain trust in software-intensive systems
by decreasing the risks of computer security incidents." According
to Pethia, security incidents reported to CERT increased from 770 in 1992
to 2,400 in 1994. By analyzing factors that contribute to the increase in
security breaches, companies can begin to find solutions, he says.
First, intruders are becoming more technically sophisticated, and there
are more of them. They have better understanding of networks and are more
deeply analyzing network software to exploit vulnerabilities. For example,
an awareness of topology lets them know where to plant eavesdropping software,
such as sniffers that steal passwords.
Second, moving from centralized mainframes to decentralized client/server
configurations causes rapid management changes and reorganization. In-house
security expertise may be fragmented and diffused throughout the organization,
making technical solutions more difficult to determine and accomplish.
Third, the rapid growth in networks and changes in technology push many
people into system administration without proper training. Such technicians
often are unable to configure secure systems.
Coupled together, these trends are disturbing, and companies need to establish
policies before they can counter the problems. Vendors are becoming more
security-conscious, which will help in the long run, but in the short run
users must try to anticipate and counter as many problems as they can. For
example, companies are placing heavy emphasis on firewalls but may be overlooking
the hundreds of modems installed to establish Internet connections. "A
company needs to look at the entire organization from top to bottom and
side to side to make sure they aren't missing any significant problems,"
says Pethia.
Analyzing Risks
As the first step in a comprehensive security plan, experts recommend identifying
assets, placing values on them and evaluating the threats to those assets.
Michele Crabb, a computer security analyst for the NAS facility at NASA
Ames Research Center at Moffett Field, CA, suggests conducting a risk analysis
that includes determining what information must be protected and at what
level, as well as the real threats to them.
NASA Ames does formal analysis. Assets include hardware, software, contract
personnel, storage media and facility building costs. Intellectual property
assets include program code, input data, system and program documentation,
World Wide Web servers and home pages, and databases. Safeguards analysis
features three categories: physical, such as building access controls and
remote camera surveillance; administrative, which includes all the policies
and procedures; and technical, such as computer access control, system monitoring,
password controls and audit trails.
According to Crabb, many sites suffer the same weaknesses. (For a list of
common weak spots in site security, see "Holes in the Wall" on
page 42.) Once the safeguards are evaluated, Crabb attempts to "break
the rules" by having a friend pose as an intruder to enter the building
or restricted areas without authorization or break into the computer system
from the outside. After determining areas of vulnerability, she balances
the risks against the cost of protecting the assets. At this point, the
company must determine how much it is willing to pay to make the assets
secure.
"One of the major problems comes down to the company's security stance,"
says Crabb. "What does a company want to protect, and what can it afford?
Not everyone needs the same level of security."
Failing to dedicate management resources to security can pose a major problem.
Few sites have a dedicated security officer, although a rule of thumb is
that any site with more than 100 machines needs someone whose primary responsibility
is to provide security for them. That person in turn needs ongoing security
training to keep up with new techniques for intrusion.
Acquiring Tools
Crabb says that, after determining the security philosophy for a site, the
next essential item is a collection of security tools. Intruders themselves
run many of these tools as they attempt to find a weak link to exploit,
and countering them will make the system more secure. (Tools listed below
are freely available as shareware over the Internet.) Crabb classifies tools
into four categories:
1. Tools to scan and test for system vulnerabilities. Some tools
locate early versions of the sendmail Unix utility (which allowed
unauthorized access to a system) and alert the system administrator. Others
allow administrators to check all hosts on the local network from a single
host. (Examples: Internet Security Scanner, Securescann and SATAN.)
2. Tools to scan the local hosts for configuration errors, such as
world-writable files and directories, poor passwords, unnecessary entries
in the /etc/inetd.conf file and others that can lead to security vulnerabilities.
(Examples: COPS, Tripwire, Crack and TAMU.)
3. Tools to enable users to perform functions in a more secure manner,
such as by enforcing stricter password construction or encrypting e-mail.
(Examples: npasswd, S/Key, Kerberos and tcp_wrapper.)
4. Tools to analyze what an intruder did after or during a security
incident. They can scan log files for inconsistencies or determine open
files. (Examples: lsof, naiad, SLIC and prob_ports.)
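Two checks from the second category above, written as an added example rather than code from the article or from any of the tools it names: flagging inetd services that are switched on without being on the site's approved list, and flagging world-writable files and directories from a map of file modes. The sample inetd.conf, the file modes and the allowlist are constructed for the demonstration.

```python
"""Configuration audit in the spirit of the category 2 tools above (added example, not
code from the article or from COPS/TAMU). Two checks: world-writable files and
directories, and inetd services enabled beyond an approved list. The sample
inetd.conf, file modes and allowlist are constructed so this runs offline."""
import os
import stat

# Constructed inetd.conf: service, socket type, protocol, wait flag, user, server, args.
SAMPLE_INETD_CONF = """\
ftp     stream tcp nowait root   /usr/sbin/ftpd    ftpd -l
telnet  stream tcp nowait root   /usr/sbin/telnetd telnetd
#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd
tftp    dgram  udp wait   root   /usr/sbin/tftpd   tftpd
rexec   stream tcp nowait root   /usr/sbin/rexecd  rexecd
"""

# Assumed site policy: the only inetd services this host is meant to offer.
APPROVED_SERVICES = {"ftp", "telnet"}

def parse_inetd(text):
    """Enabled services as {service: (user, server)}; comments and blanks are skipped."""
    enabled = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue  # comment, blank or malformed entry
        enabled[fields[0]] = (fields[4], fields[5])
    return enabled

def unnecessary_services(text, approved=APPROVED_SERVICES):
    """Services switched on in inetd.conf that the site policy does not call for."""
    return sorted(s for s in parse_inetd(text) if s not in approved)

def world_writable(modes):
    """Paths whose st_mode grants write to 'other' (0o002). Sticky directories such as
    /tmp are expected to be world-writable and are not reported."""
    hits = []
    for path, mode in modes.items():
        sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        if mode & stat.S_IWOTH and not sticky_dir:
            hits.append(path)
    return sorted(hits)

# Constructed sample: path -> st_mode as os.lstat() would report it.
SAMPLE_MODES = {
    "/etc/passwd": stat.S_IFREG | 0o644,
    "/etc/hosts.equiv": stat.S_IFREG | 0o666,      # anyone could add a trusted host
    "/tmp": stat.S_IFDIR | stat.S_ISVTX | 0o777,    # sticky: expected
    "/usr/local/bin": stat.S_IFDIR | 0o777,         # programs here could be replaced
}

def scan_tree(root):
    """Build the {path: st_mode} map for world_writable() from a real directory tree."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                modes[path] = os.lstat(path).st_mode
            except OSError:
                pass  # vanished or unreadable entry
    return modes
```

On a live host, `world_writable(scan_tree("/"))` runs the same check over the real filesystem.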
While these free tools can answer many security needs, they are not for
everyone. Some companies do not want to rely upon shareware for security,
because public domain packages receive little software engineering and require
knowledgeable professionals to install and keep them up to date. Universities,
where shareware is often created, seldom have networks that carry mission-critical
data.
"Corporations have standards for software, and it's unlikely that public
domain tools will be developed in a way that meets corporate standards,"
says Gene Schultz, program manager at SRI International, a research institute
in Menlo Park, CA. "If a university's machines crash, there's little
cost. But if a corporation's machines crash for an hour, it could cost millions
of dollars."
Private Policy
Viewing policies and procedures as a one-time exercise that establishes
a fixed plan is futile, because the rapidly changing computing environment
will render policies and procedures obsolete. Schultz favors having an evolving
security infrastructure in which teams from different corporate functions,
such as security, IS and various business units, brainstorm on what the
network will look like over time. By developing "snapshots" of
the network at given points in time, it is possible to anticipate threats
and attempt to develop and design mechanisms into the network to counter
them.
"Threats have to be addressed on a priority basis," Schultz says.
"If it's an Internet connection to a corporate network, think about
some kind of gateway-level control, like secure routers or firewalls. If
it's to secure servers in internal networks, think about running a network-wide
tool, like a network intrusion detection tool. But by all means develop
intrinsic capabilities, which are fundamentally more important than add-on
capabilities. Intrinsic capabilities will be more difficult to defeat and
less costly to implement and maintain."
Another trend--the baseline control approach--is gaining popularity, according
to Schultz. While risk analysis can be useful if an industry has a unique
configuration, companies often get bogged down in resource-consuming guesswork.
The baseline control approach simply implements the kinds of security
controls that peer companies are using. This process works because security
controls are evolving along with the threats and tend to focus on the most
serious threats, rather than any possible threat that might occur. In essence,
if your peers on the Internet are using firewalls, use firewalls; if LAN
administrators are installing audit packages, do the same.
"The main kinds of controls people are using today are gate-level controls,
like firewalls and secure routers, service-based security controls that
make TCP/IP more secure and enhanced authentication tools, like tokens and
smart cards," Schultz says. "At the same time, I never want to
leave an impression that network security can be completely managed. Heterogeneous
environments and protocols are impossible to control completely."
Wising Up Users
While security tools are good for technical people, it's the users who often
allow intruders into a network. Most people view their computer as an appliance,
like a telephone, and don't want to bother about security. Yet they should
understand security issues and the vulnerabilities they create when they
log onto the Internet.
"I agree with the statement, 'Security is not something you buy, it's
something you do,'" says Sandra Sparks, computer scientist and manager
of the United States Department of Energy's Computer Incident Advisory Capability
team at Lawrence Livermore National Laboratory in Livermore, CA. "We're
paying for years of neglect because security didn't get built into our information
processing systems. It was usually an afterthought. Unix is an example of
an operating system that was built to get solutions quickly, without needing
to consider security. It was never intended for use in the business arena
of today, and we are paying a price for its popularity."
Outthinking intruders is tough. Sparks reports one case where a desktop
computer's security was compromised, and the company placed a guard on the
office. The guilty employee simply saw the guard at the door, slipped into
a nearby office and logged into the guarded computer from the PC in there.
Another case involved a company that placed firewalls on its servers and
then discovered a sniffer installed just inside the firewall.
Nevertheless, making users aware of security risks can increase the level
of security. For example, Boeing Information and Support Services in Everett,
WA, sees its employees as the first line of defense. A training program
attempts to make all employees responsible for sensitive data on the network.
Security professionals develop technical safeguards such as firewalls and
encryption.
"There are many pressures pushing electronic commerce forward at a
feverish pitch," says Bob Jorgensen, a spokesperson for Boeing. "We
have to make sure that security moves as rapidly on the social and economic
side."
Built-in Security
On the IT side, another trend is to build security features and functions
into hardware and software. Many companies rely on third parties for security
features, often on an OEM basis; others, such as DEC, Hewlett-Packard and
IBM, are building security capabilities into their products, which can be
used as needed. For additional security, third parties provide special features.
"In today's seven [days]-by-24 [hours] global organization, you go
into the information systems and turn on the security features that you
want," says Jim Schindler, information security programs manager for
HP in Cupertino, CA. "For a minimum, you want a set of tools for authentication,
access control authorization, integrity, and audit mechanism and audit reduction
tools that provide analysis of the data to detect system and information
attacks."
According to Schindler, no one tool is enough. This core set of tools can
analyze vast amounts of data automatically. The tools are necessary to control
the physical boundaries of the system and control access.
Currently, three methods of controlling access are the most effective and
popular: firewalls, security tokens and encryption.
Firewall Functions
Firewalls allow access from the outside only to specifically registered
individuals, who encounter challenge/response schemes that operate on layer
three, four or seven of the OSI communications protocol stack, with the
most security found at the highest level. Companies are using firewalls
not only to protect the network from the outside; often several firewalls
are used to partition off an internal network and protect departments within
the company (for example, separating accounting from engineering).
A recent trend is the creation of virtual private networks that encrypt
messages between firewalls. In this way secure data can be sent over the
Internet but be freely accessible once it reaches the internal network destination.
"One of the reasons we've seen such growth is that firewalls impose
no compatibility, functional or performance penalties," claims Steve
Lipner, vice president of Trusted Information Systems, a vendor of firewall
systems in Glenwood, MD. "A properly designed firewall gives transparency,
function, high performance and a high degree of security."
However, there are evident limits to firewalls. One is their lack of flexibility;
like any wall, they keep out everyone, even some people to whom you would
like to give access. Also, many sites install firewalls and ignore internal
security or forget that some machines are remotely accessible via another
route.
Playing the Secure Card
Originally, hackers gained access into computer systems by exploiting easily
crackable passwords. Although passwords remain prevalent in many networks,
they are becoming a thing of the past, especially because of concerns over
network eavesdropping and sniffer attacks. As firms use more contractors,
employees working out of their homes, and salespeople and managers on the
road, a secure method of reaching the internal network to access e-mail
and databases is essential.
There are several schemes for tokens or secure cards to access a network.
Patty Rosewater, IT risk manager at Hewlett-Packard in Palo Alto, CA, chose
a random-number generator card to guard remote access to the corporate network.
The card generates a sequence of seemingly random numbers that, at any given
moment, matches the number computed on the company's authentication computer. When they match, the user
then has 30 seconds to enter a password. Such a system typically runs about
$100 per user, including hardware for the modem and software, plus $10 to
$15 per month in support.
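The time-synchronized scheme just described, as an added example that is not the article's or any card vendor's code: it uses the HMAC-based construction of RFC 6238 (TOTP) rather than a proprietary card algorithm, with a 30-second window, tolerance for one window of clock drift, and rejection of a replayed code. The seed, user name and timestamps are constructed.

```python
"""Time-synchronized token codes (added example; it follows the HMAC-based TOTP
construction of RFC 6238, not the proprietary algorithm of any card vendor).
Card and server share a seed and a clock and independently derive the same code
for each 30-second window. Seed, user name and timestamps are constructed."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # one code per 30-second window, as in the scheme described above
DIGITS = 6

def token_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """The number the card displays (and the server recomputes) at unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenServer:
    """Master-server side: tolerates +/- one window of clock drift and rejects a code
    whose window has already been accepted (replay of a sniffed code)."""

    def __init__(self, seeds, drift_steps=1):
        self.seeds = seeds          # user -> seed; the sensitive store the text warns about
        self.drift = drift_steps
        self.last_step = {}         # user -> counter of the last accepted code

    def verify(self, user, code, now):
        seed = self.seeds.get(user)
        if seed is None:
            return False
        base = now // STEP_SECONDS
        for delta in range(-self.drift, self.drift + 1):
            step = base + delta
            expected = token_code(seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if step <= self.last_step.get(user, -1):
                    return False        # this window was already used
                self.last_step[user] = step
                return True
        return False

# Constructed demo seed.
SEED = b"constructed-demo-seed"

def demo(t=850_000_020):
    """Accept a fresh code, refuse its replay, refuse it once the window has passed."""
    server = TokenServer({"road_warrior": SEED})
    code = token_code(SEED, t)
    fresh = server.verify("road_warrior", code, t + 10)
    replay = server.verify("road_warrior", code, t + 12)
    stale = server.verify("road_warrior", code, t + 120)
    return fresh, replay, stale
```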
Rosewater sees systems evolving in the future to include "bio-verification"
by which voice, finger or retina prints will verify a user. Alternatively,
a user may carry a card that, when inserted into a PC, will not only allow
access to the network but set up the individual's entire desktop and file
system on the accessed machine.
However, token card systems are expensive and, in the SecurID model, the
master server can become a single point of failure. If the server is accessible,
all the information is compromised. The master server also becomes susceptible
to denial-of-service attacks.
"Although cards will be with us for a while, the future is encryption,"
says Rosewater. "We have road warriors who work from their car or home
and need to dial into our networks. We're increasingly sending confidential
information over public networks. With hackers getting more sophisticated
equipment, we'll have to go to encryption."
Encryption the Answer?
Public-key encryption essentially provides a secure "secret code"
consisting of two "keys": a public one that is available for everyone
to use (and generated by multiplying two large numbers) and a private one,
consisting of those two large numbers, known only to the user. Because factoring
the public key--recovering the two numbers that, multiplied together, give
the public key--is so hard at this size, breaking the code is quite difficult. For example,
mathematicians are currently working on factoring a 150-digit number, while
secure public keys typically have more than 230 digits.
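Textbook RSA on two small primes, as an added example (not the article's or any vendor's code) of the relationship just described: the public key is the product of the two numbers, the private exponent is computed from those two numbers, and an eavesdropper holding only the public key must factor it. The primes are constructed and deliberately tiny so the factoring step finishes instantly; there is no padding, so this is for illustration only.

```python
"""Textbook RSA on small primes (added example; not the article's or any vendor's code).
The public key is n = p*q with an exponent e; the private exponent d is computed from
p and q. Whoever holds only the public key must factor n to reach d, so strength is
measured in the digits of n. Primes are constructed and tiny so the factoring step
finishes instantly; there is no padding, so this is for illustration only."""
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Return ((n, e), d) for distinct primes p and q."""
    assert p != q
    n = p * q
    phi = (p - 1) * (q - 1)          # needs the factors; not computable from n alone
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), d

def encrypt(m, public):
    n, e = public
    assert 0 <= m < n
    return pow(m, e, n)

def decrypt(c, public, d):
    n, _ = public
    return pow(c, d, n)

def trial_factor(n):
    """Recover (p, q) by trial division. Work grows with sqrt(n), i.e. exponentially in
    the digit count, which is why the article measures key strength in digits."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None

def recover_private(public):
    """What an eavesdropper with only the public key must do: factor n, rebuild d."""
    n, e = public
    p, q = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    public, d = make_keypair(10007, 10009)   # constructed 5-digit primes
    c = encrypt(42_424_242, public)
    print("decrypts:", decrypt(c, public, d) == 42_424_242)
    print("recovered d from public key alone:", recover_private(public) == d)
```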
Because this technology is complex, encryption software companies typically
OEM their products. Operating an encryption program also must be transparent
to the user. "The adoption of encryption is increasing dramatically,"
says Jim Bidzos, president of RSA Security Systems in Redwood City, CA,
a leading vendor of this technology. "By the end of 1996, every new
product will feature built-in security, and by 1997 no products will be
sold that don't have built-in encryption." But encryption has problems
related to standards and U.S. government controls over exporting encryption
technology.
It remains certain that no security mechanism will eliminate all worries.
Security, almost by definition, requires human diligence. Peter G. Neumann
of SRI International, author of Computer-Related Risks (Addison-Wesley,
1995), addresses the limits of purely technological solutions. "Although
this year's simplistic answer to security is firewalls, there is no magic
bullet," he says. "Even the best technology can be made useless
by sloppy management practices. A third- or fourth-level exposure threat
can become number one very quickly. You can't count on tools to give you
the answers; you need good attitudes." Those responsible for security
have no choice but to stay abreast of current developments.
Don Monkerud writes about business and computer issues
from Aptos, CA. He can be reached at 70713.2215@compuserve.com.