How Secure Are You?

(08/23/00, 2:24 p.m. ET) By Susan Breidenbach, InformationWeek

While IT managers spent huge amounts of time and resources to thwart the threat of year 2000 problems, information security breaches in the Internet economy are an even bigger threat. And unlike the millennium rollover bug, security is not a one-time,easy-to-identify issue. It's a process that must be continually refined using audits, access-rights revisions, new tools, and changes to how data is stored. That may be why so many businesses put security on the back burner until a crisis flares up. It's time to go beyond awareness and take action. Protection from security breaches requires investment in technology, services, and personnel as well as adjustments in corporate culture.

"You have to constantly assess what's valuable in your company and determine who needs to use it and how it should be secured," says Tim Belcher, chief technology officer for RIPtech Inc., an application service provider that offers outsourced security services to hundreds of service providers, utilities, financial services, and health-care companies. "If you put a Web server or remote client on the Internet, it will get scanned by a hacker's probe at least once a day--even if you're a low-profile company."

Managers say security is high on their to-do list. According to InformationWeek Research's Global Information Security Survey conducted in June, nearly three-quarters of 4,900 respondents regard security as a top priority, up from 56 percent two years ago. Those in banking, health care, finance, and telecommunications rate information security as the highest business priority, with retailers a little less concerned. In every sector, security is increasingly being viewed as a key business driver.

"I see increased awareness and motivation among our own non-IT executives and board members," says Alan Wright, senior VP and CFO of Consumers Energy, a power utility subsidiary of $24 billion diversified multinational energy company CMS Energy Corp. in Dearborn, Mich. "When the 'Love Bug' brought Ford's worldwide e-mail system down this spring, that was a real eye-opener. Before, there was a lot of talk, and security was seen by business managers as a hassle and an internal power play by IT." Like many other IT professionals, Wright declined to discuss his specific tactics to combat cybercrime, but new efforts are under way at his company.

Still, the typical company still isn't putting its money where its mouth is. The study shows very little increase in corporate spending on information security despite continued expansion of e-business activities. Although security-technology vendors are enjoying increased sales, it's mostly because more companies are spending, not because individual companies are spending more, says Mark Lobel, senior manager of technology risk services for PricewaterhouseCoopers, which fielded the InformationWeek Research study. "Per-company spending remains consistent with earlier surveys," he says.

What's going on? The truth is that while the dangers of the Internet village have raised the profile of security risks, business managers are still making deliberate decisions to proceed with rapid deployment of e-business technologies, even without proper security in place. "If enhanced security would slow things up or make them too costly, management leaves it on the table," says Frank Prince, a senior analyst with Forrester Research.

As a result, the rush to e-business appears to be creating a growing security gap. Between this year and last, the number of respondents to the InformationWeek Research survey claiming close alignment between security policies and business goals declined from 41 percent to 38 percent, while the number reporting poor alignment rose from 12 percent to 17 percent.

"One of our manufacturing clients had its accounting systems locked down really well, but left its research and development plans--the crown jewels--quite vulnerable," Lobel says. "External auditors come in every year and beat companies up over financial systems, but no one does that for intellectual property."

Security spending has also failed to follow the migration of corporate information in recent years. "Some companies are still spending tremendous amounts to secure mainframes--a familiar territory--while critical data has moved to Unix and NT ystems," Lobel says. And these operating systems come with myriad vulnerabilities.

"The Internet is fundamentally Swiss cheese," says Alan Paller, research director for the Sans Institute, a 124,000-user organization in Bethesda, Md., that focuses on security issues and tries to get vendors to offer more Internet-safe products.

Some vendors ship operating systems with security screws intentionally loosened, and it's up to the installers to tighten them as needed. For example, the Common Gateway Interfaces in Web server software can supply hackers with root access to the server. Every copy of the Apache open-source Web server--nearly two-thirds of installed Web servers--comes with these vulnerabilities. "People tend to fix the holes in the services they use, but leave the rest alone," Paller says.

Plugging up every potential hole is a big job, and scripting tools that attempt to automate the process generally don't provide sufficient customization. Instead, highly skilled security professionals have to do the job by hand--a process that can take several weeks.

Enterprise security also needs to adapt to the new world of broadband remote access--a big source of vulnerability. Small branch offices and telecommuters are replacing intermittent dial-up connections with persistent digital subscriber line and cable-modem links that create new security holes. "These connections are always on, so there's a 100 percent chance that a hacker's ping sweep will find you," says the chief security officer of a major financial institution who requested anonymity. "And they have a permanent IP address, so the hacker can come back again and again and ride your virtual private network into the enterprise."

Security professionals say cybercrooks are targeting remote systems. Some intruders are simply using the hard drives as free offline storage for illicit files.

However, others are installing Trojan horse and "zombie" programs that turn the remote computers into enterprise back doors and even launch pads for denial-of-service attacks.

One PricewaterhouseCoopers' client was victimized when a telecommuter received a game via E-mail and installed it on his company-issued notebook PC. The game contained an embedded Trojan horse that effectively turned the notebook into an access router for the enterprise network. "The hacker could connect to the machine and capture keystrokes and cruise around the corporate network with all the same rights that the laptop's authorized user had," Lobel says. The hacker's activities were noticed when the employee brought the notebook into the office to use. The firewall set off an alarm when it noticed too much traffic going back and forth across the port to which the notebook was attached; at home, it went unnoticed.

Cable systems are even more vulnerable because they basically use the original Ethernet "party-line" architecture and put a neighborhood on a single subnet. Each packet is broadcast to everyone, and only the addressee is supposed to process it. However, neighborhood hackers can use Sniffer technologies to capture everything going across the subnet, and they also have easy access to the other systems on it.

Since broadband access is clearly here to stay, enterprises can reduce risks by installing personal firewalls on remote computers and encouraging employees to turn off the machines when they aren't being used.

While a lot of hackers are likely to be young thrill seekers, the Internet is also providing ready access to industrial spies from all over the world. According to the annual Computer Crime and Security Survey by the Computer Security Institute and the FBI, theft of proprietary business information accounts for more financial losses than any other type of computer crime.

And those neighborhood kids can be co-opted: In 1997, CMS Energy discovered that a $50,000 "bounty" or reward had been placed on notebooks belonging to any CMS executive involved in bidding on international projects. "These are multibillion-dollar bids, and they frequently involve the governments of underdeveloped countries--often former European colonies--in which corruption is a fact of life," says CFO Wright, whose notebook qualifies for the bounty. "Industrial espionage is very widespread in the energy industry, and a recent article reported that a French oil company had a slush fund in Switzerland for this sort of thing."

CMS was recently the target of a group of industrial spies who dressed up like a cleaning crew and went into the company's Singapore office looking for open, active computers. At the time, Singapore was the center of several multibillion-dollar deals, so the local stakes were particularly high.

This year's CSI/FBI report advises companies to make a top priority of providing "adequate staffing and training of information security practitioners." However, staffing up may be easier said than done because security experts are in extremely short supply. "The biggest problem in security is the lack of trained security people," Paller says. "Some 2.3 million machines are being attached to the Internet each month, and each of them is full of holes that need to be fixed."

One way to address the shortage of experienced security personnel is to outsource--an approach recommended by eBSure Inc., a developer of software that tracks the effectiveness and usability of Web sites. The startup has its headquarters in Dallas and a research and development center in Tel Aviv, Israel, with a lot of intellectual property and sensitive business information going between the two locations on a VPN.

Instead of investing in high-end hardware, software, and a staff that could provide round-the-clock support, eBSure turned the protection of its network perimeter over to RIPtech's security monitoring services. EBSure pays $8,000 a month for managed firewalls and intrusion-detection engines at both sites, and secured communications between the two.

"We benefit from what RIPtech learns about all the incidents across its broad customer base," says Kurt Ziegler, chairman and CEO of eBSure. "It would be hard for us to keep up with all these new threats by ourselves, because a lot of the incidents never get published."

The unwillingness of companies to go public with security breaches has frustrated law enforcement officials for years and results in more victims of the same sorts of incidents. In InformationWeek's study, more than half the respondents said they don't report incidents to any organization, and only 10% report them to authorities. Also, incidents that appear to be isolated events may take on considerable significance when aggregated because patterns emerge. As security attacks in general become more complicated and better disguised, the need for cooperation and discussion among potential targets is increasingly important.

Global Integrity Corp., a security consulting firm, has come up with a possible solution: the Information Sharing and Analysis Center (www.wwisac.com), an organization that lets companies share information about security problems anonymously. "It's sort of an outgrowth of the critical information infrastructure effort, in which people noted that nobody was sharing information about security incidents," says Gene Schultz, Global Integrity's research director.

Global Integrity serves as a trusted broker that collects the information, strips the identity of the source from it, and puts it in a database that member companies can access. Launched nine months ago, ISAC has 30 members from the banking, energy, manufacturing, pharmaceutical, and securities industries. Annual membership is $15,000.

Security incidents are reported to ISAC on a daily basis and range from an insider bringing down a critical system to massive attacks on E-commerce servers costing businesses tens of millions of dollars. The Information Security Forum estimates that the average cost of such security incidents is about $1.6 million. "The cost of incidents is higher than senior management is coming to grips with," Schultz says. "Senior management would be appalled if desktop and server machines were being stolen, but electronic theft is going on right and left. They just don't see it. There's an ostrich mentality here."

Management may be burying its head in the sand for several reasons. One is the trade-off between added security and ease of use. They fear a backlash from both executives and rank-and-file users when measures such as logon time-outs and long alphanumeric passwords are instituted.

People forget the passwords and make frequent calls to the help desk, or they write the passwords on Post-its attached to the sides of their terminals.

Gartner Group reports that password management is one of the mostlabor-intensive and risk-prone IT functions, and costs between $200 and $300 per user each year.

Despite the publicity surrounding denial-of-service and virus attacks, most serious security incidents are never reported because they're perpetrated by employees. Companies cover them up rather than risk the loss of customer trust.

"Numerically, more attacks come from the outside now, but they are mostly kids who come in out of curiosity and nibble around but don't really know how to attack you with a lot of skill," Schultz says. "However, one insider with the right skills can ruin your company."

The need to address employee breaches is often obscured by all the solutions for physical and network security. Firewalls and authentication systems do a good job protecting networks from remote attacks, and heavy doors with biometric locks and video cameras can keep strangers from breaking in at night, but employees are already on the inside.

"When we were evaluating co-location centers, people in the front lobby would brag about Kevlar-lined walls, and some even talked about withstanding nuclear attacks, but hardly anyone talked about personnel security," says Wade Myers, chairman and CEO of Interelate Inc., an ASP that provides customer-relationship management services and software. "Realistically, the risk of someone shooting bullets or nuclear missiles into the data center is very low."

At one facility, Myers and his team walked in the back door and into the data center unchallenged. The co-location facility was expanding rapidly, and a small army of employees, contractors, and business partners were scurrying about setting up new servers and switches. "There's a fast-growth mentality; everything is moving so fast that they haven't had time to put proper practices in place."

Encryption can provide an added level of security when hackers do masquerade as authorized users or administrators and gain entry. If secure-session options are used, Web browsers and servers do a good job encrypting the data they exchange. However, traffic often traverses LANs in the clear.

"Most companies are appalled at the amount of sensitive information we pull off their networks during our assessment," says RIPtech's Belcher. "Encryption would have more acceptance if some nontechnical managers could actually see what is going across their networks."

Companies are starting to enhance security by encrypting data stored on servers, but a lot of desktop data remains exposed. Desktop solutions provide encrypted folders into which sensitive files can be dropped, but they may rely too much on users to know what needs protection. Similarly, when users register for digital certificates, they indicate how the certificate is to be protected--such as smart card or password--and "no protection" may be an option.

"Someone could walk up to your desktop and get to your certificate without having to get through any security," says Scott Schnell, VP of marketing for RSA Security Inc. Authentication systems often aren't extended to the desktop, and people can simply bypass the logon procedure and gain access to the local system. Stolen notebooks are completely vulnerable if the contents aren't encrypted.

RSA is starting to see some customers implement an always-on policy for hardware-based authentication. Users must have a token to access any machine, internal or external.

One new security challenge is the complexity and granularity of protection needed by business-to-business computing environments. Originally, vendors helped customers build moats that kept outsiders out, but E-business is all about inviting some of them in. "The next stage is being able to have very detailed access and content control," Schnell says.

Through a partnership agreement, RSA's strong-authentication and digital-certificate technologies are being coupled with Netegrity Inc.'s multilevel access-control expertise to produce a security system that can accommodate many types of users and scopes of access rights.

The CSI/FBI report states that "the threat from computer crime and other information security breaches con-tinues unabated ... the financial toll is mounting."

Companies must secure the areas where the main risks reside--which are not always the current source of pain. For example, companies with employees in Europe must comply with the European Union's privacy directive, which goes into effect in 2001.

"A small security review up front might cost $100,000, while an emergency response to an incident after the fact would run $350,000 to $500,000," Lobel says. According to the InformationWeek Research survey, however, nearly half of the respondents are spending only $50,000 or less on security.

The best technologies and wisest policies will take security only so far without extensive user and management buy-in. "You have to create a win-win situation," says Andrea Hoy, chief information security director for Fluor Corp., an $11 billion engineering, construction, maintenance, and diversified services company in Aliso Viejo, Calif. "Users have to see the benefits to themselves: Strong security is keeping the wrong people from seeing their salary and personnel records or getting into the bank accounts where their checks are automatically deposited," says Hoy, a security professional for more than 15 years and the 1991 winner of the Security Education Manager's Award for her work applying continuous process improvements to the implementation of information security.

Absolute protection may be unattainable, but better levels of security--with equal parts vigilance and honest commitment--will go a long way to protect your company.

Back To The Study