Plugging the E-Security Sieve

By James ShultzIn recent field investigations to assess security procedures at airports and government installations, federal agents using counterfeit identification fairly sailed into supposedly secure areas. With effort and persistence, attackers can just as easily jeopardize computer networks.Jim Finn, a former computer hacker and, for the past 15 years, a principal with Unisys' Worldwide Enterprise Security Practice, knows how easy it is to compromise allegedly secure departments. Finn has led penetration exercises for government and business clients in Asia, Australia, Europe, Latin America and the United States to test the resilience of computer systems and the physical safeguards designed to protect them. In his last six field tests, Finn breached without challenge supposedly secure facilities where mainframes and servers are housed. "I've walked into computer centers directly off the street," he said. "I've gone into places I should never have gotten into."In all, Finn and Unisys teams of "ethical hackers" have participated in 200 "engagements:" penetration exercises requested by Unisys customers to test the effectiveness of security measures. In each try, Finn or a member of his team has slipped past defensive obstacles, electronic or otherwise. Although many organizations believe their e-security is strong enough to thwart most would-be intruders, most have not conducted a comprehensive evaluation of weak points, Finn said. In particular, vulnerabilities literally can start at the front door, with human beings not following simple, straightforward agency or company procedures."What about the rent-a-guard at the door?" he said. "Technology alone won't solve the problem. There's no magic formula."Finn points out that computer security, when carried out properly, will be uninteresting and mundane. Even so, e-security's chief requirement is constant attention to detail."Problems are caused by individuals not doing their job properly, day in and day out: not verifying IDs, installing firewalls incorrectly, failing to look at the hacker pages, not identifying weak nodes," he said. "You can't depend on SBI: security by ignorance. Otherwise, you can end up being a case study on a hacker Web page."XXXSPLITXXX-The crucial first step for an organization, Finn said, is to delineate its security goals: How secure do systems have to be, and which parts require the highest level of protection? Certain elements, such as networked communications nodes, are by design more assailable than others, and therefore should be regarded as logical points of hacker entry. Others may be resistant to outside interference but can be impaired easily by insiders with access and simmering resentments.Protecting computer systems in the public and private sectors is as much about behavior modification ? on the part of supervisors and supervised alike ? as it is upgrading to the latest and best program or hardware configuration, Finn said. Common sense precautions include: ? Reviewing how user IDs are established and then deactivated once employees leave, transfer or retire;? Making sure passwords contain at least eight characters and are sophisticated, not easily recognized terms or names;? Checking procedures to validate a phone call from an employee who has forgotten or misplaced a password;? Tracking the number of firewall pass-throughs and for whom they are authorized."What's changed is that it used to take a person with system administrator knowledge [to break in]," Finn said. "Now the threat and risk are greater. Just look at the hacker sites. Literally, there are software vulnerabilities found and posted on the Internet every hour."Once a security plan is designed, it can be executed and verified through repeated testing. Simulated attacks can gauge the strength of boosted defenses.Perhaps the most effective means of ensuring security is to build a secure network from the very beginning, according to Joseph Patanella, founder, president and chief executive officer of computer security services firm TrustWave Corp. in Annapolis, Md. "It's much easier to build in security rather than retrofit it," he said. "Nowadays, [access speeds are] not an issue, even if you're implementing high security. There are now high availability firewalls that get around those issues."For networks already in place, however, retrofitting may be the only answer. For these clients, TrustWave offers firewall protections, intrusion detection systems, customized authentication protocols, penetration testing and managed security services. After focusing on year 2000 concerns rather than the boom in e-commerce and Internet-related activity, businesses and agencies are only now turning their energies to computer security matters, Patanella said."Organizations put a lot of manpower and money into Y2K to the neglect of security," he said. "This year, they're really starting to pay attention."Aside from complete isolation, both physically and from the Internet, no security plan is completely perfect.At minimum, experts contend that security procedures must be moderately effective to deter all but the most determined intruders. Most attackers assume low-level preparation and response and will tire and move on to easier targets when repeatedly thwarted. Nevertheless, the sheer volume of onslaughts can be daunting for even the most fortified systems.XXXSPLITXXX-In 1999, there were an estimated 250,000 attacks against Defense Department computers, said Michael Harden, president and chief executive officer of CyberGuardian Inc. of Fairfax, Va. Of those, 65 were considered successful, having disrupted operations to various degrees. Yet even that quarter-million figure is a rough appraisal. Analysts believe that fewer than one in 150 attacks on Defense Department systems are even detected and reported. Harden believes that until recently, the federal government was ill-prepared to anticipate, much less defend, its millions of desktop computers and tens of thousands of networks."The government is behind the curve on this one," Harden said. "The bad guys, the hackers, are out there working all the time. The FBI Web site gets hit, the White House Web site gets hit. Because it's so spread out, DoD becomes an easy target and gets hit thousands of times a week."The recent spate of highly publicized denial-of-service and virus attacks against government and corporate systems has led not only to heightened awareness, but to demand for the services of those with security savvy. TrustWave, for example, saw a tenfold increase in revenue for its 1999 fiscal year. Another 1,000 percent increase is expected in fiscal year 2000. Those same market forces gave rise to Harden's CyberGuardian, formed in 1999 as a wholly owned subsidiary of Century Technology Services Inc. of Fairfax, an IT company whose clients include federal and state government agencies, Fortune 1000 companies, banks, hospitals and international businesses. CyberGuardian monitors the estimated 30,000-plus hacker sites on the Internet and can conduct 700 different information vulnerability audits, including 129 denial-of-service assessments, password cracking attempts, resistance of modems to compromise and firewall-penetration tests. The company offers remedies for improper firewall installation and monitors the creation of and additions to hacker dictionaries, which contain extensive lists of popular people names, historical dates, pet names and names of cities. Intruders can use these words to scan for and then hijack common passwords."The stuff hackers can do is so far beyond what most of us can imagine, it boggles the mind," Harden said. "But most are opportunists. If you can figure out what your holes are and plug them, 99 percent of the battle is over. If you make it as difficult as possible, they'll lose interest and move on."Covert computer combat is the aim of Recourse Technologies in Palo Alto, Calif. The firm, founded in February 1999, intends to contain, control and track malicious computer attacks, offering software to gather information about attacks, their nature and the attackers' identities. One product, ManTrap, lulls attackers into an ersatz environment ? what it calls a demilitarized zone ? where ManTrap maintains an audit trail of all activities, including a keystrokes record, storage of log files and examination of applications for evidence of destructive intent, all without a hacker's knowledge.ManTrap can be configured to send alert messages based on the severity of attacks, notifying system administrators and tracking the source of the attack across a distributed network. Once an attack is identified, a related product, ManHunt, automatically determines the source of the attack and shares the information with other involved networks, such as an upstream network service provider. ManHunt also has a recording feature that, in concert with ManTrap, provides data needed for apprehension and possible prosecution. "It's a way to figure out whether you're dealing with a 15-year-old [amateur] hacking around, or with someone who's intent on doing serious harm," said Fred Kost, vice president of Recourse Technologies product marketing and management. "Covert systems are a way to level the playing field. You can gather information on a potential intruder without detection."XXXSPLITXXX-Thwarting intruders before they even attempt penetration is the aim of Ernst & Young subsidiary eSecurityOnline in Kansas City, Mo. It began in mid-June to offer to the public and private sectors a suite of Internet-based security services. Based on the ability of its technical staff to stay current with security threats by scouring the Internet and other sources, the company touts its ability to bring to desktop computers continually updated information on security threats, software weaknesses and software fixes. Subscribers log on and indicate the applications they are running to obtain access to some 2,250 known vulnerabilities for 300 software applications, including operating systems and databases. Device-specific weaknesses, such as those that can be exploited on routers and switches, can also be pinpointed. Once eSecurityOnline.com identifies exploitable soft spots, it ranks each by level of urgency and notifies information technology managers or system administrators.Another of the company's online offerings, a baseline-standards service, goes a step further by offering eSecurityOnline customers "asset hardening," or secure resets of common software programs, including changes to registry settings, router configurations and passwords and user identifications. Subscribers also receive free virus updates and patches to combat viruses.For a yearly fee per user, per computer, eSecurityOnline.com will continue to uncover potential threats and solutions to deter attack."There are a lot of very sharp security professionals, in both government and corporate America, that are forever managing risk," said Tony Spinelli, vice president of online services for eSecurityOnline. "What we're offering is a proactive and perpetual feed to the subscriber. You can receive alerts on a daily basis. It is solutions before problems."Those problems seem destined to multiply. A physically isolated computer that is nonetheless electronically connected to the Internet is just as vulnerable to intrusion as any highly staffed government agency or corporate office. According to CyberGuardian's Harden, by 1999 there were roughly 1 billion unique, accessible pages on the World Wide Web. Internet traffic is anticipated to double every 100 days, and a new network is added every 30 seconds. Business-to-business e-commerce is projected to hit at least $1.5 trillion by 2004, with thousands of financial institutions online and hundreds enabled for cash and credit-card transactions.Attacks that disrupt operations are only a beginning. In the future, malicious hackers likely will aim for a much bigger score than just the bragging rights to a well-executed assault. Some analysts have concluded it is only a matter of time before a single incident either nets an attacker or costs a provider at least $1 billion."You can have secure applications," said Unisys' Finn. "But it takes thought. It doesn't happen automatically. Hackers only have to get lucky once. You have to be lucky 24 hours a day."XXXSPLITXXX-Michael Harden, president and chief executive officer of CyberGuardian Inc. of Fairfax, Va., and author of "Information Security: A Guide To Protecting Your Information and Computer Systems from Hackers," has compiled statistics from a variety of organizations on the nature and extent of computer attacks:• As many as 100,000 hackers operate worldwide.• At least 30,000 hacker-oriented Web sites are accessible to Internet users. Hacker tools and techniques can be downloaded easily by anyone with a computer and a modem. • One hacker site reports that a particular attack application has been downloaded by more than 120,000 individuals. A 1999 survey conducted by the Computer Security Institute and the FBI on corporate computer security determined: • System penetration by outsiders and unauthorized access by insiders increased for three years running.• Sixty-two percent of respondents reported security breaches in the last twelve months.• Fifty-seven percent of respondents reported their Internet connection as a frequent point of attack.• Forty-three percent reported from one to five incidents originating externally.• Denial-of-service attacks were reported by 32 percent of respondents.• Twenty-six percent reported theft of proprietary information. • Sabotage of networks and/or data was reported by 19 percent. • While 98 percent of respondents reported using anti-virus software, 90 percent reported some form of virus contamination.• Although 91 percent used firewalls, penetrations still occurred.• Fifty-one percent of respondents acknowledged financial losses, but only 31 percent could quantify them.• One hundred sixty three respondents reported a total loss of $123,779,000 due to computer crime.• Losses due to theft of proprietary information amounted to $42,496,000.• Losses due to financial fraud accounted for $39,706,000.• Among the 12 respondents who could quantify financial damage from Internet site attacks, the average loss was $198,583.