How Secure Is Your Data?
Analysts say security problems may soon be a thing of the past
In the wired world of Internet commerce, companies and consumers are worried about security breaches caused by unauthorized users. But analysts and industry professionals are increasingly asserting that the problem is close to being manageable.
By the end of 1996, the Internet will be safe for general commerce, according to a report by Forrester Research Inc., a market research and consulting firm in Cambridge, Mass.
Still, business and consumer fears are fed by the media coverage of high-profile attacks, such as those perpetrated by Kevin Mitnick, the notorious hacker who broke into companies such as Pacific Bell, Netcom and Digital Equipment Corp. His last arrest was in February 1995. "Users are fixated on Internet security as if legions of pimple-faced hackers wait at the ready to scour through their e-mail," and that's simply not the case, said the Forrester report.
No system is completely secure, but businesses must feel comfortable with the level of risk they are undertaking. Companies should expect to lose $1 of every $1,000 of Internet transactions to fraud, the report said. That may seem like a lot, but it's actually a small amount when compared to more accepted forms of communications. For example, Forrester estimates that for every $1,000 in American cellular telephone revenue, $19.83 will be lost because of fraud.
To establish a comfort level, businesses must evaluate their security status and look at the big picture, said Rita Yavinsky, director of strategic alliances for Digital Equipment Corp.'s Internet offerings. Digital is trying to capitalize on the success of its Alta Vista search engine and brand its Internet software products with the Alta Vista name.
Companies must evaluate physical locations, operating systems, applications and networking security, said Yavinsky. Firewalls, which are designed to block unauthorized network access to a company's servers, are often the keystone around which a secure environment is built, she said. They provide a moat that can repel attacks. However, the trick is to ensure that there is a drawbridge -- a way for employees to get through the firewall and do their jobs. For instance, a firewall can be so restrictive that off-site employees have difficulty reaching their company's network, and in-house employees may have trouble reaching the Internet.
Tunneling software allows a user to burrow through a firewall and establish an encrypted channel with the company's network. It can make the virtual office a reality, said Yavinsky. It works by letting users outside the facility dial into the network and, once the encrypted channel is up, act as though they were sitting on the internal network.
However, companies must be careful when setting up outside access mechanisms. The key is to ensure that they don't allow unauthorized access. Security is not intuitive, it's a complicated problem to solve, said Mike Zboray, research director with Gartner Group, a market research firm in Stamford, Conn. Unlike most computer systems, "seeing [security functions] operate does not mean [they] are working," said Zboray.
Two important elements in establishing secure systems are removing the "super user" login and creating mandatory access controls. System administrators can use a super user or "root" login to reach any area of a system. If an intruder obtained that login, he would have the same unrestricted access, and from there a foothold into the rest of the company's network. Software companies are increasingly removing this kind of all-powerful access.
BDM International Inc. recently debuted an Internet server, dubbed Cybershield, that eliminates the super user login. There may be only one system administrator, but to access different functions, that person must use different logins for critical areas, said Bill Dawson, BDM Federal vice president of Information Systems Security.
Another feature that Cybershield uses to control access is containment areas. Each area is essentially a walled-off section surrounded by filters within Cybershield. The areas limit damage to user files, system files or to the operating system. The filters also help eliminate problems such as viruses. Anyone coming into a company's internal network from the Internet must first pass through the containment area.
Cybershield also requires off-site users dialing into the server to use a one-time-password device that changes the user's password with each use, so a password captured in transit cannot be reused by an eavesdropper.
BDM plans to issue a challenge to see if people can break into the server. There could be financial incentives, but that has yet to be determined.
Part of what the company hopes to demonstrate is that its server, which has received one of the highest security certifications possible from the government, is a good option for private companies, such as cellular phone businesses or record companies.
Business executives across industry sectors proclaim that the true commercial power of the Internet will not be realized until companies can control their risk.