NET SECURITY - Access all areas

If the personal information of top journalists and even royalty can be infiltrated with ease, how secure are our networks and email accounts?

If, when you switched on your PC this morning, you typed '1234' or 'password' to gain access to your corporate network, extranet or email account, look away now. Your data is at risk. And you're probably not alone.

If you are ever invited to conduct an examination of network security for one of your corporate clients, the chances are that the results will spur them towards a radical rethink. Not only will the survey pinpoint areas that are potentially vulnerable to both external and internal attack, but it will also highlight weaknesses in their current set-up. Measures that the client thought would help to protect their corporate data could well be leaving them exposed and open to abuse.

One case, which was not publicised for obvious reasons, demonstrates just how easy it is for unauthorised users to wreak havoc. One day, a journalist at a national newspaper decided to find out who had been assigned - or been stupid enough to assign themselves - the password '1234'.

It turned out that the assignee was none other than the editor himself, whose private correspondence with management and staff - including the reporter himself - could have been made freely and publicly available.

While easy to remember, the no-brainer password invited intrusion.

UK company Gen Technology, a manufacturer and distributor of IT products, recently boasted on the Web that its security products were invulnerable to breaches by those seeking unauthorised access. According to press reports, a hacker responded by not only breaching the system, but also inflicting several damaging public case histories on one of the principals of the firm.

But even though awareness has grown over the past few years, the problem has existed for far longer. In the early 80s, two young computer enthusiasts, Steve Gold and Robert Schifreen, found themselves in court for hacking into the Prestel mailbox of the Duke of Edinburgh. The case, the first of its kind in the UK, became a cause celebre and drew national media coverage.

It is doubtful whether anything could have stopped determined hackers like Gold and Schifreen. But the case did highlight the lack of security in what, it must be admitted, was an early and crude email system, while the Gen case proves that nothing has really changed in nearly 20 years.

The case of the national newspaper editor is rather different: the cause could have been laziness, or the fact that he didn't know how to change the password.

But taking the easy route is not confined to busy newspaper editors. Robin Bloor, chief executive of IT analysts Bloor Research, discussed the issue of security with the Hong Kong Jockey Club while on a consulting assignment. The Hong Kong Jockey Club is a highly sophisticated, heavily computerised operation. The club issues its account holders with handheld computers which allow them to place a bet remotely.

'Two years ago, the Hong Kong Jockey Club had 70,000 machines in the field. By now it probably has a quarter of a million,' says Bloor. 'When I asked it about security, it admitted conducting a survey into its users' choice of passwords. The club found that 80 per cent of users chose either 'health', 'happy' or 'lucky' as their passwords because these are important in the Chinese culture.'

But on another level, he adds, the system is extremely sophisticated.

Every time a message is sent from the club to a member, an electronic token is sent with it as a unique identifier. If the reply does not contain the same token, the handheld machine is disabled from accessing the server.
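The token echo described above can be sketched as follows. This is an added example, not code from the article or from the club's system; the class and field names, the in-memory store and the single-use treatment of each token are assumptions.

```python
import hmac
import secrets


class TokenGate:
    """Server-side view of the token echo (hypothetical names, in-memory state)."""

    def __init__(self):
        self.pending = {}      # device_id -> token sent with the last outbound message
        self.disabled = set()  # devices locked out after a bad reply

    def send(self, device_id, body):
        """Attach a fresh, unpredictable token to an outbound message."""
        if device_id in self.disabled:
            raise PermissionError(f"{device_id} is disabled")
        token = secrets.token_hex(16)
        self.pending[device_id] = token
        return {"device": device_id, "body": body, "token": token}

    def receive(self, reply):
        """Accept a reply only if it echoes the outstanding token; otherwise disable."""
        device_id = reply.get("device")
        if device_id in self.disabled:
            return False
        # Assumption: a token is valid for one reply only, so it is removed on use.
        expected = self.pending.pop(device_id, None)
        supplied = reply.get("token") or ""
        # Constant-time comparison avoids leaking how much of a guess was right.
        if expected is None or not hmac.compare_digest(expected, supplied):
            self.disabled.add(device_id)
            return False
        return True


def demo():
    """Run three constructed exchanges and report what the server decided."""
    gate = TokenGate()
    # 1: the handheld echoes the token it was sent.
    msg = gate.send("handheld-01", "odds update")
    ok = gate.receive({"device": "handheld-01", "body": "bet", "token": msg["token"]})
    # 2: the same token is presented a second time.
    replay = gate.receive({"device": "handheld-01", "body": "bet", "token": msg["token"]})
    # 3: a reply carries a token the server never issued.
    gate.send("handheld-02", "odds update")
    wrong = gate.receive({"device": "handheld-02", "body": "bet", "token": "0" * 32})
    return ok, replay, wrong, sorted(gate.disabled)
```

The token binds a reply to one outbound message; it does nothing for the weak passwords described earlier, which remain the first thing the user has to get right.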

But the password is probably the least secure of all security devices given the frailty of human behaviour and the complex nature of large organisations. One assistant branch manager of a high street bank had, until recently, 12 different passwords for various aspects of branch computing, ranging from access to the automated telling machine to the word processing system. Each of these was changed monthly, so memorising them became an impossible task. Inevitably, they had to be written down, so that in the event of absence through sickness or holiday, the bank's business could continue.

The most common form of security protection is to install a firewall. This is a system which controls and prevents access to a network or part of a network from another network. Typically, a firewall would be installed between a corporate network or intranet and the internet.

Firewall software examines the format of a packet, including the address of the machine from which it is sent and the machine to which it is directed. If it finds, for example, that the sender is not entitled to access the machine to which it is sending, or the recipient is not entitled to receive the information contained within the packet, it will not transmit the packet.
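The address check described above, as an added example that is not taken from the article or from any firewall product it names. The rule set, the documentation address ranges and the interface names are constructed; the example also goes slightly beyond the text by checking which side a packet arrived on, because the sender's address is only a claim.

```python
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")  # constructed corporate range

# (action, source network, destination network); first match wins, default is drop.
RULES = [
    ("allow", "192.0.2.0/24", "0.0.0.0/0"),         # staff may reach the internet
    ("allow", "198.51.100.0/24", "192.0.2.10/32"),  # partner may reach one extranet host
]


def decide(src, dst, arrived_on):
    """Return 'forward' or 'drop' for one packet header."""
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return "drop"  # malformed header: never forward
    # A packet arriving from outside that claims an inside source address is
    # dropped before the rules run, and the same applies in reverse.
    if arrived_on == "outside" and src_ip in INSIDE:
        return "drop"
    if arrived_on == "inside" and src_ip not in INSIDE:
        return "drop"
    for action, src_net, dst_net in RULES:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)):
            return "forward" if action == "allow" else "drop"
    return "drop"  # nothing matched: the sender is not entitled to this machine


# Constructed packet headers: (source, destination, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.44", "203.0.113.80", "inside"),     # staff browsing out
    ("198.51.100.7", "192.0.2.10", "outside"),    # partner to the extranet host
    ("198.51.100.7", "192.0.2.200", "outside"),   # partner to another inside machine
    ("203.0.113.9", "192.0.2.10", "outside"),     # unknown sender
    ("192.0.2.44", "192.0.2.200", "outside"),     # inside address seen on the outside
    ("not-an-address", "192.0.2.10", "outside"),  # malformed header
]


def run_samples():
    """Apply the filter to every constructed packet, in order."""
    return [decide(*packet) for packet in SAMPLE_PACKETS]
```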

The more sophisticated firewalls will lead the sender through a series of tunnels, all of them culminating in a dead end, while a profile of the intruder is built up so that further action can be taken.

According to Alan Laird, sales development manager at Bull, which markets the Secureware Netwall firewall through its dealers, there are a number of dangers to users who ignore the security risks. The first and most obvious is that the system will pick up a virus, either accidentally or deliberately. The second is the threat from disgruntled employees who wish to do their employer some damage and use the internet as a weapon.

But Laird believes that there is a third threat that can be infinitely more harmful to the prosperity of a company. 'More important than a virus or disgruntled employee is someone eavesdropping on internal communications - perhaps finding out what a company has bid for a contract and then putting in a lower offer,' he said.

The growth of intranets which encompass not only the employees of a company but in many cases its customers and suppliers as well, heightens the risk companies take. 'Most people think the threat comes from outside the organisation in the form of viruses, but they sometimes forget that there are threats from disgruntled employees who have access to information via the internet that they should not have,' says David Ellis, security product group manager at distributor Unipalm.

According to Ellis, more resellers are beginning to take the issue of security seriously. Both he and Laird recommend that customers employ consultants rather than buy an off-the-shelf product.

'You have to look at the organisation as a whole and understand the way it works. We have a number of resellers that specialise in security, but what we are tending to find is that non-security-specialist resellers are now also offering a security service. The larger ones are also offering a consultancy service,' he says.

Bull approaches things from a slightly different angle while taking broadly the same approach. 'There is definitely a need for consultancy,' Laird says. 'What we find is that the medium-sized to large companies have had a very good record of security in the past, but do not yet fully understand what potential security risks the internet poses.

'We recommend that customers come to a company like Bull or one of the large consulting firms and then purchase the products we recommend from a dealer. Inevitably, there is a certain degree of systems integration work involved, which many dealers are not equipped to handle - but we are. On the other hand, even the most expensive firewall only costs about £20,000, which is not really in Bull's market,' he adds.

According to Laird, there are hidden dangers besides fraud and viruses that cause companies to lose money if they do not have a secure system. 'It is not always the most common threat that is the problem. The way that people lose money is in sheer disruption of business, having to take users off the air while fixing the problem. This has been estimated at 10 times the cost of a firewall, so for the sake of spending £20,000 on the most expensive firewall, the installation could lose £200,000,' he says.

The massive growth in intranets and, more recently, virtual private networks (VPNs) has greatly increased the need for security products, according to suppliers. While viruses and external hackers may be a cause for concern, internal security should not be ignored.

Ian Kilpatrick, group managing director of Wick Hill - which sells a variety of security products - says: 'Viruses are the greatest perceived threat and the one that everybody talks about, but the biggest threat is internal. FBI figures released in the US show that 70 per cent of fraud and malpractice is internal. People tend to forget this. They put in a firewall and think that they are safe. I am not knocking the importance of firewalls - we sell them - but they do not solve every problem.'

Kilpatrick confesses that internet security companies have a massive educational task ahead of them in convincing customers to purchase products. 'Talk to people about firewalls and their eyes glaze over,' he says.

In some cases the security aspects of products are sold almost by stealth, according to Kilpatrick. 'You can sell a fire box as something that can manage bandwidth and then tell the customer that it is a security product as well,' he says.

Kilpatrick identifies a number of areas that are vulnerable to the threat of unauthorised access, particularly from inside a company. Apart from the obvious threat to the financial sector and the human resources department, he believes research and development departments are particularly vulnerable.

'What we are starting to see is more companies using security devices inside their organisations.'

There are other, less obvious threats to large organisations, according to Kevin Black, UK sales director of Internet Security Systems. One of the most familiar attacks on a user's site involves what he defines as 'denial of service'. This has more to do with malice than fraud or industrial espionage. Denial of service is when an intruder attempts to shut down an organisation's online service by attacking the firewall or communications devices such as routers. Black cites the case of the New York Times whose network was regularly shut down by political activists who disagreed with the newspaper's politics.

He agrees with Kilpatrick that security products are difficult to sell. 'Security is like an insurance policy: you might recognise that you need one but you don't want to pay the premium.'

Kilpatrick adds: 'One of the examples I use when doing presentations is to ask how many people have burglar alarms. Almost no hands go up, but when I point out that an alarm costs about £200, everybody can see the sense of having one. But the next time I go back, the majority of people still have not installed one.'

The fact is that very few companies recognise that they need security products until they have been directly attacked - effectively shutting the stable door after the horse has bolted. One of the big problems is that very few companies are willing to admit that their networks can be, or have been, breached for fear of losing customer confidence.

'I am sure that every leading bank has lost money but none will admit it,' says Bloor. Black recalls that Citibank did own up to being defrauded a few years ago. 'Citibank was attacked by East European hackers, but the only reason they were caught is that they were greedy and returned the next night to repeat the process. By that time the bank was ready and managed to trace the culprits,' he says. In fact, if the villains had not been caught, in all probability the bank would not have been so open about admitting its vulnerability.

Kilpatrick recounts the tale of an irate customer who called Wick Hill to complain that the software he had been sold did not work. 'I happened to be in our technical department when the technician answered the phone. The customer insisted that the software did not work and when the technician asked him what was wrong, he discovered that the customer was actually under attack at that very moment and that the software was in fact identifying the problem. We managed to trace the culprit, who turned out to be someone working for our customer's ISP,' he says.

As in medicine, prevention is better than cure in terms of internet security, according to Black. 'People request a penetration test (an attempt by an authorised third party to try to crack the network) about once a year. But what they do not realise is that each time they change the configuration of their system or add a new piece of software, they are likely to leave holes in the system which can then be penetrated,' he says.

There is no doubt that internet security is of growing concern to many organisations, particularly as VPNs begin to take off. A small number of resellers are already specialising in security and some companies are actively recruiting these dealers. The cost of a firewall may be small - typically between £3,000 at the low end and £20,000 at the high end - but installing the system and integrating a security device with the rest of the network calls for specialist skills.

There is no reason why large dealers should not provide the sort of consultancy services currently supplied by the large consultancies and leading manufacturers, such as IBM, Bull and Unisys. Even if resellers cannot afford the staff and overheads to set up a consultancy and systems integration division, there is no reason why they cannot profit from the labours of others.

As Bull's Laird points out, a £20,000 sale is not really the sort of business that his company or others in the industry are seeking.

The big suppliers would much rather the dealers handled the nuts and bolts of the business while they lap up the cream of consultancy and systems integration.

As anyone watching Station X, the BBC TV programme about the wartime efforts to crack the German encryption device, Enigma, will know, there is no such thing as an unbreakable code. But security devices for safeguarding the corporate internet are not so expensive as to make them prohibitive.

VIRTUAL PRIVATE NETWORKS (VPNs): A GROWING THREAT

Corporate users have always had large networks connecting remote sites many miles apart via a leased telephone line. These networks were originally designed to pull together different branches of an organisation and allow them to communicate with head office; large companies then gradually began to extend them to their suppliers and customers.

It was this extension to third parties that allowed manufacturing procedures such as JIT (Just In Time) to come into being. Instead of asking a supplier to manufacture a large batch of components to be put into store on the customer site, the manufacturer would simply call up the component from the supplier as and when it was needed. The corporate networks allowed purchase orders to be transmitted to suppliers within a matter of seconds.

These original networks had both advantages and disadvantages. One main advantage is that they were reliable and secure. Based mainly on mainframe technology, data integrity and data security were significant considerations.

Security products such as IBM's RACF (resource access control facility) were designed to ensure that only those users authorised to do so could access certain parts of the system. Attempts by unauthorised users to access parts of the system were logged and the location of the terminal or PC identified. The main disadvantage of these leased-line networks is that they are expensive.

As a report published last year by US consultants the Aberdeen Group on IBM's eNetwork VPN points out: 'While reliable and secure, these leased lines have been expensive to build and maintain. Businesses have eyed the internet and other public networks as an alternative vehicle for wide-area communications, but have been concerned about the inadequacy of security.'

But the consultants believe that the advent of internet protocol-based VPNs has provided businesses with the opportunity to replace their leased-line based systems with public network systems. 'VPNs have matured to a point where they can supply the needed security to conduct business processes over public networks,' the report states. The Aberdeen Group also estimates that the move to VPNs could lead to savings of between 20 and 80 per cent.

'If you are running a leased-line network 80 kilometres apart, it is cheaper to buy a firewall and run a VPN,' says Ian Kilpatrick, group managing director of Wick Hill.

According to the Aberdeen Group, VPNs are typically used in three ways: connecting remote or mobile users to corporate databases or other data via an ISP at the cost of a local call; connecting branch offices to headquarters, especially at times when there would normally be high traffic on a leased-line network, thus avoiding delays; and allowing extranet users, such as customers, partners and suppliers, access to internal resources.

But the Aberdeen Group hints that VPNs should be approached with caution. 'This approach works when all can agree upon a common VPN,' its report says.

The Aberdeen Group estimates that the VPN market will grow from $50 million in 1998 to more than $1 billion in 2001, 'making it one of the fastest growing segments of the networking industry'.