Lan Security: Hack-Breaking Work
While your client is intent on keeping out the spectre of a Russian hacker, they may be ignoring the threat of an internal security breach. Guy Clapperton reports
Security in computing has become a hell of a buzz-word. Virus scares, stories of horrendous hackery, it all adds up to one thing: you need to make your IT infrastructure as secure as possible, and considerably more so than Buckingham Palace, if you are to have any financial future at all. End of story.
Or is it? Just how essential is it that we should lock up our data, ensure that no one ever gets hold of it and sneer nastily at anyone who doesn't do so?
Case in point, and one close to home for anyone publishing a magazine like the one you are holding, is the holding of temporary files. News and features are researched, entered into a system either by remote workers or people working at the office. These are shot around a network and placed on hard copy. Although some rivals may have a passing interest in knowing what's going into the next issue (although not as much interest as alarmists might choose to believe), once hard copy is available, the data held on computer is pretty worthless. Anyone hacking in would, on the whole, be wasting their time.
So in that instance, as long as the applications are robust, security appears not to be much of an issue. This is because VNU Business Publications, the company responsible for this and many equally august organs, is not a bank. On the other hand, anyone hacking into the accounts department's network would be able to do serious amounts of damage. Freelance payments could be frozen or preferably inflated massively, staff payments could be lost, purchase orders demolished – there is every reason to recommend a very secure network indeed for that particular environment.
Selling security for Lans, then, is a perfectly legitimate means of making money and adding value to a sale. The difficulty is that it is seen as a panacea, applied in every situation when it is not necessarily applicable as universally as all that. So a useful first move for a reseller wanting to win out selling data access control products is to ascertain whether the client actually wants it.
This is not always a matter of size, as Novell market development manager Derek Ventner points out. "If there's only one of you working in an office but you've got the cure for cancer on disk, it needs protecting," he says, eliciting a sigh of relief that he's not one of these people who dramatises. "The question you have to ask is whether your business would be damaged if you lost your data."
Most businesses would indeed suffer if they lost data and time building it back up, and never mind how many precautions you have advised a customer to take against virus infection or hackers coming in from the Net. Virus protection is vital, of course, but it is only one facet of security, and the internet may have been overstated as a source of trouble. "The thing that's being thoroughly hyped at the moment is all these hackers from Russia who are going to break into your system," says Robert Schifreen, editor of the Computer Security Encyclopaedia. "But most experts agree that up to 70 per cent of hacking problems come from inside an organisation."
That's a lot of untrustworthy employees, but the figure is probably about right. Alan Webber is marketing manager of global services for systems integrator International Telecom Systems (ITS), and although he believes firmly that there are serious issues to be addressed in terms of internal security, it isn't an area his company is asked to address terribly frequently. "It's not something our customers come to us with, although whether that's because they don't know about it or because they're buying from elsewhere I couldn't tell you."
Certainly there is a problem to be addressed if Schifreen is right, and the user community seems to be under-educated. Simon Poulton, technical marketing manager at Cisco, believes it is an area of neglect within the corporate market. As to whose job it is to educate the customers about the risks they may be running, he is ambivalent: "Obviously we don't sell direct, so we rely on our resellers to spot the customer's needs, but we do evangelise the products where they are suitable."
Of the three basic levels of hackery – internal, through the internet and dialling in direct to a network – Poulton reckons dialling in to be the most widely ignored in the wake of the surge of interest in the internet over the past few years.
The actual means of addressing the problem with software are manifold. Novell's answer is Novell Directory Services (NDS), an environment that accords users specific rights within a rules-based system, all administered by a GUI-based set-up. It is designed so that people cannot damage data maliciously or, as is sometimes more likely, accidentally.
"You don't want people to be able to get at something that could be harmful if they damaged it accidentally," says Ventner. Identifying users is done by a number of means – digital signatures, encryption keys (see box) and plain passwords, all of which should add up to a pretty robust environment.
The Novell experience, particularly when debated in conjunction with its links to the equally robust Windows NT, may be reassuring for the user – which is not something that should be used as a criticism – but it places the dealer in another difficulty. Other companies want to sell their security utilities, and this is likely to become more than a little tricky when it turns out that the core system boasts enough security features without any extra added widgets.
It is here that the reseller has a tricky task. Your mission, Jim, should you choose to accept it, is to turn around to a customer and say "here's an environment that has been independently tested and proven secure and, er, here's some security utilities you'll need to go with it, there's value for money".
Novell's Ventner certainly believes the natural thing to do is to have one centre for controlling the security on a network rather than building in multiple layers, even if only to reduce the probability of human error creeping in. So you can't help but ask: is the whole extra utilities market anything more than a bit of a scam?
"Scam" is not a word greatly liked by many vendors, so PC Dealer wisely chose to rephrase the question before asking it. Asked whether there should really be any need for extra bits on top of a secure network, some nice unbiased people whose company exists to supply such things say yes, there definitely is.
David Kennedy, European product manager for PC Anywhere at Symantec, has to sell into precisely this environment. The company is well aware that NDS, as well as Microsoft Windows NT Server and most of the other operating environments around the place, already boasts a great many facilities that effectively duplicate what third parties used to offer. The key is to keep moving and offer more.
"Novell already offers a high level of security," he concedes. You can specify who can access which drive from a remote location and what they can do with it when they log in, but there are other things you might want to do. If someone is dialling into the network you have to have the host PC up and running while it is waiting. Using PC Anywhere you can lock the host so that no one else can use it during this period.
"Or if your boss is dialling in while working from home, you could actually watch his screen to see what he's doing when it ought to be confidential. We can disable the monitor so people can't see what's happening." Internal hackery as well as external can be discouraged in this way.
As is so often the case, everybody sounds sincere and is offering the opportunity to add genuine value to a system installation – except Schifreen, because he isn't selling anything, which probably makes him a little more believable than anyone else. And yet the users seem not to know that they want this stuff, while some of the major system manufacturers – notably Novell and Microsoft – suggest their systems are robust enough, thanks. If the Watchdog team were here they'd no doubt accuse the industry of feeding off its own self-created demand again, but they'd be wrong.
Only a few years ago, very few people knew they wanted an internet connection. Two years ago, people were still writing off Web pages as a tacky piece of marketing that identified someone as a geek rather than a serious business – that doesn't get said so often any more. This is because they were new, but they were eventually sold successfully. In many ways, the reseller is faced with having to do things the other way around and market backwards on Lan security. The buzz is about internet and external threats, but the real trouble is the enemy within – whether through malice, curiosity or plain incompetence.
The task is to tell a user yes, of course they can have their firewalls and they'll be very useful, but they also need to attend to their existing installation and bring it up to par, which you told them it already was when they bought it.
But bring it up to par they must. After all, who is going to be interested in your customer's confidential personnel records, the staff or some hacker in Russia? As Schifreen puts it when comparing local systems to the internet: "Lans should be protected as much if not more so." The snag is, they never are.
The crumb of comfort is to be found in the US, where the profile of a system's vulnerability is starting to get taken seriously.
The Russian hackers may have been overplayed as a problem because, let's face it, they are glamorous, windswept and interesting for the moment, but they do exist and one of them broke into a New York bank only recently. Another example was when someone hacked their way into Nasa, which was allegedly one of the most secure environments on the planet.
The network suppliers and the third parties are eager to plug the gaps which let people in, and that is all to the good. You can only hope that the awareness will filter down to the internal level as well, in spite of all the internet hype.
Ultimately, the reseller's job in internal security is to sell on the idea that someone's employees are going to be either untrustworthy or incompetent with their IT. It's an essential job, but don't expect it to make you particularly popular.
That's not the way to do it
How to defeat any security measures: these are true stories
- If you run a small business with a non-dedicated server on a peer-to-peer network, stay logged in when you leave the room. Trust everyone not to look at your confidential records or explore what you have on the screen. Under no circumstances install a password-protected screen saver – it'll keep the intruders out but you'll lose all your street cred.
- If you are a small business and don't have a separate room for your server, don't worry about activating the encryption when you're switching it off and you're the last to leave. Burglars won't steal a server because they'll see it's important and they are kind-hearted people deep down.
- Spend all your resources protecting yourself against external hacking and forget the internal stuff. External people are genuinely interested in your personnel records and will spend all of their time trying to get at them, whereas your internal staff are impeccably trustworthy.
- If you have an old router as internal security, that'll probably do. There is no need to upgrade, however technically literate your staff may be.
- When thinking of a password, try using your husband/wife's name. Nobody has ever done this before and your colleagues will never guess that's what you've done.
The key to a secure network
One means of securing a network is to take advantage of the many flavours of encryption technology, most of which operate with a digital key. These can be public keys or private keys, and they will encrypt and unencrypt data at either end of an exchange. The problem is that the technology is being held back by the US legislature at the moment.
Currently, it is possible to achieve encryption with a 128K key, which would take some time for even the most experienced hacker to decipher. Unfortunately, nobody with this technology in the US is able to export it since the authorities have only recently started allowing 56K keys out of the country.
The reason is international security; anything the government can't break down easily is a potential threat – and in the wake of the Oklahoma bombing and the Olympics incident, it can only be right to take these matters seriously.
In Europe, the laws are more relaxed, although a European standard is likely to be forthcoming soon. This leaves European suppliers with a distinct advantage over their US competitors, but it also leaves the market artificially unbalanced. This one will run and run.