
Securing Your Business

More and more companies are turning readily to the Internet as an established, easily available, yet cost-effective resource that will hopefully allow them to gain a competitive edge. The benefits of adopting Internet technology range from lower communications costs (transporting data across the Internet can cost much less than using a private network) to greatly improved communication -  but there are many different risks involved.

Security Issues

It doesn’t seem too long ago that people were asking whether or not the virus threat was real, or if it was a scare tactic dreamed up by vendors of anti-virus software. As reports of “in the wild” viruses began to hit the press, the threat was finally accepted as having a basis in fact, but still it was thought that as long as we were careful, “it could never happen to us”.

But, of course, it can - and it does. World-wide publicity for the email-borne “Love Bug” has certainly raised awareness of virus threats to a new level. But there is still a fairly high level of scepticism in the face of the Internet hacking threat. Is there really a problem? Once again, all it takes are a few well publicised attacks on major organisations to bring home just how vulnerable we are when we take up residence in the Global Village.

Just recently, for instance, we have seen examples of how easy it can be to access sensitive data from outside a corporate network as first Barclays Bank and then Powergen failed to secure details of customer accounts and transactions. The resulting bad publicity and loss of confidence in both the companies themselves and the concept of e-commerce in general has not done the industry any favours.

One in five respondents to a recent survey admitted that intruders had broken into, or had tried to break into, their corporate networks via the Internet during the preceding twelve months. This is even more worrying than it sounds, since most experts agree that the majority of break-ins go undetected. For example, attacks by the Defence Information Systems Agency (DISA) on 9,000 US Department of Defence computer systems had an 88 per cent success rate but were detected by less than one in twenty of the target organisations. Of those organisations, only five per cent actually reacted to the attack (Source: NCSA).

The threat, therefore, is demonstrably real, and the network administrator is in the unenviable position of securing the corporate networks against similar events.

The use of Internet technology in private networks has led to a “blurring” of the boundaries between the public and private portions of those networks. When purely internal networks take on the “look and feel” of the Internet, and when the public Internet is used to create a “Virtual Private Network” on an ad hoc basis, the goal is to make both public and private portions of the network appear as a seamless whole as far as the end-user is concerned.

Such mixed access is not without its problems, however, since the security systems chosen must be flexible enough to meet the needs of both types of network connection whilst remaining completely transparent to the user.

But effective network security is not just about buying the electronic equivalent of the five-lever lock and deadbolt. At last year’s Spotlight on e-Commerce and Internet Security held in Carcassonne, in the south of France by NetEvents (www.netevents.org) and The NSS Group, Malcolm Skinner, product marketing manager at Axent Technologies felt that there was more to it than installing a piece of software. “Security is about policy not technology. You've got to plan the infrastructure right. People who trust solely in firewalls have a false sense of security.”

Security Policy

So, whilst many organisations are still trying to get to grips with producing a formal IT strategy document, we must now ask them to look at producing a written Security Policy too.

Too many organisations go shopping for a firewall, install it with all the default settings, and then sit back in the belief (usually mistaken) that they are fully protected. A firewall is purely a means to an end - a means of implementing a corporate Security Policy. The firewall is not the policy itself - different companies have different demands, for instance, and some may be able to accept more risks than others. Implementing a firewall involves making a number of often difficult choices - which service to allow or disallow, for instance - and these choices are driven by your own Policy.

This document should cover such things as network service access, physical access, limits of acceptable behaviour, specific responses to security violations (i.e. disciplinary offence, instant dismissal, etc.), and who is responsible for the maintenance and enforcement of the policy.

There are two levels of network policy that directly influence the design, installation and use of a firewall system:

  • Network Service Access Policy

    A high-level, issue-specific policy which defines those services that will be allowed or explicitly denied from the restricted network, plus the way in which these services will be used, and the conditions for exceptions to this policy.

  • Firewall Design Policy

    A lower-level policy which describes how the firewall will actually go about restricting the access and filtering the services as defined in the network service access policy.

The network service access policy should simply be an extension of a strong site security policy, and of an overall policy regarding the protection of information resources within the company. This will cover everything from document shredders, through virus scanners, to floppy disk tagging.

The Security Policy must be part of an overall organisational security scheme by which everyone abides from the Chairman down to the janitor. The focus for such a policy must come from the top - it must have the unwavering support of the Chairman and the Board of Directors and those people must be seen to be practising what they preach.

For instance, it is not acceptable for the Managing Director to turn off virus scanning because he finds it inconvenient. This is often the real test of an organisation’s commitment to its security policy - when it involves money. If there are a number of slow workstations still in use which take an inordinately long time to perform the virus scan, will management sanction capital expenditure to upgrade that hardware or will it tolerate a lapse in security by allowing users to disable the scanning operation?

The short-sighted view is to suspend certain aspects of the Security Policy - perhaps initially only on a “temporary” basis until the upgrades can be effected. This, however, can backfire seriously since a security breach could result in data loss which could cost far more to recover from than the proposed hardware upgrades.

Security Software

Of course, the first place most administrators start when attempting to secure their network is with a firewall. There are plenty of excellent products on the market these days, and the technology has reached such a level of maturity that the firewall can almost be considered a commodity item. Almost, but not quite, since the ease with which these products can be configured via their smart graphical user interfaces (GUI) belies the complexity behind them, and a poorly configured firewall can be worse than no firewall at all. That is why it is important to define the security policy first, since this should determine just how the firewall should be configured.

Backing up the firewall, you need the electronic equivalent of a burglar alarm – the Intrusion Detection System (IDS). “Behind the firewall you need IDS so you can monitor both external and internal users”, said Axent’s Skinner at last year’s NetEvents Spotlight. “If you haven't got a policy in place, one bit of technology isn't going to help you.”

Dominic Storey, of security and authentication specialists RSA Security, agreed. “Passwords just aren't safe”, he claimed, “and the only way to be sure of security is to positively identify and monitor any traffic on your network.”

This is an important point that actually covers two issues. The first is that many so-called “hacks” are perpetrated by insiders – disgruntled employees or contractors who have detailed knowledge of a company’s security methods. The second is that the weakest link in many security systems is still the user or administrator passwords – blank, installation defaults, password the same as the user name, we’ve seen them all.

According to Storey, "you have to look at security on the application level as well as the server level. You simply can't afford to trust everyone who has got past the firewall." Of course, RSA provides extremely secure one-time password solutions in the form of SecurID tokens, but even if you consider this to be a little too advanced for your company’s needs, a good password policy is essential – after all, there is no point in having the most wonderful firewall and IDS money can buy if they can all be bypassed by simply logging on as username=admin, password=admin.
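As an added example (not code from the article or from RSA), the following audit flags the three weak-password patterns named above: blank passwords, installation defaults, and passwords identical to the user name. The account records and the list of default credentials are constructed here, and the minimum length is an assumed policy value.

```python
# Added example: audit account credentials against the weak patterns the
# article lists. Account records and the default-credential list are
# constructed samples; the minimum length is an assumed policy setting.

DEFAULT_CREDENTIALS = {  # constructed sample of vendor defaults, not exhaustive
    ("admin", "admin"),
    ("root", "password"),
    ("guest", "guest"),
}

MIN_LENGTH = 8  # assumed policy minimum


def audit_account(username: str, password: str) -> list[str]:
    """Return the policy violations for one account (empty list == passes)."""
    findings = []
    if password == "":
        findings.append("blank password")
    if password.lower() == username.lower():
        findings.append("password equals user name")
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("installation default credential")
    if 0 < len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit_accounts(accounts) -> dict[str, list[str]]:
    """Audit (username, password) pairs; return findings for failing accounts only."""
    report = {}
    for username, password in accounts:
        findings = audit_account(username, password)
        if findings:
            report[username] = findings
    return report


SAMPLE_ACCOUNTS = [  # constructed sample input
    ("admin", "admin"),
    ("jsmith", ""),
    ("backup", "backup"),
    ("root", "password"),
    ("alice", "correct-horse-battery"),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```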

Summary

The implementation of a corporate Security Policy should cover all aspects of corporate security from physical access to the site, through storage and disposal of confidential documents, and obviously including network and Internet access.

A good security technology should be powerful enough to support the features administrators need, including rules validation to inform the administrator of potential security back doors, automatic incident reporting to inform administrators when a security breach has occurred, and secure management of the firewall itself so hackers cannot reconfigure the firewall and create security problems. Such security technology should also be inexpensive, easy to implement, and transparent to end users.

Whatever the risks, business practices must continue to evolve. In order to move forward, we must accept some of those risks, whilst doing our utmost to minimise them as far as is humanly - and technologically - possible. 


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.