Why the Paranoid Survive

Members of the hacker group Milw0rm broke into the local area
network (LAN) of the Bhabha Atomic Research Center (BARC) and retrieved
information on India’s nuclear weapon program.

Hackers stole credit and debit card information of 15,700
online customers of Western Union, whose Web site was unprotected while it was
undergoing maintenance.

Computer vandals attacked several pages of the London-based
HSBC Bank and posted pictures of British prime minister Tony Blair on its home
page along with a statement supporting the recent crippling fuel protest by
truckers and others demanding lower fuel prices.

Keeping today’s enterprise secure is a never-ending
struggle. Giants like HSBC, Yahoo, AT&T and Western Union have not, despite
heavy IT budgets and well thought-out security policies, been able to stave off
security breaches. These companies have spent fortunes on restoring normalcy in
the aftermath of a security problem. And this is not the last time they will
face such attacks either.

Just when you think you have an airtight system in place, a
new hacker technology or an especially diabolical adversary enters the picture.
What’s more, enterprise security breaches are not usually “outside
hacks”. In fact, the USA’s Computer Crime Unit of the FBI reports that
more than 80% of all network security breaches are inside jobs–disgruntled or
dishonest employees with their own agendas, or simply careless employees.

Regardless of the type of threat or where it comes from, it
is essential that an effective system that secures company assets be in place.
It is important to put in place policies that determine ‘who’ is authorized
for ‘what’ access and to ‘which’ information, denying any malicious or
destructive intrusion. This means having a strong user authentication system
in place.

According to Swapan Johri, business head, enterprise
networks, HCL Comnet, a complete security solution will have to span
security issues ranging from the physical protection of assets to user
authentication, access control, encryption, and management and monitoring of
the network. An enterprise may employ any or all of these to achieve data integrity
and access control. Agrees Rangan Devrajan, GM, e-management and e-security
services, Hewlett-Packard India Software Operations (HP-ISO), “Since the
security compromise can come from many different sources, the security challenge
should span across the entire enterprise, including both tangible and intangible
aspects.” Johri adds, “The best strategy depends on the risk involved,
the cost of deployment and the cost of a security breach or lost data.”

Foundation: Physical security

The most obvious element of security is often the most easily
overlooked one–physical security or controlling access to the most sensitive
component in a computer network, the network administration or the server room.
As network and data access is controlled from these places, it is essential that
physical security be considered as key to the company’s security strategy.

No amount of planning or expensive technology can ensure that
a network is secure if unauthorized access to the administration console is
possible. Even if a user does not have evil intent, an untrained user may
unknowingly provide unauthorized access to outsiders or override certain
protective configurations.

Next step: Access control

Access control governs a user’s ability to make a
connection to a particular network, computer or application, or to a specific
kind of data traffic. Access control systems are generally implemented using
firewalls, which provide a centralized point from which to permit or deny
access.

A firewall is the point at which your private company network
and a public network, such as the Internet, connect. A firewall system is a
hardware/software configuration, which sits at this perimeter, controlling
access into and out of your company’s network. While in theory firewalls allow
only authorized communications between the internal and external networks, new
ways are constantly being developed to compromise these systems, the
above-mentioned case of BARC illustrating one such major breach. However, if properly
implemented they are very effective at keeping out unauthorized users and
stopping unwanted activities on an internal network.

In fact, firewalls can help an enterprise protect and
facilitate the network at a number of levels. They allow e-mail, and other
applications such as ftp and remote login as desired, to take place while
otherwise limiting external access to the internal network. They provide an
authorization mechanism, which provides a level of assurance that only specified
users or applications can gain access through the firewall. They also typically
provide a logging and alerting feature, which tracks designated usage and
signals at specified events. Firewalls offer address translation, which masks
the actual name and address of any machine communicating through the firewall.
For example, all messages for anyone in the technical support department can
have their address translated to techsupp@company.com, effectively hiding the
name of an actual user and network address.

Developers are also adding new functionality, such as
encryption capabilities to the firewall. Encryption is the coding, or
scrambling, of data and keeps unintended users from reading the information.
Virtual private networks use encryption to provide secure transmissions over
public networks such as the Internet. Firewalls can also be deployed within an
enterprise network to compartmentalize different servers and networks, in effect
controlling access within the network. For example, an enterprise may want to
separate the accounting and payroll server from the rest of the network and only
allow certain individuals to access the information.

Passwords: The soft underbelly

Proof of identity is an essential component of any security
system. It’s the only way to differentiate authorized users from intruders.
Authentication becomes particularly important when some of the more
sophisticated communication methods are used. In addition to proving identity,
authentication systems can be used to determine what information a person or
company can access–for example, a human resources database or corporate
financial database.

At the heart of the authentication issue is the use of
passwords–the most common security approach for network systems, including
servers, routers and firewalls. This is the challenge and response method, where
a software agent within a database system or a workgroup server presents the
person requesting access to a resource with a challenge, most often requesting a
username and password. It is a way of identifying and authenticating users as
they access the computer system. Passwords provide verification that a user is
who they say they are. Unfortunately, there are a number of ways in which a password
can be compromised.

Someone wanting to gain access can ‘listen’ for a
username and password as an authorized user gains access over a public network.
Similarly, someone wanting to gain access can mount an attack on your access
gateway, entering an entire dictionary of words (or license plates, or any other
list) against a password field. Users may loan their passwords to co-workers, or
may leave lists of system passwords in public places.

Why paranoia is healthy

Fortunately, there are password technologies and tools that
can assist in making your network more secure. Useful in ad hoc remote access
situations, the one-time password generation system assumes that a password will
be compromised. Before the user leaves the internal network, a list of passwords,
each of which will work only one time against a given user name, is generated.
When logging into the system remotely, each password can be used only once, after
which it ceases to be valid. There are also operating system features such as password aging and
password policy enforcement. Password aging is a feature that requires users to
create new passwords after certain intervals. Good password policy dictates that
there be a minimum number of characters and a mix of letters and numbers, and
the operating system will not accept a password not meeting these rules.
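
The one-time password list described above, sketched in Python as an added example that is not part of the original article. The class name, the list size and the choice to store only SHA-256 digests on the server are assumptions made for illustration.

```python
import hashlib
import secrets


class OneTimePasswordList:
    """Server-side store for a pre-generated list of single-use passwords."""

    def __init__(self):
        # user name -> set of SHA-256 digests of passwords not yet used
        self._unused = {}

    @staticmethod
    def _digest(password):
        # The passwords are 64-bit random values, so a plain hash is enough
        # here; human-chosen passwords would need a slow, salted hash instead.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def issue(self, username, count=5):
        """Generate the list while the user is still on the internal network.

        The plaintext list is returned once for the user to carry; the server
        keeps digests only, so a copied store holds no usable passwords.
        Issuing a new list replaces any unused passwords from the old one.
        """
        passwords = [secrets.token_hex(8) for _ in range(count)]
        self._unused[username] = {self._digest(p) for p in passwords}
        return passwords

    def login(self, username, password):
        """Accept each issued password at most once for its own user name."""
        unused = self._unused.get(username, set())
        candidate = self._digest(password)
        if candidate in unused:
            # Consume the entry so a captured password cannot be replayed.
            unused.remove(candidate)
            return True
        return False

    def remaining(self, username):
        """Number of passwords the user can still log in with."""
        return len(self._unused.get(username, set()))
```

A password overheard during one remote login is already spent by the time an eavesdropper tries it, which is the assumption of compromise the scheme is built on.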

Then there are smart cards that provide extremely secure
password protection. Unique passwords, based on a challenge-response scheme, are
created on a small credit-card device. The password is then entered as part of
the logon process and validated against a password server, which logs all access
to the system. As might be expected, these systems can be expensive to
implement.

However, new access control methods like smart cards have yet
to gain popularity in India. According to a KPMG survey, almost 61% of the
respondents still depend only on a combination of user-id and password for
monitoring access into their systems.

Encryption and privacy

Even if both access control and authentication security
systems are completely effective, the enterprise can still be at risk when data
travels over a third-party network such as the Internet. Indeed, the low cost
and ease of connecting to the Internet have made it an extremely attractive
medium for communication within and between enterprises.

Encryption is a method of ensuring privacy of data so that
only intended users may view the information. It involves coding of data through
an algorithm or transform table into apparently unintelligible garbage.
Encryption can be used on data either stored on a server or as it is
communicated through a network.

Digital Encryption Standard (DES) is one of the oldest forms
of encryption. In fact, DES has been endorsed by the US-based National Institute
of Standards and Technology since 1975 and is the most commercially available
encryption standard worldwide. One major drawback with DES is that it is subject
to US export control programs and is generally not available for export.

RSA encryption is a public-key encryption system, and is
patented technology in the United States, and thus not available without a
license. However, the algorithm was published before the patent filing, and RSA
encryption can be used in Europe and Asia without a royalty. RSA encryption is
growing in popularity and is considered quite secure from brute force attacks.

An emerging encryption mechanism is Pretty Good Privacy (PGP),
which allows users to encrypt e-mail as well as information stored on their
systems. PGP also provides tools and utilities for creating, certifying and
managing keys.

Authentication and integrity

Authentication, simply, is knowing users are who they say
they are. This is important when using resources or sending messages in a large
private network, not to mention the Internet. Integrity is knowing that the data
sent has not been altered along the way. Of course, a message modified in any
way would be highly suspect and should be completely discounted. Message
integrity is maintained with digital signatures.

A digital signature is a block of data at the end of a
message that attests to the authenticity of the file. If any change is made to
the file, the signature will not verify. Digital signatures perform both an
authentication and message integrity function. Digital signature functionality
is available in PGP and when using RSA encryption. Kerberos is an add-on system
that can be used with any existing network. Kerberos validates a user through
its authentication system, and uses DES when communicating sensitive information–such
as passwords–on an open network. In addition, Kerberos sessions have a limited
life span, requiring people to log in again after a predetermined length of time and
preventing would-be intruders from replaying a captured session and thus gaining
unauthorized entry.

Cracker toolkits

Some security experts advocate proactive use of the very
tools which hackers use in order to discover system weaknesses before those with
less than honorable intent do. By discovering weaknesses before the fact,
protective action can be implemented to fend off certain attacks. Perhaps the
most famous of these tools is Security Analysis Tool for Auditing Networks
(SATAN), which is publicly available on the Web. According to the US-based
National Computer Security Institute, many companies are using SATAN on their
networks to uncover vulnerabilities.

Managing security

A security system should allow for oversight and control by a
human authority. Any system that uses authentication requires some central
authority to verify those identities, whether it be the “/etc/”
password file on a UNIX host, a Windows NT domain controller or a Novell
Directory Service (NDS) server. The ability to see histories, such as repeated
failed attempts to breach a firewall, can provide invaluable information to
those charged with protecting information assets. Some of the more recent
security specifications, such as IPSec, require the presence of a database
containing policy rules. All these elements must be managed for the system to
work correctly. However, management consoles or functions themselves represent
another potential point of failure of a security system. It is therefore
important to ensure that these systems are physically secured and that
authentication is in place for any logon to a management console.
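
One way to pull "repeated failed attempts" out of a firewall history, as an added example that is not part of the original article. The four-field log format, the sample lines and the threshold and window values are constructed for illustration and do not belong to any particular firewall product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "timestamp action source dest:port" format.
SAMPLE_LOG = """\
2000-10-02T09:00:01 DENY 203.0.113.7 10.0.0.5:23
2000-10-02T09:00:04 ALLOW 198.51.100.9 10.0.0.8:25
2000-10-02T09:00:09 DENY 203.0.113.7 10.0.0.5:23
2000-10-02T09:00:15 DENY 203.0.113.7 10.0.0.5:21
2000-10-02T09:00:20 DENY 192.0.2.4 10.0.0.5:23
2000-10-02T09:00:31 DENY 203.0.113.7 10.0.0.5:21
2000-10-02T09:00:40 DENY 203.0.113.7 10.0.0.5:23
garbled line
2000-10-02T10:30:00 DENY 192.0.2.4 10.0.0.5:23
2000-10-02T12:00:00 DENY 192.0.2.4 10.0.0.5:23
2000-10-02T14:00:00 DENY 192.0.2.4 10.0.0.5:23
"""


def repeated_denials(log_text, threshold=4, window=timedelta(seconds=60)):
    """Map each source that reaches `threshold` DENY events inside one
    `window` to the largest number of denials seen in any such window.

    Assumes the log is in chronological order, as firewall logs normally are.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "DENY":
            continue  # skip permitted traffic and malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        src = parts[2]
        q = recent[src]
        q.append(ts)
        # Drop denials that have aged out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged
```

On the sample, the source with five denials in under a minute is reported, while the one with the same kind of denials spread over several hours is not.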

As HP ISO’s Devarajan says, enterprise security should be
viewed as an end-to-end problem to be solved and not specific to products or
application problems or to systems within the enterprise. “Security is a
process that needs to be defined, constantly monitored and updated as and when
needed,” he says.

Clearly, security policy and guidelines definition should be
pro-active. Unfortunately, almost all companies worldwide wake up to a security
policy only when an incident–which usually involves loss of data, information,
business and money–happens.

SHUBHENDU PARTH
in New Delhi
