Why the Paranoid Survive

DQI Bureau

Members of the hacker group Milw0rm broke into the local area network (LAN) of the Bhabha Atomic Research Center (BARC) and retrieved information on India’s nuclear weapon program.

Hackers stole credit and debit card information of 15,700 online customers of Western Union, whose Web site was unprotected while it was undergoing maintenance.

Computer vandals attacked several pages of the London-based HSBC Bank and posted pictures of British prime minister Tony Blair on its home page along with a statement supporting the recent crippling fuel protest by truckers and others demanding lower fuel prices.

Keeping today’s enterprise secure is a never-ending struggle. Giants like HSBC, Yahoo, AT&T and Western Union have not, despite heavy IT budgets and well thought-out security policies, been able to stave off security breaches. These companies have spent fortunes on restoring normalcy in the aftermath of a security problem. And this is not the last time they will face such attacks either.

Just when you think you have an airtight system in place, a new hacker technology or an especially diabolical adversary enters the picture. What’s more, enterprise security breaches are not usually "outside hacks". In fact, the USA’s Computer Crime Unit of the FBI reports that more than 80% of all network security breaches are inside jobs–disgruntled or dishonest employees with their own agendas, or simply careless employees.

Regardless of the type of threat or where it comes from, it is essential that an effective system that secures company assets be in place. It is important to put in place policies that determine ‘who’ is authorized for ‘what’ access and to ‘which’ information, denying any malicious or destructive intrusion. This requires a strong user authentication system.

According to Swapan Johri, business head, enterprise networks, HCL Comnet, a complete security solution will have to span security issues ranging from the physical protection of assets to user authentication, access control, encryption, management and monitoring of the network. An enterprise may employ any or all of these to achieve data integrity and access control. Agrees Rangan Devrajan, GM, e-management and e-security services, Hewlett-Packard India Software Operations (HP-ISO), "Since the security compromise can come from many different sources, the security challenge should span across the entire enterprise, including both tangible and intangible aspects." Johri adds, "The best strategy depends on the risk involved, the cost of deployment and the cost of a security breach or lost data."

Foundation: Physical security

The most obvious element of security is often the most easily overlooked one–physical security or controlling access to the most sensitive component in a computer network, the network administration or the server room. As network and data access is controlled from these places, it is essential that physical security be considered as key to the company’s security strategy.

No amount of planning or expensive technology can ensure that a network is secure if unauthorized access to the administration console is possible. Even a user without evil intent may, if untrained, unknowingly provide unauthorized access to outsiders or override certain protective configurations.

Next step: Access control

Access control governs a user’s ability to make a connection to a particular network, computer or application, or to a specific kind of data traffic. Access control systems are generally implemented using firewalls, which provide a centralized point from which to permit or deny access.

A firewall is the point at which your private company network and a public network, such as the Internet, connect. A firewall system is a hardware/software configuration that sits at this perimeter, controlling access into and out of your company’s network. While in theory firewalls allow only authorized communications between the internal and external networks, new ways are constantly being developed to compromise these systems, the above-mentioned case of BARC illustrating one such major breach. However, if properly implemented, they are very effective at keeping out unauthorized users and stopping unwanted activities on an internal network.

In fact, firewalls can help an enterprise protect and facilitate the network at a number of levels. They allow e-mail, and other applications such as ftp and remote login as desired, to take place while otherwise limiting external access to the internal network. They provide an authorization mechanism, which provides a level of assurance that only specified users or applications can gain access through the firewall. They also typically provide a logging and alerting feature, which tracks designated usage and signals at specified events. Firewalls offer address translation, which masks the actual name and address of any machine communicating through the firewall. For example, all messages for anyone in the technical support department can have their address translated to techsupp@company.com, effectively hiding the name of an actual user and network address.

Developers are also adding new functionality, such as encryption capabilities, to the firewall. Encryption is the coding, or scrambling, of data and keeps unintended users from reading the information. Virtual private networks use encryption to provide secure transmissions over public networks such as the Internet. Firewalls can also be deployed within an enterprise network to compartmentalize different servers and networks, in effect controlling access within the network. For example, an enterprise may want to separate the accounting and payroll server from the rest of the network and only allow certain individuals to access the information.

Passwords: The soft underbelly

Proof of identity is an essential component of any security system. It’s the only way to differentiate authorized users from intruders. Authentication becomes particularly important when some of the more sophisticated communication methods are used. In addition to proving identity, authentication systems can be used to determine what information a person or company can access–for example, a human resources database or corporate financial database.

At the heart of the authentication issue is the use of passwords–the most common security approach for network systems, including servers, routers and firewalls. This is the challenge and response method, where a software agent within a database system or a workgroup server presents the person requesting access to a resource with a challenge, most often requesting a username and password. It is a way of identifying and authenticating users as they access the computer system. Passwords provide verification that a user is who they say they are. Unfortunately, there are a number of ways in which a password can be compromised.

Someone wanting to gain access can ‘listen’ for a username and password as an authorized user gains access over a public network. Similarly, someone wanting to gain access can mount an attack on your access gateway, entering an entire dictionary of words (or license plates, or any other list) against a password field. Users may loan their passwords to co-workers, or may leave lists of system passwords in public places.

Why paranoia is healthy

Fortunately, there are password technologies and tools that can assist in making your network more secure. Useful in ad hoc remote access situations, the one-time password generation system assumes that a password will be compromised. Before the user leaves the internal network, a list of passwords, each of which will work only one time against a given user name, is generated. When logging into the system remotely, each password can be used only once and then ceases to be valid. There are also operating system features such as password aging and password policy enforcement. Password aging is a feature that requires users to create new passwords after certain intervals. Good password policy dictates that there be a minimum number of characters and a mix of letters and numbers, and the operating system will not accept a password not meeting these rules.
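
The one-time password list described above, sketched as an added example (not code from the article or from any product it mentions): the server keeps only hashes of the unused passwords and deletes each one on first use, so a password captured in transit cannot be replayed. The class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def generate_otp_list(count=5, nbytes=10):
    """Return `count` random single-use passwords as hex strings."""
    return [secrets.token_hex(nbytes) for _ in range(count)]


def _digest(user, password):
    # Binding the user name into the hash keeps one user's list from
    # validating for another. A fast hash is acceptable only because the
    # passwords are long random values, not user-chosen words.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


class OneTimePasswordServer:
    """Stores hashes of unused passwords; each one validates exactly once."""

    def __init__(self):
        self._unused = {}  # user name -> set of digests not yet consumed

    def enroll(self, user, passwords):
        self._unused[user] = {_digest(user, p) for p in passwords}

    def login(self, user, password):
        candidate = _digest(user, password)
        for stored in list(self._unused.get(user, ())):
            if hmac.compare_digest(stored, candidate):
                self._unused[user].discard(stored)  # consume: replay now fails
                return True
        return False

    def remaining(self, user):
        return len(self._unused.get(user, ()))


if __name__ == "__main__":
    server = OneTimePasswordServer()
    otps = generate_otp_list()
    server.enroll("alice", otps)
    print("first use :", server.login("alice", otps[0]))   # accepted
    print("replay    :", server.login("alice", otps[0]))   # rejected
    print("remaining :", server.remaining("alice"))
```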

Then there are smart cards that provide extremely secure password protection. Unique passwords, based on a challenge-response scheme, are created on a small credit-card device. The password is then entered as part of the logon process and validated against a password server, which logs all access to the system. As might be expected, these systems can be expensive to implement.

However, new access control methods like smart cards have yet to gain popularity in India. According to a KPMG survey, almost 61% of the respondents still depend only on a combination of user-id and password for monitoring access into their systems.

Encryption and privacy

Even if both access control and authentication security systems are completely effective, the enterprise can still be at risk when data travels over a third-party network such as the Internet. Indeed, the low cost and ease of connecting to the Internet have made it an extremely attractive medium for communication within and between enterprises.

Encryption is a method of ensuring privacy of data so that only intended users may view the information. It involves coding of data through an algorithm or transform table into apparently unintelligible garbage. Encryption can be used on data either stored on a server or as it is communicated through a network.

Digital Encryption Standard (DES) is one of the oldest forms of encryption. In fact, DES has been endorsed by the US-based National Institute of Standards and Technology since 1975 and is the most commercially available encryption standard worldwide. One major drawback with DES is that it is subject to US export control programs and is generally not available for export.

RSA encryption is a public-key encryption system, and is patented technology in the United States, and thus not available without a license. However, the algorithm was published before the patent filing, and RSA encryption can be used in Europe and Asia without a royalty. RSA encryption is growing in popularity and is considered quite secure from brute force attacks.

An emerging encryption mechanism is Pretty Good Privacy (PGP), which allows users to encrypt e-mail as well as information stored on their systems. PGP also provides tools and utilities for creating, certifying and managing keys.

Authentication and integrity

Authentication, simply, is knowing users are who they say they are. This is important when using resources or sending messages in a large private network, not to mention the Internet. Integrity is knowing that the data sent has not been altered along the way. Of course, a message modified in any way would be highly suspect and should be completely discounted. Message integrity is maintained with digital signatures.

A digital signature is a block of data at the end of a message that attests to the authenticity of the file. If any change is made to the file, the signature will not verify. Digital signatures perform both an authentication and message integrity function. Digital signature functionality is available in PGP and when using RSA encryption. Kerberos is an add-on system that can be used with any existing network. Kerberos validates a user through its authentication system, and uses DES when communicating sensitive information–such as passwords–on an open network. In addition, Kerberos sessions have a limited life span, requiring people to log in again after a predetermined length of time and preventing would-be intruders from replaying a captured session and thus gaining unauthorized entry.

Cracker toolkits

Some security experts advocate proactive use of the very tools which hackers use in order to discover system weaknesses before those with less than honorable intent do. By discovering weaknesses before the fact, protective action can be implemented to fend off certain attacks. Perhaps the most famous of these tools is Security Analysis Tool for Auditing Networks (SATAN), which is publicly available on the Web. According to the US-based National Computer Security Institute, many companies are using SATAN on their networks to uncover vulnerabilities.

Managing security

A security system should allow for oversight and control by a human authority. Any system that uses authentication requires some central authority to verify those identities, whether it be the "/etc/" password file on a UNIX host, a Windows NT domain controller or a Novell Directory Service (NDS) server. The ability to see histories, such as repeated failed attempts to breach a firewall, can provide invaluable information to those charged with protecting information assets. Some of the more recent security specifications, such as IPSec, require the presence of a database containing policy rules. All these elements must be managed for the system to work correctly. However, management consoles or functions themselves represent another potential point of failure of a security system. It is therefore important to ensure that these systems are physically secured and that authentication is in place for any logon to a management console.
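
One way to surface the "repeated failed attempts" history mentioned above, as an added example that is not from the article: a sliding-window count of denied connections per source address. The log format, addresses and thresholds are constructed for illustration, and the lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
2000-10-02T10:00:01 DENY src=203.0.113.7 dport=23
2000-10-02T10:00:04 ALLOW src=198.51.100.20 dport=25
2000-10-02T10:00:09 DENY src=203.0.113.7 dport=21
2000-10-02T10:00:15 DENY src=203.0.113.7 dport=513
garbled line without fields
2000-10-02T10:03:00 DENY src=198.51.100.20 dport=23
2000-10-02T10:09:30 DENY src=198.51.100.20 dport=23
2000-10-02T10:20:00 DENY src=198.51.100.20 dport=23
"""


def parse(line):
    """Return (timestamp, action, source) or None for unparseable lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return when, parts[1], fields.get("src")


def repeated_denials(lines, threshold=3, window=timedelta(seconds=60)):
    """Map each source to the time it first reached `threshold` denials
    inside `window`. Assumes the lines arrive in time order."""
    recent = defaultdict(deque)  # source -> timestamps of recent denials
    alerts = {}
    for line in lines:
        record = parse(line)
        if record is None or record[1] != "DENY" or record[2] is None:
            continue
        when, _, src = record
        hits = recent[src]
        hits.append(when)
        while when - hits[0] > window:  # drop denials older than the window
            hits.popleft()
        if len(hits) >= threshold:
            alerts.setdefault(src, when)
    return alerts


if __name__ == "__main__":
    for src, when in repeated_denials(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} repeated denials from {src}")
```

The second source in the sample is denied three times as well, but minutes apart, so it stays below the threshold; widening `window` trades fewer missed slow probes for more noise.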

As HP ISO’s Devarajan says, enterprise security should be viewed as an end-to-end problem to be solved and not specific to products or application problems or to systems within the enterprise. "Security is a process that needs to be defined, constantly monitored and updated as and when needed," he says.

Clearly, security policy and guidelines definition should be pro-active. Unfortunately, almost all companies worldwide wake up to a security policy only when an incident–which usually involves loss of data, information, business and money–happens.

SHUBHENDU PARTH in New Delhi
