General Practice, Solo & Small Firm DivisionMagazine
Security Systems Protective MeasuresAgainst Hackers
By G.C. Eric Brumfield
As our world heads into the next millenium, companies in every industry are becoming more computer literate. Their need for some level of sophisticated networks to keep their competitive edge is becoming greater. With every network that is installed in an organization, there is also a risk that proper security measures were overlooked or taken for granted. In these cases, companies can face a great deal of embarrassment and anxiety and even lose millions of dollars due to security breaches.
When should companies invest in security systems? When can they determine if they are at risk without one? A rule of thumb is, any company that routinely stores sensitive, confidential information that is critical to their success, or information that could cause damage to them were it to end up in the wrong hands, should definitely look for a sound security system to protect its investment. Companies utilizing a local area network with a small number of users are at a lower risk than those that utilize a wide area network that connects to multiple sites within a city or multiple sites throughout the country.
Information equates to power and money in this day and age. The Internet is becoming one of the fastest ways to start a new business, grow an existing business or simply find needed information. Jim Reed, manager of public relations for V-One, a network security company in Germantown, Maryland, says, "It’s business-to-business commerce through the Internet that is going to make the Internet even bigger than it is now. And with companies communicating with each other through the Internet, vital information is being transferred back and forth. If the information falls into the wrong hands, it could be beyond damaging."
Law offices and other industries have to deal with the power of confidentiality. As we take a closer look at how freely information is passed via our internal networks and the Internet, we must begin to recognize the importance of having an adequate network security system that will protect this information and secure the rights of confidentiality for businesses and our clients.
After accomplishing the great task of installing a network security system, there is yet another concern that demands close attention: the ability to manage network security systems effectively so that hackers do not break through security walls and create nightmares for us all. Hacker is more than just a word to many. For some it’s, a career, and for others it is like a vampire in the night waiting to suck the blood and money from the life of a company. Most organizations in business today have been the victim of hackers at one time or another. Part of the reason is that hackers come in many shapes and sizes. They can be as small and as brilliant as the adolescent genius that lives next door–the kid that spends his time solving puzzles and breaking passwords on his PC in the basement, instead of playing with the boring computer-illiterate kids in the neighborhood. Or hackers can be as dangerous as the professionals, known as "Black Hats," computer criminals who make a living by breaking into unsuspecting computer systems and selling, destroying or manipulating data or information they poach.
How can businesses protect their investments with criminals waiting for the perfect opportunity to penetrate security systems? There are many security measures that can be taken. Some are very small steps, and others involve financial investments.
One major step that organizations can take is to eliminate use of the Internet on the job. It is common knowledge that Internet access and a modem are key sources of entry into an organization’s computer system. And every organization has its workaholics–you know, people who are so dedicated to work that they have to take some of it home with them. Then they remotely access the server at the office to make modifications to their critical projects. If the fire walls of our network security systems allow people with just average computer literacy to enter, then what opportunities for intrusion exist for the "Black Hats" of the world. Just a simple password can create a virtual playground for the professional hacker.
Welcome to the world of hacker. According to the third annual "Computer Crime and Security Survey," conducted by the Computer Security Institute in San Francisco (http:www.gocsi.com), computer crime and other information security breaches are on the rise, and the cost to U.S. corporations and government agencies is growing.
The CSI report released last March noted that 64 percent of respondents reported computer security breaches within the last year. This figure is 16 percent higher than CSI’s 1997 survey.
CSI also reported that, although most organizations have firewalls in place at their network perimeters, more than 70 percent had security flaws which left them vulnerable to even the most rudimentary malicious attacks.
Companies must first take proactive measures from within. Initial steps should be block the curious onlooker or the average computer hacker. This would basically protect documents within the system from internal onlookers, but it will not protect them from that experienced hacker outside, looking in. Measures might include password protection, masking and information-change detection. Getting into the habit of changing passwords regularly is a wise thing to do.
It’s recommended that companies change user passwords at least once a quarter. Masking techniques include disguising files inside the computer, or hiding ranges of information inside a file to make information appear unreadable or invisible. Change-detection techniques include audit trails such as byte count and formula difference locators. There are many security programs available in today’s marketplace that address spreadsheet and word-processing techniques, operating systems security, database protection, and general safeguards and Internet security, to name just a few. Depending on your business, any one or all of these programs would benefit to the protection of data or information within your systems. Companies that implement such internal protective measures move one step closer to preventing incidents like the Bernard Mayles case in 1991. Bernard stole drug-processing information from his then-employer pharmaceuticals giant Merck & Co, and tried to peddle it to an Eastern European company. That company’s agent turned out to have a different employer: the FBI. Mayles was sentenced to nine years in prison.
Another situation that might have been avoided is the case of a retail store chain managed by Bill Kesl, director of systems integration at Datamax Systems Solutions in Boca Raton, Florida. A computer-savvy store clerk at Kesl’s would log on to an electronic register and change prices so that an accomplice could buy items for next to nothing. In both cases, individuals were able to access sensitive computer information and use it for dishonest purposes, due to relaxed security parameters.
As companies move toward decentralized networks of personal computers and away from centralized, easily protected mainframes, they become more vulnerable to hacking. In an effort to make businesses more user-friendly, we are inevitably making them more hacker-friendly as well.
The "Black Hats" of the world create varied nightmares for businesses. A hacker tampered with automaker BMW’s Web site as a New Year’s prank last January, taking the image of a BMW roadster tearing down the highway and transforming it into a car wreck by turning the car upside down and painting in skid marks. Later that same month, critics of Indonesia’s then-President Suharto hit 15 government domains, including the site of the nation’s police force, inserting their views onto the Web sites.
There is also the "denial of service" attack, in which a hacker tricks a computer so that it shuts down or is so busy with bogus requests that it can’t handle legitimate ones. In March, a series of "denial of service" attacks crippled hundreds of systems, including computers owned by NASA and other government agencies, various academic institutions, Microsoft Corporation and other commercial institutions. Last year a virus shut down computers for two days at National City Corporation, a Cleveland bank. The bank spent at least $400,000 to correct the virus rewiring during the attack to activate backup computers.
In a survey conducted last year by Information Week and Ernst & Young of New York, 40 percent of respondents reported losses of up to $100,000 from macro viruses; nearly half (47 percent) reported losses of up to $100,000 due to other types of viruses.
Nick Simicich, an IBM Senior Security consultant in Boca Raton, Florida, tests social engineering methods when conducting security audits for clients. Social Engineering is a term that commonly used by low-key hackers to describe posing as employees of a company in order to gain sensitive information. "I’ve gone up to a security person carrying a laptop, "Simicich says," asked him what the policy is on laptops and walked out the door." He has also gotten passwords by posing as a company computer technician: "I’ll just say, ‘Could you do me a favor and give me your password so I don’t have to look it up?’" These are just a few of the potentially hundreds of techniques that hackers use to wreak havoc on our organizations.
One very common preventive measure that companies are using is to hire outside organizations to strengthen their network security systems. The organizations conduct a series of diagnostic tests from outside, to see how easy it is to crack the firewalls of the target organization–with the permission of the organization. This adds a new twist, paying someone to hack systems to discover the weaknesses.
One company that provides this service to all industries is IBM. Dave Gamey, of IBM Canada, is a consultant for public and private-sector organizations, including banks. Gamey is engaged in an ongoing war against computer criminals as a member of a 100-man team of "White Hats." The White Hats charge up to $40,000 to attempt to outwit their black-hatted opponents, using technologies such as Trojan horses, jails, spoofing, password guessers, war-dialers, stealth port scanners, firewalls, sniffers, daemons and finger commands. When Gamey and his team win, they can save a company embarrassment, anxiety, hours of labor costs and millions of dollars in potential losses. The $40,000 cost for this service is minimal; Gamey and his merry team of white hatters believe that they have saved millions for their clients.
Where Are We Heading
Traditionally, computer crimes have been inside jobs. But technology continues to advance, giving us all the potential to gain a competitive edge. Companies need take the proper steps to avoid internal hacking and to set security parameters, because it will become increasingly more expensive to secure data. John D. Spain, executive vice president of information technology security at Asset Management Solutions, an Atlanta-based security firm, says, "Companies need to classify their information. If you don’t know what you need to protect, it’s hard to protect it.". We must all become more knowledgeable about common occurrences of internal and external hacking in our types of businesses, to protect our investments better in the next millennium.
Network Security Systems are a great enough problem by itself. One that has the government setting regulations on the use of information flowing through the Internet with encryptions on it. Today our worry is the loss of great profits as a result of this hacker problem, let’s hope that tomorrow our worry won’t be that we will all be living in a world like the one depicted in the 1998 movie, "Enemy of the State," where the government is the real "Black Hat" to worry about.
Once we take the time and make the necessary investments to determine our security needs we will move one step closer to what we would all like to believe is "real security."
G.C. Eric Brumfield is president of BIT Consultants Incorporated, an IT Staffing Firm in Detroit, Michigan. He can be reached at Brumfield1@aol.com