Computer Security White Paper

How safe is it out there

So you want to go on the internet, you want to do business on the web, and online financial transactions with your bank. You want to go online! You are opening your door to the cybernetic world and you anxiously await the returns. The internet and the web are new frontiers, new markets to be tapped, but beware, there be tigers out there.

Past the metaphor, what is not obvious to all the business people going online is how secure they are in doing so! Let's face it, modern day office equipment is for the most part geared towards ease and transparency of use, and not towards security of data. The ease with which one of your employees shares his/her printer with the rest of the team is the same ease with which an outsider can access the resources of her/his computer. The ease with which an NT server shares its disks is an open invitation to outsiders to peek into and even destroy your hard earned business data.

Let us first define what connecting to the internet means. In the majority of cases a company purchases a router and signs a service agreement with an internet provider, and lo and behold they are online. All this is fine, but have you ever stopped to consider who is out there? It is not only your current and prospective clientele, not only your suppliers, but also your competitors and enough sixteen year old hackers with more time to themselves than they know what to do with!

Your competition is indeed a thorn in your side, but your competition armed with your internal data is a tiger unleashed. There is simply no defense against an able, willing and armed enemy, especially when that enemy is armed with your internal operations, be they personnel reports or tax papers. And do not forget the destructive tendencies of underage hackers. They may be of no competition to you, but they are of grave consequence. If a hacker breaks into your server and starts deleting and altering files (philes in hacker slang), the results will be quite unpleasant to your operation. At best you will lose time and money trying to repair the damage and go full steam again. At worst your operation will be affected so grossly that only a total shutdown will be able to bring things under control. Either way you lose, be it your market share or your time; it all translates to revenues lost and disgruntled boards of trustees.

Of course your MIS department is not wrong to want to go online, neither are your instincts telling you that you are right to let them do so. But is your organization equipped with elephant guns and lion snares? Can your MIS director become a security expert within a heartbeat, or should you hire even more people under the shady title of Network Security Manager?

You are right, of course, that very few people hear of security issues directly. After all, the very nature of the beast is to be cryptic. National and international organizations exist to alert the computer community of potential and actual security breaches, such as the CIAC and the CERT (Computer Emergency Response Team). It is also rather embarrassing for a large computer corporation such as Microsoft to admit that they have overlooked the security of their products.

How easy it is

The tools are already available for wily foes to attack your organization, and they are regularly used to perform random and directed sweeps of potential victims. Tools like SATAN and STROBE can very easily and quickly find out your internal digital infrastructure. The notoriety of the above tools bespeaks little of their abilities. A poorly administered network appears literally perforated, with each perforation being a potential access tunnel. This problem is especially exacerbated with the new generation of file sharing systems such as CIFS.

The situation becomes especially troublesome when we take into account the most common business setup in any modern organization. Chances are that most of the computers inside your organization are more or less Windows™ based, with the possibility of a few Windows NT™ servers thrown around as application servers. It is obvious that this setup is inherently insecure. The minute a hard disk is shared without a password imposed upon it, this disk becomes available for browsing not only to your local net, but to the totality of the internet also.

Let us take a possible scenario that has occurred all too often. You are in a hurry, a new server is needed, a new box comes in and goes to production immediately, and your MIS folks do not set a password because they were pressed for time; after all, you can either have ease and speed of use or security, but not both. Maybe the upper management pressed them more than they should have, maybe they were not careful enough by themselves. In any case you can consider this machine as being effectively open for perusal to the rest of the planet. Everybody knows that the default account is called administrator, and with the new generation of client programs like smbclient, an adversary can see what you hold in this computer.

It may sound just too easy to happen, but the fact of the matter is that it is! More sites on the internet are poorly maintained than are taken good care of. And the trouble does not end at the file sharing level. Setting up a public Web server, an extranet in modern parlance, creates some issues in and of itself. WWW server software has its own set of problems and can even create back doors to your operations and internal workings.

Whose fault it is

It is nobody's fault, yet every person is responsible: MIS for not being paranoid enough, users for demanding total transparency, and management for trying to extract more productivity out of everyone without considering the consequences.

Do not discount your vendor's inability to inform you of problems in a timely manner. It is more often than not the case that computer or software vendors' marketing personnel obscure the issue of security problems when they crop up. Even worse, they do not even test their products for possible outside tampering. It is rather disquieting to find out about the security risks of a particular application on the public forums, rather than have its creator stress test the application ahead of time. One application that readily comes to mind is Microsoft's Internet Explorer, which would readily give out its user's password to a malicious site.

Obscurity and denial of problems is a common practice among large vendors, but it definitely is not security. Not knowing about a problem does not make that problem disappear; it just makes it so much more dangerous when an ill-willed individual stumbles across it.

The Remedy, buying a Firewall

How do you decide which firewall is best for you? Do you just go out and buy one from a vendor, and go back to square one, to trusting a vendor's ability to see itself from the outside? Absolutely not. There are a few things to consider before installing a firewall. First of all let us consider your infrastructure: if we call it type A, then your firewall must be of type B. In this fashion (allow me the pun), even if the security of the security machine is breached, a cracker cannot glean any more information about your infrastructure, due to the dissimilarity of the systems.

You also have to consider that off the shelf software cannot work in all cases and under all conditions, since different organizations have different needs. Where one absolutely needs FTP access, another will require read only FTP access from the outside world, etc. etc. ad nauseam. So custom solutions are not to be avoided, but checked carefully for compliance to specs.

Copyright © Angelos Karageorgiou
