Network Security (Matthew Titcombe)
Not so many moons ago, when I was in the military, one of my primary concerns was security. Nope, I wasn't a security police officer but a war planner. A majority of my job dealt with handling classified documents and data files. Everything became more automated. We even had a classified computer in our office. As the computer custodian for that PC, I had to deal with all types of fun issues, like information security and computer security.
That job has laid critical foundations for what this and next month's columns will be about - security. We are going to jump into Internet and Intranet security. But before we go much further, let me climb back up on my soapbox for a minute...
Ahem. Your information is money. This and next month's articles are about protecting your information.
While I had to protect classified war plans against espionage, you need to protect your business's data against your threats. Just as a foreign nation would love to get its hands on our war plans, so would your competition, which may be growing in-house as you read this.
Know Your Enemy
I referred above to sources of security breaches, but let me quickly cover them. The commonly known one is from an external source, a.k.a. hackers. The more insidious source of security problems, and far less advertised, is internal sources: your employees.
Due to the scope of both, I am going to cover external sources this month and internal ones next month. The primary reason for this choice is that the proliferation of broadband Internet access (cable modems and xDSL routers) across America will increase external threats to your data.
"In 1996, the risk from outside threats to information and computer systems was 10 percent," according to John Gray, network security guru at John Gray Security Consulting Inc. "The risk from inside threats was 90 percent. With the explosion of the Internet, the ratio has moved to 20 percent from outside vs. 80 percent from inside. Even though the risk from outside threats has doubled in the last four years, most security incidents still occur from inside."
Let me clarify Internet access a bit more. Internet access comes in two breeds: dial up and 24-7. Someone who dials up to the Internet via a modem does not normally have a static address but is assigned a new one every time he connects.
For example, my modem was assigned an address ending in ".167" by my ISP. After hanging up and re-dialing, I came back with a different address from the same pool. So if a vandal thought he had figured out how to access my systems at the ".167" address, he now has to relocate me at my new address, after first working out that the machine there is the same one he found at ".167". In this case, my changing address protects me almost as well as a security device would, though for the length of any one session I am just as exposed as anyone else.
Someone with 24-7 access, however, is assigned a static address (or, with many cable and xDSL providers, a dynamic address that changes so rarely it is static for all practical purposes). If we tweak the example above, even after reconnecting, my Internet address would have remained ".167." I explain to my clients looking at 24-7 Internet access that they are now the proverbial sitting duck in a shooting gallery full of people with big guns.
Thanks to the ability to access the Internet by cable modems and xDSL routers, commercial and residential clients are being given static addresses by the thousands every day without fair warning of the hazards they are open to.
Let's talk about hackers for a bit. According to an emphatic Gray, hackers are either vandals or, like the cowboys of the Old West, black hat hackers using their skills for the wrong purposes. The majority are simply vandals. Why? Let's step back in time for a minute.
When we were growing up, the Internet didn't exist, and the only way to communicate over long distance was by mail or phone. Mail had chain letters, and we all either have received or made prank calls.
Today's kids are growing up in an international world where there is an incredible amount of anonymity via the Internet. Since the same urge is there, and the tools for hacking are just as available as the can of spray paint at the local hardware store, today's vandals are hitting Web sites and networks for the fun of it. One of the most popular sites to hit is the Pentagon. In 1998, the Pentagon reported 5,844 attacks, while 1999 saw almost a 400 percent increase to 22,144 cyber-attacks. As of Aug. 4, the count is just under 14,000.
So what does this have to do with you and your business? If you have Internet access without the right protection, your entire business can be wiped out, spread across the globe or used against you.
Method To The Madness
Let's take a look at the standard operating procedure for a cyber vandal. The typical process starts with an automated program that can scan every Internet address in the world for known security openings. Because that would take forever, a vandal will target a specific range. For example, let's say the hacker is prowling my block, 208.204.46.xxx, where the xxx represents the addresses handed out by my Internet service provider. His program probes every port on every address in that block, noting which ones answer, in order to find a way in.
Think of a prowler trying to break into a neighborhood. Prowlers will go from house to house (your Internet address) trying to get in through an unsecured window or door (port). In computer terms, a port may be a Web page server (Windows 98 has a built-in Web page service that is exploitable), e-mail or a host of other openings that should be locked.
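What that prowler's pass through the neighborhood looks like from your side of the fence is a burst of connection attempts from one address to many different ports in a few seconds. The following is an added example, not code from the column or from any product it mentions: a small Python detector that reads firewall log lines and flags sources that touch many distinct ports inside a short window, which is essentially the "telltale" an intrusion detection system (mentioned in the tips below) would alert on. The log format, the source addresses and the timestamps are constructed for illustration; the target is the column's own ".167" address.

```python
"""Added example: spotting a port scan in firewall log lines.

Log format, sources and times are constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: timestamp, firewall verdict, source, destination, destination port.
SAMPLE_LOG = """\
2000-08-04T22:15:01 DENY  203.0.113.7   208.204.46.167 21
2000-08-04T22:15:01 DENY  203.0.113.7   208.204.46.167 22
2000-08-04T22:15:02 DENY  203.0.113.7   208.204.46.167 23
2000-08-04T22:15:02 DENY  203.0.113.7   208.204.46.167 25
2000-08-04T22:15:03 ALLOW 203.0.113.7   208.204.46.167 80
2000-08-04T22:15:03 DENY  203.0.113.7   208.204.46.167 110
2000-08-04T22:15:04 DENY  203.0.113.7   208.204.46.167 139
2000-08-04T22:15:10 ALLOW 198.51.100.20 208.204.46.167 80
2000-08-04T22:16:30 ALLOW 198.51.100.20 208.204.46.167 80
2000-08-04T22:16:31 DENY  198.51.100.20 208.204.46.167 25
2000-08-04T22:20:00 DENY  192.0.2.9     208.204.46.167 139
"""


def parse_line(line):
    """Split one log line into (timestamp, verdict, src, dst, dport)."""
    ts, verdict, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), verdict, src, dst, int(dport)


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Return {source: {"ports_probed": [...], "answered": [...]}} for every source
    that touched at least `min_ports` distinct ports within any `window_seconds`
    span.  "answered" lists probed ports the firewall let through, i.e. what the
    scanner learned was open."""
    recent = defaultdict(deque)   # source -> (timestamp, port) events still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, verdict, src, _dst, dport = parse_line(line)
        window = recent[src]
        window.append((ts, dport))
        # Slide the window: forget events older than window_seconds.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {port for _, port in window}
        if len(distinct) >= min_ports:
            entry = alerts.setdefault(src, {"ports_probed": set(), "answered": set()})
            entry["ports_probed"] |= distinct
        if verdict == "ALLOW" and src in alerts:
            alerts[src]["answered"].add(dport)
    return {src: {k: sorted(v) for k, v in e.items()} for src, e in alerts.items()}


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: probed {info['ports_probed']}, open to it: {info['answered']}")
```

Run against the sample, it reports only 203.0.113.7, which hit seven ports in three seconds and found port 80 open; the two other sources, a normal Web visitor and a single stray probe, stay below the threshold. The threshold and window are the knobs: set them too low and every impatient browser looks like a scanner, too high and a slow, patient scan walks through unnoticed.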
Once in, a hacker will use one of five basic techniques against your network:
- Computer Virus: A program made to automatically infect your system and then spread faster than a case of flu at your kid's school. A good example of this is the infamous "I Love You" virus.
- Network Worm: This is a specialized program that looks for room to run on a system and then ties up network resources in order to crash the system. The vandals that targeted Yahoo earlier this year used a modified worm to "zombify" PCs and servers, which were then used to bring down Yahoo and other companies by drowning their servers with useless data.
- Trojan Horse: This little program, like its namesake, looks great on the outside but carries a nasty payload internally. An example of this one is the Happy99.exe program I am still cleaning up today. Happy99 was a program written in 1998 and sent around via e-mail. When executed, it showed a pretty display of fireworks while the horse unloaded a program that would trash your Internet connectivity.
- Logic Bomb: This application is like a parasite. Its intent is to kill, with no care for self-replication. It kills by wiping your hard drive, filling it full of junk or destroying critical files. For instance, a programmer may include a module of code in the accounting program that checks for the existence of his user account. If his account is present, that means he is still an employee and the accounting program continues to function normally. If his account is absent, that means he quit or was fired, and the module executes and does something such as deleting all of the accounting records.
- Sniffer: A sniffer is like a bloodhound looking for a trail. Except, in this case it is normally programmed to look for passwords or specific information, which it relays back to the originator.
Build Your Army
The question at hand now is, how do you protect yourself and your business? First, we need an understanding of a generic Internet access solution, as shown in the network firewall diagram, to demonstrate these key points. I am going to base the following suggested steps on two premises. The first premise is that you are connected to the Internet 24-7 via some type of device, in this case a DSL router (fancy name for a modem). Secondly, you are sharing the connection with the rest of the people in your office.
Now, let me explain the diagram. The Internet, symbolized by a cloud (I don't know who came up with that one, but it is the standard symbol), is connected by a DSL router. The router then hands the transmitted information to the firewall. The firewall can be a program running on a computer or a network appliance hard-coded to provide security protection against outside threats.
A firewall is like a police officer patrolling your "house's doors and windows" to ensure they are secured. It is designed to inspect all incoming information and redirect it appropriately. Sticking with my previous address example, the firewall would hold the public ".167" address. Incoming requests for a service you have chosen to publish are redirected to the appropriate inside machine, for example the server with a local area network address of 10.0.0.1; a request for anything you have not published has no inside destination and is dropped. That redirection is called network address translation (NAT) and is one of the first key layers of protection, though it is a layer and not a substitute for the filtering described next.
The firewall also should be configured to look for malformed information and deny it. An analogy would be a letter with a bogus return address. The "police officer" checks the originating address for veracity and, if it is improper (for example, a packet arriving from the Internet that claims to come from inside your own network), throws it away. Some firewalls can also be set up to open the mail and look for viruses.
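To make the two preceding paragraphs concrete, here is an added example (illustrative Python, not any firewall product's rule language and not code from the column) that models the decisions a border firewall makes for one inbound packet: reject obviously malformed packets, reject spoofed return addresses, and translate only published services to the inside server at 10.0.0.1. The public ".167" address, the 10.0.0.0/24 office network and the list of published services are assumptions for the example.

```python
"""Added example: a minimal model of the border firewall described above.

Addresses, the inside network and the published services are assumptions.
"""
import ipaddress

PUBLIC_ADDRESS = ipaddress.ip_address("208.204.46.167")   # the firewall's Internet-side address
OFFICE_LAN = ipaddress.ip_network("10.0.0.0/24")          # the inside network

# Ranges that can never legitimately be the *source* of a packet arriving from the
# Internet: private space (RFC 1918), loopback, "this network", multicast.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4",
)]

# Network address translation table: public TCP port -> (inside host, inside port).
# As far as the outside world is concerned, only the services listed here exist.
PUBLISHED = {
    80: ("10.0.0.1", 80),    # the Web server from the diagram
    25: ("10.0.0.1", 25),    # inbound e-mail
}


def filter_inbound(src, dst, proto, dport):
    """Decide what to do with one packet arriving on the Internet-facing interface.

    Returns ("DROP", reason) or ("FORWARD", inside_host, inside_port)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # Malformed: a packet claiming to come from the very address it is sent to.
    if src_ip == dst_ip:
        return ("DROP", "malformed: source equals destination")

    # Anti-spoofing, the "letter with a bogus return address": inside addresses and
    # reserved ranges cannot be the origin of anything that came in from the Internet.
    if src_ip in OFFICE_LAN or any(src_ip in net for net in NEVER_FROM_OUTSIDE):
        return ("DROP", "spoofed source %s" % src)

    # Only traffic addressed to our public address is ours to translate.
    if dst_ip != PUBLIC_ADDRESS:
        return ("DROP", "not addressed to us")

    # NAT: published services are rewritten to the inside host; anything else has
    # no inside destination, which is exactly the protection NAT provides.
    if proto != "tcp" or dport not in PUBLISHED:
        return ("DROP", "no published service on %s/%s" % (proto, dport))
    inside_host, inside_port = PUBLISHED[dport]
    return ("FORWARD", inside_host, inside_port)


if __name__ == "__main__":
    for pkt in (("198.51.100.5", "208.204.46.167", "tcp", 80),
                ("198.51.100.5", "208.204.46.167", "tcp", 139),
                ("10.0.0.9", "208.204.46.167", "tcp", 80)):
        print(pkt, "->", filter_inbound(*pkt))
```

The order of the checks matters: the cheap sanity and anti-spoofing tests run before the translation table is consulted, so a forged packet never reaches the NAT step, and a probe for file sharing on port 139 is dropped simply because nothing inside was ever published on it.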
I suggest you ask the assistance of a network security technician to help you and your business develop a security solution. Let me emphasize a point here: Network security is a complex specialty that the average computer consultant does not get into too heavily.
While I understand all the foundational issues, I work with John Gray's firm to validate my proposals and then I have his firm set up the solutions for me. I highly encourage all of you to frankly ask your computer consultants about their security expertise, and do not be afraid to work with someone else they may recommend.
OK, here are my tips for securing your local area network from intruders. Please note this list is generic and is subject to dramatic change based upon your business's needs:
- Keep up on all of the security updates for your systems. For example, within the past 24 hours, I have received four security bulletins from Microsoft. While the bulletins normally are not glaring issues, the really good vandals will be getting these messages, too, and will learn how to exploit them against you. It is a lot of work. At this level, I suggest putting your security/computer consultant on retainer to address any security updates.
On that note, I suggest having your security consultant attempt a penetration attack after performing a vulnerability analysis. In the movie "Sneakers," Robert Redford plays a white hat hacker who gets paid by corporations to do just this. If you are using your Internet access for more than just e-mail and surfing the Web (for example, hosting your own Web site), I highly encourage this.
- If you do not have an anti-virus program, get one today. Internet access has become the bloodstream that these pesky and sometimes nasty viruses are flowing through.
- Just as your business or home may have an alarm system, you can and may want to consider an intrusion detection system for your network. This would notify you of suspicious activity and other telltales of a vandal interloping on your network.
- If you have a password to your server with administrative capabilities, change it. Do not use it except when needed, and do not give it out. The last key you want a vandal to have is the master key that opens the vault!
Change your passwords at least every 60 days, with a minimum of six characters including two numbers (treat six as an absolute floor; longer is markedly harder to guess, and anything deployed today should require considerably more). I suggest the passwords be set to rotate, and that the system remember the last five so your users are not bouncing between just two passwords.
- If you have file and print sharing running on Windows 9X systems, turn it off. This is a wide open door to any hacker. If you cannot afford to do so, set up the file and print sharing using passwords, and in either case make sure the firewall does not pass the file-sharing ports in from the Internet, so the shares are reachable only from inside the office.
- Learn, read and stay alert.
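The password rules in the tips above are easy to state and easy to get wrong when enforcing them, particularly the "remember the last five" part, which must not be implemented by keeping old passwords in the clear. The following is an added example, not code from the column: a Python policy checker that applies the column's minimum length, digit count and history depth, storing the history only as salted PBKDF2 hashes. The constants are the column's figures and are set that way purely to illustrate the mechanism; the length in particular should be raised well beyond six for anything deployed today.

```python
"""Added example: enforcing the column's password rules with a hashed history.

The limits are the column's figures, used only to show the mechanism.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 6       # the column's minimum; a floor, not a recommendation
MIN_DIGITS = 2
HISTORY_DEPTH = 5    # how many previous passwords a user may not reuse


def _digest(password, salt):
    """Salted, deliberately slow hash so the history never holds passwords in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(history, password):
    """Record an accepted password in `history`, keeping only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_DEPTH]


def check_password(candidate, history):
    """Return the list of rules `candidate` breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(ch.isdigit() for ch in candidate) < MIN_DIGITS:
        problems.append("fewer than %d digits" % MIN_DIGITS)
    # Each stored entry has its own salt, so re-hash the candidate per entry and
    # compare in constant time.
    if any(hmac.compare_digest(_digest(candidate, salt), stored) for salt, stored in history):
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems


if __name__ == "__main__":
    history = []
    remember(history, "summer00")
    print(check_password("summer00", history))   # reused
    print(check_password("win", history))        # too short, too few digits
    print(check_password("autumn01", history))   # acceptable
```

Because each history entry carries its own random salt, the same password produces a different stored value every time it is recorded, so an attacker who obtains the history file cannot spot users who cycle between favourites, and the rotation rule is enforced without the server ever keeping a usable copy of any password.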
Other Resources
On that last note, let me suggest the following resources for you to consider and use.
For another article on network security, I suggest visiting PC World's article on making your PC hackerproof at www.pcworld.com.
For a good site to test your PC's security vulnerability while avoiding nerdese, go to grc.com. You can test your system's security via its Web page, or download its IP Agent testing program to test your system more thoroughly. After running this program myself, I was notified, "Your computer is very secure against typical threats and discovery from passing Internet scanners." The site cannot cover every known threat but does give a good barometer indication of your threat level.
If you have a single computer connected directly to the Internet via a DSL router or cable modem, I suggest obtaining a personal firewall program, like Network ICE's BlackICE Defender at www.networkice.com, or a personal firewall appliance, like LinkSys' Instant Broadband EtherFast Cable/DSL Router at www.linksys.com.
Next month we'll address the internal security threat to your business. Let me leave you all this month with a network security axiom: "The only secure computer is one turned off, completely unplugged, and in the middle of a desert."