IT security doesn't need to cost a bundle, but you certainly can't
afford to be without it. Even the financially challenged can
implement a strategy that will stop the majority of cyber-attacks,
says Danny Bradbury
The problem with insurance is that many people only start
thinking about it after a disaster has occurred. This is also true
of security. Too many times companies have ignored the need for a
security strategy until after their systems have been hacked into
by an external mischief maker, or a disgruntled employee steals or
corrupts critical files. Unfortunately, because many companies skip
the security planning process early on, by the time they realise
that they need a security strategy they often don't have the budget
to implement one. This is especially true of smaller enterprises
without a core competency in IT. The result is that many companies
have to implement security on a shoestring.
Getting your security strategy wrong could bring disastrous
results, especially if you open up your applications and services
to Internet users. The IT industry has a history of documented
security breaches that have caused major damage to the reputation
of organisations. Witness, for example, the recent case of
CDUniverse, a music e-commerce site selling CDs. A hacker broke
into the company's back end systems back in January and stole
350,000 user names and credit card details. The hacker asked for
$100,000 from the e-commerce site, and posted the details online
when it wouldn't cough up. More recently, in March two teenagers
were arrested in Wales and charged with hacking into Web sites and
stealing consumer credit card numbers.
One of the cheapest and most effective things that you can do to
enhance your security is to educate your employees, says Kevin
Black, sales director of security consultancy Internet Security
Systems. Obvious clangers include employees who use obvious
passwords and don't update them, but there are many others.
IT staff who blame careless end-users for security holes may
well be able to close up some vulnerable areas by improving their
own procedures, according to Chris Potter, Partner in global risk
management solutions at Price Waterhouse Coopers. One common
mistake that systems administrators make is forgetting to keep
track of publicly available material on good practice, he says. As
new security threats appear, new ways of dealing with them will
also come to light, and staff must keep up-to-date.
Best practice isn't the only thing you should be keeping tabs
on. As new vulnerabilities come to light, they are often posted on
the Internet, either on the supplier's own site or on an
independent site. One example is Xforce, the vulnerability update
service run by ISS - check it out at www.ISS.net. Similarly,
Microsoft keeps a running update of security loopholes for its
operating systems on its own site, and usually publishes free
patches for end-users and systems administrators to download.
Checking these sites, and others relating to your particular
hardware and operating system on a regular basis will enable you to
stay one step ahead of the hackers. Making sure that you update
your virus protection software equally frequently will protect your
system from all of those dodgy virus-ridden emails.
Triage is a good way of increasing the effectiveness of your
security while minimising the impact on the corporate wallet.
Potter explains that prioritising your systems so that the most
critical applications get the most attention is a vital part of any
low-budget security policy. Customer-facing systems are generally
the ones that need the most attention because you are throwing open
your software to the outside world. Customers and other business
partners cannot always be trusted to adhere to your internal
security procedures, so you have to tighten up the protection in
this area. Needless to say, if you are involved in Internet-based
e-commerce the importance of security in your customer-facing
environment becomes even greater, and this will take priority over
back-end line-of-business systems which are further away from the
customer. You may choose to protect these back-end systems by
simply restricting communication between your middle tier
e-commerce application and your back-end order processing system
with the use of a batch transfer system between them rather than
allowing real-time data flow.
Another way of cutting back on your security budget is to rely
heavily on the security built into the operating system. This is
becoming more viable as operating system suppliers become more
security savvy. A good example here is Windows 2000. Microsoft has
reworked security within the system, integrating the well-known
Kerberos security system with its object-oriented Active Directory
network directory system. This makes it easier to manage internal
and external privileges and user identification. This is certainly
a big advance over previous versions of NT, says Malcolm Skinner,
product marketing manager at security tools supplier Axent.
"Because Lan manager is an easier thing to crack, that is what the
hackers went after," he says.
Nevertheless, just because an operating system includes enhanced
security doesn't mean that you can just slap it onto the server and
forget about it. The problem with advanced operating systems - and
Windows 2000 in particular - is that you have to have some
sophisticated configuration skills. Getting your directory
configuration wrong within Windows 2000 can create havoc at a later
stage, explains Black, echoing the opinions of other Windows 2000
experts. What you gain in security savings, you may therefore lose
in terms of skills investment. People who are good enough at
configuring this sort of software charge a high price for their
services.
Another cheap alternative to this is the pre-configured,
plug-and-play hardware/software combo. Steve Ashmore, pre-sales
consultant at security company Mirapoint, offers just such a
product in the form of his Internet Messaging Server. "You need
someone skilled in Exchange to put it on to a public network like
the Internet," he says.
"It can be done but I'm talking about the time and skill that is
required to ensure that all those doors are closed." Buying an
off-the-shelf product that comes with all of the security settings
prearranged takes some of the skills requirements away from the
customer, he argues. Of course, the downside to this is that a
pre-configured box offering a vanilla security configuration is
easier for hackers to crack. IT administrators therefore need to
balance the amount of money that they spend on customisation with
the potential vulnerability of such a system.
You could spend a great deal of money on security, and still
fail to create a system that is completely watertight. Unless you
are the Pentagon - and perhaps even if you are - there will always
be loopholes in your system. The trick is to cover the majority of
the gaps with the least amount of cash, so that any chinks in your
armour will only appeal to the really determined infiltrator. The
tools and technologies to achieve this are straightforward,
especially if your main concern is protecting a simple e-mail
server and Lan. The greatest tool that you can use, however, is the
one sitting on your shoulders. A little common sense goes a long
way.
Security tools for the financially challenged
Security software needn't cost the earth. In fact, it needn't
cost anything at all. There is a variety of low-cost and no-cost
software in the public domain that you can use to help secure your
IT systems.
- One of the most popular pieces of software is Blackice
Defender, from Netice. You can pick up this nifty piece of
software for just $40, but it will give you a firewall that you can
install on an end-user desktop or notebook PC. The product will be
of particular interest to SoHo users, along with corporate
employees who work from home a lot. Features include the ability to
detect unauthorised intrusion, gather information about the hacker
and block infiltration. The company also produces corporate
versions of the product.
- If you are more interested in securing your server for free,
then go to www.inet.no/dante to find out about Dante, a firewall
originally developed for OpenBSD and Solaris, but then ported to
other platforms. The system can run transparently on the server,
and is distributed under a free licence, complete with source code.
It was developed by Norwegian company Inferno Nettverk.
- Another devilishly clever piece of software is the Security
Administrator's Tool for Analysing Networks (Satan). This piece of
Unix software is designed to explore your Unix server to find
security loopholes. Running it will produce a list of problems that
you should solve to increase your security. The product also
includes tutorials that will help you fix any security issues on
your system. The home page for the product explains some of
the most common security problems revealed by the product. These
include old versions of sendmail, writeable anonymous FTP home
directory, remote shell access from arbitrary hosts and
arbitrary files accessible via TFTP - a worrying array of
security screw-ups. You would be well advised to run Satan
against your own network. The chances are that if you don't, a
hacker will.
- Communications between computers using unprotected Internet
protocols are notoriously vulnerable to sniffing, meaning that they
can be intercepted en route over the Internet. You can stop this
using Tunnel Vision, which has been made available for free by
those nice people at Canadian company Worldvisions. The system,
which needs a Linux kernel to run, creates an encrypted virtual
private network (VPN) between two computers running the software.
Go and get it from
www.worldvisions.ca/tunnelv/index.html.
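The script below checks a host you administer for three of the problems the Satan item above lists: a wildcard trust entry, a writeable anonymous FTP home directory and an unrestricted TFTP service. It is an added example, not part of the article or of Satan; the function names, the file locations passed in and the reading of -s as tftpd's directory restriction are assumptions.

```shell
#!/bin/sh
# Local checks for three of the findings listed above, run against your own host.
# File locations are passed as arguments; nothing here touches the network.

check_rhosts() {    # $1 = hosts.equiv or .rhosts file
    [ -r "$1" ] || return 0
    # A bare "+" in the host field trusts every remote host.
    if awk '$1 == "+" { bad = 1 } END { exit !bad }' "$1"; then
        echo "FAIL $1: '+' entry allows remote shell access from any host"
        return 1
    fi
}

check_ftp_home() {  # $1 = anonymous FTP home directory
    [ -d "$1" ] || return 0
    # -prune keeps find on the directory itself; test group/other write bits.
    if [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "FAIL $1: anonymous FTP home is group- or world-writable"
        return 1
    fi
}

check_tftp() {      # $1 = inetd.conf
    [ -r "$1" ] || return 0
    # Assumption: the tftpd in use confines itself to one directory with -s.
    if awk '$1 == "tftp" { ok = 0
                for (i = 7; i <= NF; i++) if ($i == "-s") ok = 1
                if (!ok) bad = 1 }
            END { exit !bad }' "$1"; then
        echo "FAIL $1: tftp enabled without -s, files outside its directory are reachable"
        return 1
    fi
}

audit() {           # returns the number of failed checks
    fails=0
    check_rhosts "$1"   || fails=$((fails + 1))
    check_ftp_home "$2" || fails=$((fails + 1))
    check_tftp "$3"     || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample inputs (not from a real host) so the script runs offline.
d=$(mktemp -d)
printf '+ +\n' > "$d/hosts.equiv"
mkdir "$d/ftp" && chmod 777 "$d/ftp"
printf 'tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd\n' > "$d/inetd.conf"
audit "$d/hosts.equiv" "$d/ftp" "$d/inetd.conf" || echo "$? check(s) failed"
rm -rf "$d"
```

On a real server, call audit with the paths your system uses for the trust file, the FTP account's home directory and the inetd configuration.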
Different security technologies
There are different types of security tool available and they
all have their place.
Firewall: Firewalls are absolutely necessary if you have
any intention of opening up your Lan to external communications.
One situation where you may be able to get away without using a
firewall is if you are connecting between two networks owned by the
same company over a very secure link. Buying an expensive,
sophisticated firewall may do you more harm than good if you don't
have the skill to configure it properly, because you may leave
loopholes in the system inadvertently. Buying a cheap and cheerful
firewall will offer you basic security without any bells or
whistles, and will be easier to implement.
Encryption: Hard disk encryption technology is included
as a feature within Windows 2000 Professional edition, and IPSec
encryption between the desktop and the server is also an integral
part of the software.
Anti-virus: This isn't really a freeware category, not
least because any anti-virus software worth its salt requires
ongoing updates from the software provider, which costs money. Many
smaller companies that have not trained their staff to deal with
incoming macro and .exe attachments will find themselves overrun
with viruses before they can say "Melissa". Virus protection
software is a very mature part of the security market, and it is a
commodity item. Spend the minimal amount required for a corporate
licence and be grateful that the software is available. When your
competitor is tearing its hair out trying to recover from massive
data loss and suffering the embarrassment of having passed the
viruses on to its customers, you'll realise how valuable your
investment was.