The mythology of Internet security

Although Internet security has grown up over the last 10 years, there are several myths that prevent real progress. NTA Monitor...

Although Internet security has grown up over the last 10 years, there are several myths that prevent real progress. NTA Monitor Ltd has compiled a list of the top 10 Internet security myths

Information is fast becoming the most valuable currency on the Internet. Consequently, protecting data from theft or corruption is a hot issue for most companies. There are, of course, many companies that test security. One such company is NTA Monitor Ltd (NTA).

NTA tests perimeter security. At a company's request, it carries out penetration testing to find holes in its security set-up. Few are given a clean bill of health, partly because IT staff rely on outdated or false information to plan security. As a result, NTA have located 10 common myths that recur among security "experts":

"As good as a firewall" syndrome

The first is the belief that in-house security measures are going to negate the requirement for a firewall. NTA refers to this as the "as good as a firewall" syndrome. Rather than pay for a commercial firewall, some companies believe that their software policies and set-up will protect them from attack. NTA states that this particular myth tends to be seen within organisations that have had several years experience on the Internet and whose security policies were originally made before commercial firewalls were available.

Staff who have worked within a company in an IT security capacity for a few years may believe they know all the risks and so take it upon themselves to declare their software design more effective than a commercial firewall. Unfortunately, because one person has designed it, its protection is limited to that person's knowledge and becomes dated and irrelevant soon after it is deployed. Security threats don't stop developing just because the security expert has finished developing his solution to the perceived problem.

Systems placed outside the firewall

Staff sometimes opt to place systems beyond the firewall. They set up perimeter security and then step outside it to test systems or avoid having to reconfigure them for new traffic. There are obvious legitimate reasons for companies to avoid letting some traffic through their firewall. They may not, for instance, wish suppliers or customers to be allowed in and yet still wish to communicate with them. This is often coupled with a misconception that there is no information of value in these outside boxes.

However, a system sat just outside the firewall is in just the right place to intercept all traffic, so that items like orders or email can be captured. Worse still, each time a legitimate teleworker connects back to the company through the firewall for FTP or telnet, their name and/or password can be sniffed.

Out-of-date systems

Time flies by for all of us. For Internet businesses, it flies even faster. Consider the industries' accumulated knowledge of security risks from attacks a year, or even six months ago. Internet businesses must keep their software up to date to prevent falling into the trap of having outdated systems that have (now) known security holes. A year ago, most of us thought Hotmail was unhackable.

Even a theoretical "perfect firewall" will be used to allow data through to internal systems - for email or web servers for example - and if these internal systems are using software with known problems, then the whole site is at risk despite having a firewall. All too often an organisation will have taken good care with all its perimeter components at the time of installation, but will then leave them neglected and unchecked for months or years. In the meantime, new security holes in the products they have in use become public knowledge on the Internet - and the organisation becomes a sitting target.

Misconfigured mail servers

Another great security risk (and risk to reputation) is that of spam. Spam, or unsolicited bulk email, costs virtually nothing to send and can be sent to 100,000 recipients in no time at all. What this means is that a spammer can annoy 100,000 existing or potential customers using your system.

Spammers often relay messages through badly set-up servers to avoid being deluged with flame mail responses from angry recipients. Some organisations allow message relaying for legitimate use but fail to set up the server properly. This provides the spammer with free access to the facility. This means that they spoof the "from and return" address line so that it appears to come from a legitimate source.

Another possibility could see your mail server collapsing under the strain, with the obvious problems for productivity and continuity of service. More seriously, the recipients may well believe the spam originated within your company and the resultant publicity can be catastrophic.

Letting people in

If you look at the average Internet business, it has outside suppliers that are allowed into the organisation in some form or another. These links must be protected. Even if a site's Internet connection is completely protected, there is a "back door" risk from shared organisational networks or supplier sites.

This problem tends to grow with organisational expansion. There is a need for direct buying or IT support, which means a compromise in terms of who the company lets into its network. There may be a number of external IT suppliers all creating new gateways into the company.

Trusting the supplier of security products

Security depends on trust. All companies must trust their staff not to steal data, their suppliers not to misuse their dial-in access privileges and their security suppliers to provide adequate protection. However, there is such a thing as being too trusting as many companies are finding to their peril. While you can trust suppliers of security, don't forget to test their systems for potential problems. Reviewing security systems on a regular basis is the job of the IT administrator or security officer, not the staff of that company too, so do not depend on user reports to find holes.

The most well-known security company may not always have the best product. Indeed, without testing there is no way to know. It is better to test often than pay for security breaches out of the company profits (or through the absence of them).

Leaving the back door open

Thinking outside the walls of the organisation is vital when ensuring that business over the Internet is secure. However, many companies use hosted web servers, which may have unknown or untested security risks. Companies should therefore never assume that a hosted web server is secure and should take steps to test and enforce their security policy with web servers used outside the organisation. It's vital to ensure that as an Internet business grows, the risk assessment expands to cover new servers, inside or outside the organisation.

Hosted web servers

Many organisations contract out the design and implementation of e-commerce and web applications. From a commercial point of view, it makes sense to "leave it to the experts". However, the most secure web transactions are those that are protected from attack at every point in the process. Companies have e-commerce applications built for them that encrypt all transactions using SSL, only to transmit them to badly secured servers within their organisation where the data can be attacked.

Dial-in access

Teleworking has raised a whole new set of security questions. One of these relates to dial-in access to services. Dial-in access is the process by which users dial in, through a modem or ISDN line, to the network to retrieve or send email, gain access to files, or sometimes to access services or place orders.

Many dial-in systems are set up incorrectly, allowing message relaying, which may lead to spamming or illegitimate use of the network (hacking). Many of these systems are put in place straight out of the box, with the default settings left on and inadequate authentication schemes. The question of how difficult a password system is to crack can depend wholly on how extensive the hacker's knowledge of Star Trek is, as the administrators who set these up can fall back on easily guessed passwords.

Effective anti-virus software

Viruses and Trojans can destroy a company in hours. Think what eight hours downtime would mean to the company's results. Think about the effect on share price or worker motivation. This is the clearest threat out there for Internet security businesses and it is one that all companies must take seriously.

Most companies have virus protection, of sorts. However, most virus checks are inadequate to cope with the needs of an Internet business. Having virus protection on every desktop in the company will avoid the propagation of most viruses within the office. Unfortunately, every worker with an Internet or email connection can still be infected through the mail server if there is no scanner on the Internet perimeter. The policy of just protecting the PCs and not the network from viruses means companies may inadvertently send out viruses to customers. To minimise this, anti-virus software must be updated regularly within any organisation and staff policies enforced to ensure appropriate use.

Ensuring your systems are safe, and remain safe, from security threats requires a mixture of hardware, software, vigilance and a certain amount of common sense. Being aware of the issues is the first step, the next is to fully audit your security measures and take advice.

For Internet businesses, there can be no excuses for service outages (after attack or spam relaying). Customers demand consistent service and this means constant vigilance against security threats.

Rachel Hodgkins

Read more on IT risk management