The protection racket

IT security doesn't need to cost a bundle, but you certainly can't afford to be without it. Even the financially challenged can...

IT security doesn't need to cost a bundle, but you certainly can't afford to be without it. Even the financially challenged can implement a strategy that will stop the majority of cyber-attacks, says Danny Bradbury

IT security doesn't need to cost a bundle, but you certainly can't afford to be without it. Even the financially challenged can implement a strategy that will stop the majority of cyber-attacks, says Danny Bradbury

The problem with insurance is that many people only start thinking about it after a disaster has occurred. This is also true of security. Too many times companies have ignored the need for a security strategy until after their systems have been hacked into by an external mischief maker, or a disgruntled employee steals or corrupts critical files. Unfortunately, because many companies skip the security planning process early on, by the time they realise that they need a security strategy they often don't have the budget to implement one. This is especially true of smaller enterprises without a core competency in IT. The result is that many companies have to implement security on a shoestring.

Getting your security strategy wrong could bring disastrous results, especially if you open up your applications and services to Internet users. The IT industry has a history of documented security breaches that have caused major damage to the reputationan of organisations. Witness, for example, the recent case of CDUniverse, a music e-commerce site selling CDs. A hacker broke into the company's back end systems back in January and stole 350,000 user names and credit card details. The hacker asked for $100,000 from the e-commerce site, and posted the details online when it wouldn't cough up. More recently, in March two teenagers were arrested in Wales and charged with hacking into Web sites and stealing consumer credit card numbers.

One of the cheapest and most effective things that you can do to enhance your security is to educate your employees, says Kevin Black, sales director of security consultancy Internet Security Systems. Obvious clangers include employees who use obvious passwords and don't update them, but there are many others.

IT staff who blame careless end-users for security holes may well be able to close up some vulnerable areas by improving their own procedures, according to Chris Potter, Partner in global risk management solutions at Price Waterhouse Coopers. One common mistake that systems administrators make is forgetting to keep track of publicly available material on good practice, he says. As new security threats appear, new ways of dealing with them will also come to light, and staff must keep up-to-date.

Best practice isn't the only thing you should be keeping tabs on. As new vulnerabilities come to light, they are often posted on the Internet, either on the supplier's own site or on an independent site. One example is Xforce, the vulnerability update service run by ISS - check it out at Similarly, Microsoft keeps a running update of security loopholes for its operating systems on its own site, and usually publishes free patches for end-users and systems administrators to download. Checking these sites, and others relating to your particular hardware and operating system on a regular basis will enable you to stay one step ahead of the hackers. Making sure that you update your virus protection software equally frequently will protect your system from all of those dodgy virus-ridden emails.

Triage is a good way of increasing the effectiveness of your security while minimising the impact on the corporate wallet. Potter explains that prioritising your systems so that the most critical applications get the most attention is a vital part of any low-budget security policy. Customer-facing systems are generally the ones that need the most attention because you are throwing open your software to the outside world. Customers and other business partners cannot always be trusted to adhere to your internal security procedures, so you have to tighten up the protection in this area. Needless to say, if you are involved in Internet-based e-commerce the importance of security in your customer-facing environment becomes even greater, and this will take priority over back-end line-up business systems which are further away from the customer. You may choose to protect these back-end systems by simply restricting communication between your middle tier e-commerce application and your back-end order processing system with the use of a batch transfer system between them rather than allowing real-time data flow.

Another way of cutting back on your security budget is to rely heavily on the security built into the operating system. This is becoming more viable as operating system suppliers become more security savvy. A good example here is Windows 2000. Microsoft has reworked security within the system, integrating the well-known Kerberos security system with its object-oriented Active Directory network directory system. This makes it easier to manage internal and external privileges and user identification. This is certainly a big advance over previous versions of NT, says Malcolm Skinner, product marketing manager at security tools supplier Axent. "Because Lan manager is an easier thing to crack, that is what the hackers went after," he says.

Nevertheless, just because an operating system includes enhanced security doesn't mean that you can just slap it onto the server and forget about it. The problem with advanced operating systems - and Windows 2000 in particular - is that you have to have some sophisticated configurations skills. Getting your directory configuration wrong within Windows 2000 can create havoc at a later stage, explains Black, echoing the opinions of other Windows 2000 experts. What you gain in security savings, you may therefore lose in terms of skills investment. People who are good enough at configuring this sort of software chargea high price for their services.

Another cheap alternative to this is the pre-configured, plug-and-play hardware/software combo. Steve Ashmore, pre-sales consultant at security company Mirapoint, offers just such a product in the form of his Internet Messaging Server. "You need someone skilled in Exchange to put it on to a public network like the Internet," he says.

"It can be done but I'm talking about the time and skill that is required to ensure that all those doors are closed." Buying an off-the-shelf product that comes with all of the security settings prearranged takes some of the skills requirements away from the customer, he argues. Of course, the downside to this is that a pre-configured box offering a vanilla security configuration is easier for hackers to crack. IT administrators therefore need to balance the amount of money that they spend on customisation with the potential vulnerability of such a system.

You could spend a great deal of money on security, and still fail to create a system that is completely watertight. Unless you are the Pentagon - and perhaps even if you are - there will always be loopholes in your system. The trick is to cover the majority of the gaps with the least amount of cash, so that any chinks in your armour will only appeal to the really determined infiltrator. The tools and technologies to achieve this are straightforward, especially if your main concern is protecting a simple e-mail server and Lan. The greatest tool that you can use, however, is the one sitting on your shoulders. A little common sense goes a long way.

Security tools for the financially challenged

Security software needn't cost the earth. In fact, it needn't cost anything at all. There is a variety of low-cost and no-cost software in the public domain that you can use to help secure your IT systems.

  • One of the most popular pieces of software is Blackice Defender, from Netice. You can pick up this nifty piece of software for just $40, but it will give you a firewall that you can install on an end-user desktop or notebook PC. The product will be of particular interest to SoHo users, along with corporate employees who work from home a lot. Features include the ability to detect unauthorised intrusion, gather information about the hacker and block infiltration. The company also produces corporate versions of the product.

  • If you are more interested in securing your server for free, then go to to find out about Dante, a firewall originally developed for OpenBSD and Solaris, but then ported to other platforms. The system can run transparently on the server, and is distributed under a free licence, complete with source code. It was developed by Norwegian company Inferno Nettverk.

  • Another devilishly clever piece of software is the Security Administrator's Tool for Analysing Networks (Satan). This piece of Unix software is designed to explore your Unix server to find security loopholes. Running it will produce a list of problems that you should solve to increase your security. The product also includes tutorials that will help you fix any security issues on your system. The home page for the product, explains some of the most common security problems revealed by the product. These include old versions of sendmail, writeable anonymous FTP home directory, remote shell access from arbitrary hosts and arbitrary files accessible via TFTP - a worrying array of security screw-ups. You would be well advised to run Satan against your own network. The chances are that if you don't, a hacker will.

  • Communications between computers using unprotected Internet protocols are notoriously vulnerable to sniffing, meaning that they can be intercepted en route over the Internet. You can stop this using Tunnel Vision, which has been made available for free by those nice people at Canadian company Worldvision. The system, which needs a Linux kernel to run, creates an encrypted virtual private network (VPN) between two computers running the software. Go and get it from

    Different security technologies

    There are different types of security tool available and they all have their place.

    Firewall: Firewalls are absolutely necessary if you have any intention of opening up your Lan to external communications. One situation where you may be able to get away without using a firewall is if you are connecting between two networks owned by the same company over a very secure link. Buying an expensive, sophisticated firewall may do you more harm than good if you don't have the skill to configure it properly, because you may leave loopholes in the system inadvertently. Buying a cheap and cheerful firewall will offer you basic security without any bells or whistles, and will be easier to implement.

    Encryption: Hard disk encryption technology is included as a feature within Windows 2000 Professional edition, and IPSec encryption between the desktop and the server is also an integral part of the software.

    Anti-virus: This isn't really a freeware category, not least because any anti-virus software worth its salt requires ongoing updates from the software provider, which costs money. Many smaller companies that have not trained their staff to deal with incoming macro and .exe attachments will find themselves overrun with viruses before they can say "Melissa". Virus protection software is a very mature part of the security market, and it is a commodity item. Spend the minimal amount required for a corporate licence and be grateful that the software is available. When your competitor is tearing its hair out trying to recover from massive data loss and suffering the embarrassment of having passed the viruses on to its customers, you'll realise how valuable your investment was.

    More e-security news

  • Read more on IT risk management