It’s early Tuesday morning and you’ve just arrived at work. As you sit with a cup of coffee going through your mail, your phone rings — it’s your boss, sounding alarmed. “I’ve just had a call from some American security agency. Apparently they’ve traced us because our computer’s been trying to hack into the Pentagon. What on earth have you been up to?”
It’s an amusing thought but a serious reality: New Zealand companies don’t take network security seriously enough. The IT manager in question has probably never dreamed of hacking the Pentagon — an outside hacker has just taken advantage of the fact he never changed his server password from the factory-set one, and is using it for her own nefarious ends.
Mike Kennedy, managing director of security company Extranet, says he regularly talks to ISPs about small businesses developing their first e-commerce sites.
“The other day one told me that for every 10 companies signing up for an e-commerce site, only one will be interested in any form of security at all — and that one probably only wants a basic firewall.”
New Zealand business is mostly made up of small to medium-sized companies. They’re finally getting the message that they should be on the Internet or at least have email and browser access, but no-one’s really getting the message through about how vulnerable that makes them.
After all, the argument goes, who would want to hack a small, remote company that makes (let’s say) socks with bungy-jumping kiwis on the side?
That’s where people miss the point, says Kennedy. “You’re not a little New Zealand company. You’re just an IP number among millions of others, and there are people who sit there constantly scanning for security gaps. They’ll pick you up.”
There are hundreds of hacker groups around the world, he says, and Extranet tries to keep an eye on what they’re up to.
It’s not necessarily your information they’re after, he says, though even sock manufacturers have competitors who’d love to see their figures and new designs.
“Often they’ll use the server for themselves. They get into your NT server using one of the standard passwords and then use it to conduct other activities and disguise who they are. It may not do you any harm until you find that your server’s been involved in hacking.”
Similarly, he says, if someone wants to put a company out of action, they can line up thousands of machines like yours and get them to interrogate another server until it overloads and falls over. Your machine could be one of the interrogation squad — or one of the ones that gets attacked.
According to industry sources, this is what happened to Amazon.com, eBay and others recently.
It doesn’t do any long-term damage but how will your business cope with the server out of action? “They just do it for a laugh,” says Kennedy, but it’s not going to be funny if it happens to you.
Interconnect security business manager Mike Conboy recently travelled to San Jose, California to attend the RSA 2000 conference on security issues and has returned full of ideas for New Zealand business.
One of the biggest issues to come out of the conference, he says, is that of due diligence: have you done everything that could reasonably be expected of you in terms of security?
While people are getting more confident about sending their details to a secure site, he says, “where is it stored on that e-commerce system?”
The recent case where credit card numbers were stolen from CD Universe’s site is a perfect example of what can go wrong, he says.
“The issues are the policy and procedure as to what these people actually do with your information. It’s not enough to have email encryption — you need to look inside the network.”
In the US, says Conboy, cases are already coming up in the courts — people are suing where their information has been used incorrectly and arguing that the CEO failed to take due diligence regarding the security of that information.
Even if you avoid the court case, the business damage is huge.
So what can companies do? First of all, look inward. The majority of security breaches don’t come from outside anyway — employees and former employees can do a lot of harm. They might delete or alter files, email your customer list to competitors, or just spend huge amounts of unproductive time surfing the Web.
“You’ve got to define what people in each job can do,” says Conboy.
“Your network administrator can look at all your email if she wants — but do you want her to? You have to enforce what people can and can’t do.”
That’s getting easier with new products on the market, he says, which more strictly control what people can do.
Keeping on the straight and narrow
Blocking non-work related URLs and filtering email can improve productivity and also protect the company from lawsuits if staff are viewing porn or emailing unsavoury material.
“There’s more to it than that, as well,” says Conboy, “because how do staff know, when they look at a site, that the code coming down is what it says it is? You can get ActiveX and Java applets coming down and finding out information about you, maybe looking for a Quicken file that has credit information.”
The dangers are real, he says, and technologies are being developed to identify these problems but many companies still aren’t aware enough.
And of course, make sure staff have regularly-changed, difficult-to-guess passwords to keep security up. It’s hard and they’ll fight it, but it’s vital.
Having sorted out internal problems, it’s time to look at whether your firewall is sufficient.
Cheap firewalls are all very well, says Kennedy, “but a third of our business is in replacing substandard security systems. They either can’t do the job at all or they’re too limited and can’t expand to do what the company wants. The higher-end firewalls are pretty configurable because they’ve anticipated what you’re likely to want to do but the lower-end ones don’t have that level of sophistication.”
Another vital difference, he says, is that the better products start by blocking every communication in and out of your network, so that you have to decide what gets through and open holes for it.
“The others have everything open, and you have to close it all. That takes a fair degree of expertise, to think of all the things that have to be closed off.”
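To make the two starting points concrete, here is an added example (the editor's, not Extranet's product or anything from the original article) that models a stateless packet filter in Go: an ordered rule list with first-match semantics and a default policy applied when nothing matches. The two rule sets, the port numbers and the scan they are run against are constructed for illustration. The default-deny set only has to list the handful of services the business uses; the default-allow set is only as good as the administrator's memory of every service that needs closing, and here the database port was forgotten.

```go
package main

import "fmt"

// Packet is what a stateless filter sees of a connection attempt.
type Packet struct {
	Dir     string // "in" (from the Internet) or "out" (from the LAN)
	Proto   string // "tcp" or "udp"
	DstPort int
}

// Rule matches on direction, protocol and a destination port range; an empty
// Dir or Proto matches anything. The first matching rule decides the packet.
type Rule struct {
	Dir, Proto       string
	FromPort, ToPort int
	Allow            bool
}

// Firewall is an ordered rule list plus the policy used when no rule matches.
type Firewall struct {
	Rules        []Rule
	DefaultAllow bool
}

func (r Rule) matches(p Packet) bool {
	return (r.Dir == "" || r.Dir == p.Dir) && (r.Proto == "" || r.Proto == p.Proto) &&
		p.DstPort >= r.FromPort && p.DstPort <= r.ToPort
}

// Permits walks the rules in order and falls through to the default policy.
func (fw Firewall) Permits(p Packet) bool {
	for _, r := range fw.Rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return fw.DefaultAllow
}

// DenyByDefault is the "block everything, then open holes" product: the rules
// list only the services the business actually uses (constructed example).
func DenyByDefault() Firewall {
	return Firewall{DefaultAllow: false, Rules: []Rule{
		{Dir: "in", Proto: "tcp", FromPort: 25, ToPort: 25, Allow: true},   // incoming mail
		{Dir: "in", Proto: "tcp", FromPort: 80, ToPort: 80, Allow: true},   // the web shop
		{Dir: "out", Proto: "tcp", FromPort: 80, ToPort: 80, Allow: true},  // staff browsing
		{Dir: "out", Proto: "tcp", FromPort: 443, ToPort: 443, Allow: true},
		{Dir: "out", Proto: "udp", FromPort: 53, ToPort: 53, Allow: true}, // DNS lookups
	}}
}

// AllowByDefault is the "everything open, close what you can think of" product.
// The administrator remembered telnet and NetBIOS but not the database port.
func AllowByDefault() Firewall {
	return Firewall{DefaultAllow: true, Rules: []Rule{
		{Dir: "in", Proto: "tcp", FromPort: 23, ToPort: 23, Allow: false},   // telnet
		{Dir: "in", Proto: "tcp", FromPort: 135, ToPort: 139, Allow: false}, // RPC/NetBIOS
		{Dir: "in", Proto: "udp", FromPort: 137, ToPort: 138, Allow: false},
	}}
}

// Scan is a constructed probe list: the two ports the business wants reachable
// plus three an attacker would try against a Windows NT server.
var Scan = []Packet{
	{"in", "tcp", 25}, {"in", "tcp", 80},
	{"in", "tcp", 139}, {"in", "tcp", 1433}, {"in", "tcp", 3389},
}

// Reachable returns the destination ports the firewall lets the probes reach.
func Reachable(fw Firewall, probes []Packet) []int {
	var ports []int
	for _, p := range probes {
		if fw.Permits(p) {
			ports = append(ports, p.DstPort)
		}
	}
	return ports
}

func main() {
	fmt.Println("default-deny exposes ports: ", Reachable(DenyByDefault(), Scan))  // [25 80]
	fmt.Println("default-allow exposes ports:", Reachable(AllowByDefault(), Scan)) // [25 80 1433 3389]
}
```

Running it shows the same scan reaching only ports 25 and 80 through the default-deny policy, while the default-allow policy also exposes 1433 and 3389 simply because nobody wrote a rule for them. A real product adds connection state tracking and source-address matching, but the shape of the decision is the same: with deny-by-default, forgetting a service costs you a help-desk call; with allow-by-default, it costs you the server.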
Firewalls in demand
The growth of extranets and virtual private networks has increased the need for firewalls and security enormously because suddenly everyone is opening up information that used to be kept under wraps.
“With e-commerce and all the other growth areas you have to remember that you’re putting your cash register out there,” says Kennedy.
“If you were putting your real cash register out in the street, you’d make sure it was secure!”
People carrying laptops with confidential information also cause major headaches for employers, he says.
“A mortgage manager’s laptop, for example, has so much personal information about clients that it would be a disaster if it got lost — so we sell software to encrypt the hard disk. Banks and government agencies are just beginning to recognise how serious this is.”
It’s also getting more and more vital to make sure people can access the information they’re entitled to and no more, says Conboy, because people often share access to equipment but aren’t allowed to see the same data.
New technologies that are starting to take off include “proximity devices” that let a computer know who you are, biometric readers to scan fingerprints and irises, smartcards and authentication tokens which give an ever-changing password to be combined with a PIN.
Eventually, PKI or public key infrastructure (see box) will take off and make security much easier, he says.
“I’ve been going to the RSA conference for five years and every year they say ‘this is the year of PKI’ but I think it might be for real this time.”
Companies are finally moving from talking about the technology to talking the business case, he says, and explaining how it will actually work. “It’s a classic IT problem, in that it’s got to be easy or people won’t use it. There’s still plenty of talk about the technology but there were a few smart vendors talking business practice and ease of use.”
Now he just has to persuade New Zealand companies that it matters enough to spend the money.
Things are getting better, says Asia Online (formerly Iconz) product manager Geoff Mason, with companies starting to understand the risks, and more ready to spend now that Y2K is (almost) past without trouble. “We go in on a consultancy basis and point out the weaknesses in their networks. Most are starting to look forward now, considering moves to e-commerce and so they take in the security aspects too.”
They tend to have read enough about the security issues to recognise they need to take care, he says.
It’s just an education problem, agrees Patrick Carson, Telecom’s marketing manager, IT partnering and packaging. Most companies in New Zealand are only now starting to get involved online and don’t know why or whether they need protection, he says.
“And you have to keep it in perspective. If they’re just using the Web for information exchange and nothing mission critical, it may not be that big a deal.”
But problems can turn up for any company connected to the Web, says Kennedy.
“We hear about lots of near misses and a few catastrophes — there are at least two or three incidents a week where we’re asked to investigate. So we’re not scaremongering — people do suddenly get picked on and find there’s 200 machines attacking their mail server.
“If they’d had a firewall, they’d just have got a little message from it warning this was happening. Or more likely, it wouldn’t have happened at all because they weren’t an easy target.”
Gillian Law is a Computerworld reporter. Phone her at: 0-9-302 8775.
Security lessons from the airport
By Gillian Law
In a corporate whitepaper on content security, Worldtalk Corporation makes an analogy between the types of security products available and an airport’s security system.
Network security products or access security products are the immigration department. They decide who can come in and who can get out. Driven by network firewalls, these are the most commonly adopted security products.
Content security products are the customs department. They determine what comes in and goes out, operating at the application level (such as email and Web applications) and monitor the content of the data.
Authentication products are the passport issuing agency, these create identities for users for identification and authentication. Certificate Authorities, plus hardware and software tokens create these network passports.
Security assessment tools are the surveillance cameras. These products let organisations determine their exposure to security risks and rate security measures they might take.
They will detect intrusions to the corporate network and monitor network resource abuses by both authorised and unauthorised users.
Public key future rests on standard
By Gillian Law
We’re told this is going to be the year of PKI (public key infrastructure) — so what is it and how does it work?
In essence, public key encryption gives each user a private language. Anyone can write to you in it, but only you can read it, so no one else can read your mail.
Every device will have encryption software and two keys: a public key for distribution to other users and a private key which is kept and protected by the owner.
When I send a message from my PC in Auckland to a colleague in Dunedin, I use her public key (which she has previously given to me).
That converts the mail into her language. Using her private key, she’ll decrypt it into straightforward English.
This only really works, of course, if there’s some way of administering who gets what key and making sure that people are who they say they are. That’s where a PKI comes in, enabling the centralised creation, distribution, tracking and revocation of keys.
The first step is authentication, making sure that people are who they say they are. While password logons are a possibility, the most likely (and secure) method is digital certificates.
When you apply for a certificate, the certificate authority will check your identity with a registration body and then issue the certificate (in the form of a digital document) containing your name and your public key, signed with the CA’s own digital signature. Anyone who trusts the CA can check that signature, so the certificate can be used to prove who you are and to hand your public key to others. So far New Zealand has only one digital certification provider — Wellington-based 128i.
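The Auckland-to-Dunedin exchange and the certificate step it depends on, as an added worked example in Go (the editor’s, not the article’s or 128i’s code): a CA issues itself a root certificate and certifies the Dunedin colleague’s public key; the Auckland sender checks that certificate against the root before encrypting, and the colleague decrypts with her private key. It uses the X.509 certificate format and RSA-OAEP from Go’s standard library. The names, the “Example Root CA” and the impostor who presents a self-signed certificate under the colleague’s name are all constructed for the example. The impostor shows what the CA step buys you: a key the CA never vouched for is refused even though the name on it is right.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newParty generates a 2048-bit RSA key pair for name and issues an X.509 certificate for its
// public key: signed by signerKey under parent, or self-signed when parent == nil (the CA root).
func newParty(name string, parent *x509.Certificate, signerKey *rsa.PrivateKey,
	isCA bool) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA key only signs certificates
	}
	if parent == nil { // self-signed: issuer == subject, signed with the party's own key
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// EncryptTo is the Auckland side. It uses the public key in the recipient's certificate only
// if that certificate chains to the trusted root, i.e. the CA vouched for this name/key binding.
func EncryptTo(root, recipient *x509.Certificate, msg []byte) ([]byte, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := recipient.Verify(opts); err != nil {
		return nil, fmt.Errorf("refusing to encrypt to %q: %w", recipient.Subject.CommonName, err)
	}
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("%q: certificate does not carry an RSA key", recipient.Subject.CommonName)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil) // RSA-OAEP with SHA-256
}

// Decrypt is the Dunedin side: only the matching private key reverses EncryptTo.
func Decrypt(key *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ciphertext, nil)
}

// Scenario is constructed fixture data: CA root, certified colleague, self-signed impostor.
type Scenario struct {
	Root                      *x509.Certificate
	DunedinKey, ImpostorKey   *rsa.PrivateKey
	DunedinCert, ImpostorCert *x509.Certificate
}
func BuildScenario() (*Scenario, error) {
	caKey, root, err := newParty("Example Root CA", nil, nil, true)
	if err != nil {
		return nil, err
	}
	dKey, dCert, err := newParty("colleague@dunedin.example", root, caKey, false)
	if err != nil {
		return nil, err
	}
	iKey, iCert, err := newParty("colleague@dunedin.example", nil, nil, false)
	if err != nil {
		return nil, err
	}
	return &Scenario{root, dKey, iKey, dCert, iCert}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	ct, err := EncryptTo(s.Root, s.DunedinCert, []byte("Q1 sock figures attached"))
	pt, _ := Decrypt(s.DunedinKey, ct)
	_, rejected := EncryptTo(s.Root, s.ImpostorCert, []byte("hello"))
	fmt.Printf("Dunedin reads %q (err=%v)\nimpostor: %v\n", pt, err, rejected)
}
```

What the example leaves out is the rest of the infrastructure the box describes: the registration check before issuance, distribution of the root certificate to every sender, and revocation (a certificate whose private key has leaked is still mathematically valid until a revocation list or status service says otherwise). The verification step in EncryptTo is the one piece no sender may skip, because without it any self-signed certificate bearing the right name would be accepted.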
PKI is still ‘future’ technology with several standards being promoted and no authorities yet established, but it will make for more secure communications than are currently available.