The expert view on computer security

13 Feb 2003

The internet has been a double-edged sword for the business community. While it has undoubtedly opened up huge commercial opportunities, it has also increased the threat from viruses and hackers.

The most recent computer security survey performed by the Computer Security Institute and the Federal Bureau of Investigation estimated that in the US alone, the cost of security breaches amounted to US$455m in 2001. Of those companies surveyed, 74pc cited their internet connection as a key point of attack.

Against this background, we have asked several experts to look at hypothetical case studies of security breaches and recommend a course of action. Below, Hugh Marron of IP Options and Conor Flynn of Rits Information Security Consulting give their antidote to an imaginary hacking incident, while next week two more security experts will look at how to deal with a virus attack. The series will conclude with a special e-security feature in Digital Ireland (the monthly technology supplement to the Irish Independent) on 27 February.

The security problem:
Acme Ltd is a medium-sized manufacturing company with 300 office-based employees, all of whom have PCs. The company also has an intranet site running off a SQL (structured query language) Server database. Acme employs a full-time IT manager who installed a firewall two years ago but has been too busy to update it since. Last month, someone hacked into the company’s intranet site and posted obscenities on the homepage. Management suspects a former employee – a computer programmer – who had been made redundant six months before. The breach of security is embarrassing for the company and its IT manager has been instructed to tighten up security so that such an attack cannot happen again. How should he go about it?

Hugh Marron, business development manager, IP Options:
“The first question to ask is how the hacker got access to the network. In this case, a former employee is suspected, so maybe he worked from home occasionally and therefore had remote access. It might be that his Windows NT account wasn’t disabled when he left the company, so he could have had secure virtual private network access through the firewall. If his own account was disabled, did he have friends in the company whose password he could use? Or he could have used the age-old tactic of social engineering – ringing up the company to solicit passwords from an unsuspecting employee.

Another possibility is that the company was testing wireless connectivity and had an unsecured wireless access point stuck onto its network. If this was the case, the hacker could have sat outside the office and got access to Acme’s wireless local area network (WLAN) using his laptop, wireless card and some freely available scanning software. I think wireless networks are going to pose the greatest security threat over the coming years because they extend your network beyond the walls of your office. There is default security within WLAN systems but it can be breached pretty easily.

In summary, the security strategy I would recommend for this company would be, firstly, to have a strong password policy in place. Passwords should be changed on a regular basis, particularly critical passwords such as administrator and firewall passwords.

Second, two-factor authentication should be introduced to access critical servers, for example a personal identification number plus a smart card.

Thirdly, firewalls should be carefully monitored and maintained. Any accounts that are set up through the firewall should be disabled as soon as the person leaves and again, there should be some sort of password management in place.

Next, if an unauthorised user does gain access to your network you want to make it as difficult as possible for them to access key systems. This is why all web servers, be they internal or external, need to be locked down, ie you will carefully control who has access to them and restrict each server specifically to the role required of it. In many cases, companies don’t fully secure their intranet servers because they don’t see a threat coming from inside the company.

Finally, security sign-off policies are very important. If a person leaves a company, there should be a human resource sign-off sheet that says that his Windows account has been disabled, remote access has been disabled, his laptop taken back and so on. With computer security, the simplest measures can sometimes have the biggest impact.”

Conor Flynn, technical director, Rits Information Security Consulting:
“There’s no point in spending a lot of money on new controls without identifying how the incident actually occurred.

First, I would look at the logs on the firewall to see whether any traffic came in at the time of the hacking. To determine that, you have to look at the machine that was hacked, the intranet server, to determine where the obscenities were placed. Also, as the contents of the website were being fed from the SQL Server database, the hacker could have compromised this server and changed the entries on the database.

The company should also try to determine where the offensive material is being stored on the server and what dates and time stamps are on those files. By so doing, they can build up a picture of what time of day or night this incident would have happened. It may be that there was inadequate physical security in the building at night and the ex-employee had his own keys to let himself into the building.

The next question is whether the employee had remote access and whether this access was disabled when he left. We often find that companies don’t disable employees’ remote access accounts after they leave or else have a shared account for everyone – one user name and password for remote access. These are all things that need to be changed but there’s no money required; they are just policies and procedures.

Moving into the preventative area, basic things such as hardening the intranet server and SQL Server, ie patching the security holes and reviewing the rules, are very important.

Firewall maintenance is another key action. The company should review the rules and see what versions of software are on the firewall and the operating system the firewall is running on to make sure that isn’t a weak point. It should also get into a habit of reviewing the firewall logs to identify if people are trying to get in and if someone does come in who shouldn’t be.

Finally, the company should properly control remote access with individual user names and passwords and ensure that remote access accounts are disabled when employees leave the organisation.”

By Brian Skelly