Securing the Internet

Securing the internet infrastructure that underpins corporate America has taken on a new urgency - some even call it a panic - as the nation moves deeper into its war on terrorism.

Professionals in both information protection and traditional security say the sudden rush to find solutions underscores a change in a long-held attitude - confirmed by an American Institute for Industrial Security study three years ago - that "it can't happen here."

That attitude led many corporations to put security spending on hold, leaving vast holes in network protection just as Internet attacks on companies doubled.

But the Sept. 11 terrorist attacks and the en suing barrage of government and intelligence com munity warnings about vulnerabilities of critical systems have washed away much of that complacency. In its wake is a growing movement among corporations to assess their security risks in detail, overhaul security budgets and protect themselves using both heightened traditional and high-tech methods.

"The response has been huge - unbelievable," said Caroline Hamilton, president and founder of Maryland's RiskWatch, which does detailed risk assessments for large corporations and government agencies. "I've never seen demand like this in the 10-year history of our company. Companies who've told us they don't have security problems are calling with their credit cards in hand."

Terrorist attacks or no, the latest numbers from the Computer Emergency Response Team Coordination Center, a security response group, should be enough to make I-managers review their Internet security. CERT last week said it has counted nearly 35,000 attacks and probes into company computers in the first nine months of this year.

At that rate, CERT's tally should top 46,000 for the year, more than double the 22,000 incidents reported last year.

But the Internet security landscape is strewn with unanswered questions. Can technological innovations themselves thwart cyberattacks, especially those launched by armies of terrorist hackers, who, many fear, could cripple the nation's ability to deliver goods and services?

Are firewalls and virtual private networks enough to protect critical infrastructure and the privacy of data for customers and clients? Or do we face more draconian measures - like shutting off access to information systems for all but a company's most trusted employees?

And how do those responsible for information systems ensure that employees with access to sensitive systems - especially those that could affect public safety - are trustworthy?

In short, where are the holes that need to be filled, and what are the most important priorities?

The search for answers is taking place in corporate boardrooms, in e-mail musings between technology officers and engineers and on golf courses between information systems peers.

What is emerging, said Francis Juliano, chief technology officer of international business auction house DoveBid, is something less than consensus over how far corporations should go to protect themselves, their personnel and their clients.

"The Internet has become an appliance like the telephone, television and indoor plumbing," Juliano said. "We don't have to have it to live, but we have come to rely on it. To prevent attacks that can shut that system down relies on the collaborative efforts of everyone on the Internet to defend it.

"I talk to CIOs [chief information officers] and other CTOs of corporations, and there is a lot of concern. If the Internet goes down, there is no one person to fix it. And the issues are so far-reaching, so complex, where do you start?"

While security coordination is a muddy issue, one thing is clear: There is a new resolve in corporate hierarchies to make security a priority - a resolve that corporate security experts say did not exist just six weeks ago.

In dozens of interviews conducted by Interactive Week, I-managers, information security experts, security consultants and corporate executives echoed a recurrent theme as companies scrambled to cope with the idea that the nation is at war with an enemy that is often invisible - and with the fact that they could become targets.

Corporate officials said they are re-evaluating and reassessing all levels of security. Oft-mentioned issues included Internet vulnerabilities to worms and viruses; ways to bypass secure entrances; and learning more about the habits of employees.

Bob Forbes, executive vice president and founder of Authentor Systems in Colorado, said he foresees new security systems that will not only watch the front and back doors, but track employees' personal habits - from the time they clock in, to the time they log on - and notice when norms are not followed.

"Hard outer shells are suddenly getting a lot of attention, just as the demand for access is increasing," he said. "You typically can't increase access and security simultaneously. So you turn to behavior-based models as opposed to, say, firewalls that have static rules, that don't look at the type of information a user is requesting."

The economic reality of increasing security is finding expression in prioritization - and in the recognition that more sophisticated technology is not the only answer. Confirming that security policies are in place and are adhered to and planning reactions to worst-case scenarios are becoming part of a new corporate mindset, insiders said.

In many cases, corporations are scrambling to find funds in an almost stagnant economy to pay for technological tripwires, more security personnel and higher walls around information systems.

"The tragic events of Sept. 11 have been a cold, hard slap in the face to senior corporate managers who once paid lip service to security, but failed to allow long-term or short-term budget planning," said Marquis Grove, a director of Information Systems Security of Ottawa.

Within many companies and among security advisers there is also movement toward integrating physical and information security systems, to present a "hardened target" to terrorists, criminals and even disgruntled employees who try to disrupt business.

"Information technologists and corporate security managers have long enjoyed a love-hate relationship," said Grove, who doubles as information security director for an international Fortune 50 company.

"Unfortunately, there has been a long history of self-interest and self-promotion between the two groups that left them usually opposing measures being put forward by the other group," he said. "This reflected the fortress mentality of the past, where managers were more interested in protecting the size and function of their department than in what was best for the company."

Now, however, threat and risk assessments are in high demand at corporations of all shapes and sizes, from giants like Boeing to small firms - for which the faulty security of networks they hire to deliver their services could mean financial ruin.

Agencies of the federal government are also turning to private security interests to run risk assessments on networks, Web sites and other points of access to confidential information that could be valuable to international enemies.

Some corporations, like the Kansas' Yellow Freight national trucking company, said they have not made dramatic changes in security, but have thoroughly reviewed their procedures and sent blanket reminders to all employees to be alert for security breaches.

For others, it is clearly a brave new world of information and physical security, transformed in ways that were almost inconceivable before the terrorist events just six weeks ago.

Juliano said DoveBid has added redundancy to its operations to allow the company to run entirely from any of its three major U.S. facilities. It's also started reviewing security systems on "a daily, rather than weekly, basis," and is even checking names of suspected terrorists released by the FBI against its employees and system users.

While emergency reactions are under way to beef up security across the country, there remains an uneasy feeling that the most sophisticated of high-tech solutions are really only as good as the lock on the back door.

RiskWatch's Hamilton noted that electronic surveillance of facilities, biotech identity systems and other security measures are great - if the server on which they may all operate is safe.

"Take out the server, and what good is the security system?" she asked.

Forbes said such elementary steps as changing passwords regularly or making them more secure have been ignored by many businesses. A frequent complaint is that employees leave their passwords on sticky notes attached to keyboards, making the entire system vulnerable.

Such security concerns aren't limited only to small corporations.

"The range of clients seeking our assistance is running the full gamut," Grove said, "from major banking institutions, manufacturers, pharmaceutical companies, telecommunications players, Internet service providers, government agencies, hydroelectric operators, to food chain and agricultural companies. . .

"As such, there is no single silver bullet or blanket solution that can be draped over all companies. Each has specific needs, shortcomings, levels of risk that they are willing to assume, and levels of budgets that they are able to expend," he said.

Complex Networks

Network security experts say that while someechnologies are more prone to security breaches than others, the sheer complexity of modern enterprise networking is the greatest weakness for most companies.

I-managers responsible for evaluating new technologies have to understand how those technologies interact with existing setups, and make sure adequate resources are applied to maintaining high-touch systems. Individually, almost any communications service could be perceived as a security risk.

Private lines are staples of many enterprises, but new network vulnerabilities are leading I-managers to question whether they can afford to live with known security flaws in this immensely popular technology.

"AT&T has been hacked before," said Chris Calabrese, an Internet security analyst of a major health care company. "If you are going to use private lines, you have to understand you are relying on AT&T security, and you have to put it in all your contracts."

Most technologies that land on security experts' black list are new. They end up there for a simple reason: Not enough is known about their security flaws. They include network-based virtual private networks (VPNs), Multiprotocol Label Switching and Internet Protocol Security alike, and are mistrusted because customer traffic travels unencrypted from the origination point to the carrier's network.

Domain Name System servers and Border Gateway Protocol routers fall into that category because too few are patched properly against vulnerabilities. And fears persist over most Web-based technology that is open to viruses and worms - which covers almost any Internet technology.

Steve Bellovin, an AT&T Labs Research security scientist, pointed out that the technologies with the most vulnerabilities are the most popular ones - Web servers, Web browsers and mailers. But most of the problems that arise with those come from lack of maintenance; patches were available to prevent most recent virus outbreaks, including Code Red, he said.

I-managers should start to face the realities that, even with firewalls in place, most people are likely to sacrifice security for convenience, Bellovin said. A case in point was the Internet Engineering Task Force's recent infiltration by a virus that got in through an unsecured laptop used to dial in to the IETF network.

Should companies ban laptops from connecting to their local area networks? Experts said no. But security managers should spend more money and get firewalls they can control remotely so that they can refuse access to certain applications. Bellovin said some of the worst vulnerabilities can be introduced when users allow their computers to operate as servers for certain applications, a common practice with popular peer-to-peer file sharing setups.

Another reality of today's security situation is that most Web servers are vulnerable because most of their holes can't be patched - at least, not all at once.

"Web servers are very dangerous," Bellovin said. "I basically view those as sacrificial machines."

Whatever you do in your networks, he said, don't make a Web server a front end to your database, especially if valuable information such as credit card numbers is stored there. Put that database on a separate server, build a firewall in between and restrict the language spoken between the two machines. The main objective here is to ensure that the Web server can't retrieve the entire database in one data dump.

Enterprises getting their first professional audit are finding out that their WANs are particularly vulnerable to single points of attack.

When vital traffic leaves the LAN, it's in the public network for great distances, no longer controlled by the company. Encrypting the data and taking other measures to create a VPN help. But companies also should secure their physical networks by having two separate routes to the public network - routes that go to separate central offices and that don't merge at one carrier hotel, experts said.

"There is a fundamental lack of understanding out there when it comes to the gravity of security breaches," said David Schatsky, senior analyst and research director of Jupiter Media Metrix. Every day, firms are surprised by audits that find their redundant networks aren't as effective as they thought they were, he said.

Enterprises are turning in great numbers to the business assistance divisions of blue-chip companies such as AT&T and IBM for outsourcing of business recovery services, said John Lawler, an Infonetics Research analyst.

"The whole business continuation market is being relegated to the big boys," Lawler said.

In lower Manhattan, customers of AT&T Business Solutions were up and running in a couple of days following the Sept. 11 attacks because AT&T knew its networks so well. Many of those without business continuation contracts are still struggling.

Sending data to multiple storage centers and data centers will reduce the damage done by geographically isolated terrorist attacks. Data center companies like Digital Island and Exodus Communications own innocuous buildings that would not be obvious targets, but two centers are always better than one.

"People want to spread their risk a bit," Lawler said. "They're saying, ëLet's spread it over two facilities.'"

Many large organizations are reluctant to put sensitive applications in Internet data centers, because individual servers that belong to different customers are often not restricted from "talking" to each other. Some I-managers - Calabrese is one of them - have never warmed to Web hosting for that reason.

"This is a decision that the management made and I think this is a mistake," Calabrese said about his company's decision to outsource Web hosting to a service provider. "We can get seriously nailed on this one."

Still, managed security service providers and network management firms said they have seen a substantial increase in interest in the wake of the Sept. 11 attacks.

"Inquiries about security services continue to increase. We are definitely seeing an upswing," said Kathleen Ryan, spokeswoman of IBM Global Services. Big Blue's services arm had significant success in outsourcing this year, signing more than $1 billion in Web hosting contracts since Jan. 1. The company has also launched a fleet of new security-related services, including firewall construction and management, intrusion detection, virus alert monitoring and ongoing security checks.

The recent Code Red and Nimda worms have also accelerated interest in outsourcing hosting and security, Ryan said. "If you are self-hosting and you get hit with a virus attack, you have to handle it yourself."

Node Com, a real estate firm that specializes in data centers and telecom hotels, said it also has seen a dramatic up-tick in interest, which it attributes to a widespread realization among I-managers that the best way to protect themselves against disasters like the destruction of the World Trade Center is by spreading their resources among locations.

But as more companies move equipment off-premises, that will likely lead to increased need for managed security services and remote network management, said Chuck Adams, security general manager of remote network management services provider NetSolve.

"This isn't science fiction anymore," Adams said. "Companies can't deny any longer that they need to employ diligent management practices to handle significant business risks" that come from security-related issues.

Wireless Worries

Perhaps the most menacing security holes may lie in pieces of the network that Internet and IT managers don't even know exist.

Wireless LANs are cropping up in an organic fashion throughout corporations, often without the knowledge of a central manager.

"Departments are going out and putting them out for the department, without thinking about the ramifications for the rest of the corporation. If the CIO found out, they'd freak out," said Dean Douglas, general manager of wireless e-business services of IBM Global Services.

Cisco Systems had that problem internally. Shortly after Cisco acquired wireless LAN gear provider Aironet, employees quickly began deploying access points around the corporate campus.

"Soon we had 260 rogue Aironet deployments," said Kittur Nagesh, product line manager for the Aironet wireless LAN solution of Cisco.

Cisco's IT department took stock of the network pieces and quickly deployed a security solution across the network. The company also created an internal policy for extending the network.

"The rogue deployments went away because people found they could work with the policy and have a well-managed system," Nagesh said.

IBM hopes to help companies examine disparate network pieces so that IT departments can be sure that the networks are secure. IBM Security and Privacy Services recently introduced a security auditor service whereby the company will audit wireless LANs for corporations and assess the security vulnerabilities.

IBM also addresses authentication and encryption issues for customers, and has introduced a security chip - a cryptographic microprocessor - that will be integrated into its ThinkPad notebooks and NetVista desktops.

The chip supports key encryption and digital signatures. Using devices with the chip, mobile workers can securely access corporate networks from public wireless LANs, such as those popping up in airport lounges and cafÈs, Douglas said.

Those workers can also access corporate information securely from home wireless networks, another arena that the IT department often does not oversee. Some enterprises encourage workers to order high-speed wired connections to their homes so that they can work after hours. Some of those workers may deploy their own wireless LANs in their homes, but without introducing security precautions.

"It's the IT guy's worst nightmare," said Doug Klein, CEO of Vernier Networks, a provider of security solutions for wireless networks.

The best defense against such security holes is education and the creation of corporate policies that help workers to secure their home wireless LANs, Klein said.

Vernier offers an authentication solution that sits at the wireless access point. The solution allows corporations to set policies for individual users, which restrict some employees from accessing certain information.

While security consultants are fielding calls from new customers, they are also getting more inquiries from existing customers about additional security. Most of those involve authentication, the practice of ensuring that individuals who log onto the network are who they say they are.

"One thing we do see now is the request for more biometrics, and customers asking how an organization implements biometrics," said Marlina Yee-Hales, a product manager of Novell. "Companies have been talking to our consulting business asking how we can help them."

Biometrics is only one portion of a "two-factor" authentication system in which employees use proofs other than a password to gain access to the corporate network. The other factor could be a smart card or a token - a tiny device with a digital number that gets punched in along with the password - used with biometrics.

Software from security provider Safewww places a digital signature on the computer so if someone steals or guesses a password, they also must be sitting at that user's machine.

While a number of new technologies can help shelter companies from cyberattacks, many security experts feel recent events simply placed more attention on what businesses should have been doing all along: getting serious about security.

"It's not so much about the latest and greatest technology, it's more of a focus on the fundamentals of security," said Ed Skoudis, vice president of security strategy of Predictive Systems, a security consulting business in New York. Skoudis is also the author of Counter Hack: A Step-by-Step Guide to Computer Attacks and Defenses.

Skoudis said most of the inquiries he's getting from I-managers now are about shoring up security policy. Most also want to tighten disaster recovery plans so an event doesn't wipe out security perimeters.

Setting up intrusion detection and response practices, establishing mandatory security settings for all servers and software that reside on their networks, and going through those networks to make sure those settings are in place are also getting top priority.

Said Skoudis: "The fact people are returning to the basics to make their systems more secure - that's a good thing."

Senior Writers Robert Bryce, Nancy Gohring, Brian Ploskina, Bill Scanlon and Max Smetannikov, and Matrix Editor Todd Spangler contributed to this report.

1. Identify and locate your assets. Assess the importance of both information and material goods. Example: A computer may cost $3,000 to replace. The information on that computer might cost $60,000 to replace.
2. Perform a threat risk assessment. Categorize the likelihood of assets being stolen and the resulting damage. So, if a company has a public Web server,he cost of it going down from a denial-of-service attack might be the time required to bring the system back online - let's say, two hours from the IT department. If this Web server is used to perform financial transactions, then the cost must also include the number of purchases lost while the server is down.
3. Adopt a "need-to-know" philosophy. The CEO does not need a password to enable him to gain access to the accounting system. If he has access and someone finds out his password - e.g., he uses one password for all systems - it can be misused.
4. Perform an informal site survey of your organization. You can either relocate valuable assets to more secure areas or take extra measures - additional locks, smart cards, security personnel, etc. - to guard these assets.
5. Institute a standard for classifying all information. An advertising plan might be restricted to specific people in the marketing and business development departments. An engineering document that details trade secrets would be restricted to specific engineers.
6. Ascertain who needs access to external resources. This is an extension of the need-to-know philosophy. Although cumbersome, it may be necessary to adopt strict policies regarding the use of the Web and the downloading of third-party software from unknown sites.
7. Create a disaster recovery plan. Pick a worst-case situation - usually such plans assume the building has burned down - and consider how you will stay in business and service your customers. This exercise will serve to highlight the data and equipment that is critical to your operation. It will also make you think about how long your operation can be "down" without suffering irreparable harm.
8. Appoint someone to be responsible for security policy enforcement. This can be one person or a group of individuals.
9. Review the impact of any intended procedural changes on your employees. Will they be capable of shutting off alarm systems, changing passwords every month, locking their drawers every night and using password-enabled systems?
10. Understand that the implementation of any security policy needs regular validation. Reviewing the security policy six months after it was written will frequently uncover a few major deficiencies.