Securing the internet infrastructure that underpins corporate
America has taken on a new urgency - some even call it a panic
- as the nation moves deeper into its war on terrorism.
Professionals in both information protection and traditional
security say the sudden rush to find solutions underscores a
change in a long-held attitude - confirmed by an American Institute
for Industrial Security study three years ago - that "it can't
That attitude led many corporations to put security spending
on hold, leaving vast holes in network protection just as Internet
attacks on companies doubled.
But the Sept. 11 terrorist attacks and the ensuing barrage
of government and intelligence community warnings about vulnerabilities
of critical systems have washed away much of that complacency.
In its wake is a growing movement among corporations to assess
their security risks in detail, overhaul security budgets and
protect themselves using both heightened traditional and high-tech
"The response has been huge - unbelievable," said Caroline
Hamilton, president and founder of Maryland's RiskWatch, which
does detailed risk assessments for large corporations and government
agencies. "I've never seen demand like this in the 10-year history
of our company. Companies who've told us they don't have security
problems are calling with their credit cards in hand."
Terrorist attacks or no, the latest numbers from the Computer
Emergency Response Team Coordination Center, a security response
group, should be enough to make I-managers review their Internet
security. CERT last week said it has counted nearly 35,000 attacks
and probes into company computers in the first nine months of
At that rate, CERT's tally should top 46,000 for the year,
more than double the 22,000 incidents reported last year.
But the Internet security landscape is strewn with unanswered
questions. Can technological innovations themselves thwart cyberattacks,
especially those launched by armies of terrorist hackers, who,
many fear, could cripple the nation's ability to deliver goods
Are firewalls and virtual private networks enough to protect
critical infrastructure and the privacy of data for customers
and clients? Or do we face more draconian measures - like shutting
off access to information systems for all but a company's most
And how do those responsible for information systems ensure
that employees with access to sensitive systems - especially
those that could affect public safety - are trustworthy?
In short, where are the holes that need to be filled, and what
are the most important priorities?
The search for answers is taking place in corporate boardrooms,
in e-mail musings between technology officers and engineers
and on golf courses between information systems peers.
What is emerging, said Francis Juliano, chief technology officer
of international business auction house DoveBid, is something
less than consensus over how far corporations should go to protect
themselves, their personnel and their clients.
"The Internet has become an appliance like the telephone, television
and indoor plumbing," Juliano said. "We don't have to have it
to live, but we have come to rely on it. To prevent attacks
that can shut that system down relies on the collaborative efforts
of everyone on the Internet to defend it.
"I talk to CIOs [chief information officers] and other CTOs
of corporations, and there is a lot of concern. If the Internet
goes down, there is no one person to fix it. And the issues
are so far-reaching, so complex, where do you start?"
While security coordination is a muddy issue, one thing is
clear: There is a new resolve in corporate hierarchies to make
security a priority - a resolve that corporate security experts
say did not exist just six weeks ago.
In dozens of interviews conducted by Interactive Week, I-managers,
information security experts, security consultants and corporate
executives echoed a recurrent theme as companies scrambled to
cope with the idea that the nation is at war with an enemy that
is often invisible - and with the fact that they could become
Corporate officials said they are re-evaluating and reassessing
all levels of security. Oft-mentioned issues included Internet
vulnerabilities to worms and viruses; ways to bypass secure
entrances; and learning more about the habits of employees.
Bob Forbes, executive vice president and founder of Authentor
Systems in Colorado, said he foresees new security systems that
will not only watch the front and back doors, but track employees'
personal habits - from the time they clock in, to the time they
log on - and notice when norms are not followed.
"Hard outer shells are suddenly getting a lot of attention,
just as the demand for access is increasing," he said. "You
typically can't increase access and security simultaneously.
So you turn to behavior-based models as opposed to, say, firewalls
that have static rules, that don't look at the type of information
a user is requesting."
The economic reality of increasing security is finding expression
in prioritization - and in the recognition that more sophisticated
technology is not the only answer. Confirming that security
policies are in place and are adhered to and planning reactions
to worst-case scenarios are becoming part of a new corporate
mindset, insiders said.
In many cases, corporations are scrambling to find funds in
an almost stagnant economy to pay for technological tripwires,
more security personnel and higher walls around information
"The tragic events of Sept. 11 have been a cold, hard slap
in the face to senior corporate managers who once paid lip service
to security, but failed to allow long-term or short-term budget
planning," said Marquis Grove, a director of Information Systems
Security of Ottawa.
Within many companies and among security advisers there is
also movement toward integrating physical and information security
systems, to present a "hardened target" to terrorists, criminals
and even disgruntled employees who try to disrupt business.
"Information technologists and corporate security managers
have long enjoyed a love-hate relationship," said Grove, who
doubles as information security director for an international
Fortune 50 company.
"Unfortunately, there has been a long history of self-interest
and self-promotion between the two groups that left them usually
opposing measures being put forward by the other group," he
said. "This reflected the fortress mentality of the past, where
managers were more interested in protecting the size and function
of their department than in what was best for the company."
Now, however, threat and risk assessments are in high demand
at corporations of all shapes and sizes, from giants like Boeing
to small firms - for which the faulty security of networks they
hire to deliver their services could mean financial ruin.
Agencies of the federal government are also turning to private
security interests to run risk assessments on networks, Web
sites and other points of access to confidential information
that could be valuable to international enemies.
Some corporations, like Kansas' Yellow Freight national
trucking company, said they have not made dramatic changes in
security, but have thoroughly reviewed their procedures and
sent blanket reminders to all employees to be alert for security
For others, it is clearly a brave new world of information
and physical security, transformed in ways that were almost
inconceivable before the terrorist events just six weeks ago.
Juliano said DoveBid has added redundancy to its operations
to allow the company to run entirely from any of its three major
U.S. facilities. It's also started reviewing security systems
on "a daily, rather than weekly, basis," and is even checking
names of suspected terrorists released by the FBI against its
employees and system users.
While emergency reactions are under way to beef up security
across the country, there remains an uneasy feeling that the
most sophisticated of high-tech solutions are really only as
good as the lock on the back door.
RiskWatch's Hamilton noted that electronic surveillance of
facilities, biotech identity systems and other security measures
are great - if the server on which they may all operate is safe.
"Take out the server, and what good is the security system?"
Forbes said such elementary steps as changing passwords regularly
or making them more secure have been ignored by many businesses.
A frequent complaint is that employees leave their passwords
on sticky notes attached to keyboards, making the entire system
Such security concerns aren't limited only to small corporations.
"The range of clients seeking our assistance is running the
full gamut," Grove said, "from major banking institutions, manufacturers,
pharmaceutical companies, telecommunications players, Internet
service providers, government agencies, hydroelectric operators,
to food chain and agricultural companies. . .
"As such, there is no single silver bullet or blanket solution
that can be draped over all companies. Each has specific needs,
shortcomings, levels of risk that they are willing to assume,
and levels of budgets that they are able to expend," he said.
Network security experts say that while some technologies are
more prone to security breaches than others, the sheer complexity
of modern enterprise networking is the greatest weakness for
I-managers responsible for evaluating new technologies have
to understand how those technologies interact with existing
setups, and make sure adequate resources are applied to maintaining
high-touch systems. Individually, almost any communications
service could be perceived as a security risk.
Private lines are staples of many enterprises, but new network
vulnerabilities are leading I-managers to question whether they
can afford to live with known security flaws in this immensely
"AT&T has been hacked before," said Chris Calabrese, an
Internet security analyst of a major health care company. "If
you are going to use private lines, you have to understand you
are relying on AT&T security, and you have to put it in
all your contracts."
Most technologies that land on security experts' black list
are new. They end up there for a simple reason: Not enough is
known about their security flaws. They include network-based
virtual private networks (VPNs), Multiprotocol Label Switching
and Internet Protocol Security alike, and are mistrusted because
customer traffic travels unencrypted from the origination point
to the carrier's network.
Domain Name System servers and Border Gateway Protocol routers
fall into that category because too few are patched properly
against vulnerabilities. And fears persist over most Web-based
technology that is open to viruses and worms - which covers
almost any Internet technology.
Steve Bellovin, an AT&T Labs Research security scientist,
pointed out that the technologies with the most vulnerabilities
are the most popular ones - Web servers, Web browsers and mailers.
But most of the problems that arise with those come from lack
of maintenance; patches were available to prevent most recent
virus outbreaks, including Code Red, he said.
I-managers should start to face the realities that, even with
firewalls in place, most people are likely to sacrifice security
for convenience, Bellovin said. A case in point was the Internet
Engineering Task Force's recent infiltration by a virus that
got in through an unsecured laptop used to dial in to the IETF
Should companies ban laptops from connecting to their local
area networks? Experts said no. But security managers should
spend more money and get firewalls they can control remotely
so that they can refuse access to certain applications. Bellovin
said some of the worst vulnerabilities can be introduced when
users allow their computers to operate as servers for certain
applications, a common practice with popular peer-to-peer file
Another reality of today's security situation is that most
Web servers are vulnerable because most of their holes can't
be patched - at least, not all at once.
"Web servers are very dangerous," Bellovin said. "I basically
view those as sacrificial machines."
Whatever you do in your networks, he said, don't make a Web
server a front end to your database, especially if valuable
information such as credit card numbers is stored there. Put
that database on a separate server, build a firewall in between
and restrict the language spoken between the two machines. The
main objective here is to ensure that the Web server can't retrieve
the entire database in one data dump.
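
The separation Bellovin describes, sketched as an added example (not code from the article or from anyone quoted in it): a broker beside the database that understands only two request verbs, so the Web server can never ask for more than one customer's record at a time. The verb names, customer-ID format, request budget and sample data are assumptions made for illustration.

```python
import re
import sqlite3
import time

CUSTOMER_ID = re.compile(r"c[0-9]{3}")        # assumed ID format for this sketch
AMOUNT_CENTS = re.compile(r"[1-9][0-9]{0,6}")


def make_card_db():
    """Constructed sample data standing in for the card database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (customer_id TEXT PRIMARY KEY, pan TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("c%03d" % i, "4000%012d" % i) for i in range(50)])
    return db


class CardBroker:
    """Runs beside the database; the Web server may speak only to this."""

    VERBS = {"LAST4": 1, "CHARGE": 2}         # verb -> exact argument count

    def __init__(self, db, max_requests=5, window_seconds=60.0,
                 clock=time.monotonic):
        self.db = db
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.clock = clock
        self.recent = []                      # request times inside the window

    def _over_budget(self):
        # Record this request; True once the window holds too many of them.
        now = self.clock()
        self.recent = [t for t in self.recent if now - t < self.window_seconds]
        self.recent.append(now)
        return len(self.recent) > self.max_requests

    def _pan(self, customer_id):
        # The only SQL that ever runs: one row, selected by primary key.
        row = self.db.execute("SELECT pan FROM cards WHERE customer_id = ?",
                              (customer_id,)).fetchone()
        return row[0] if row else None

    def handle(self, line):
        """Answer one request line from the Web server with one reply line."""
        if self._over_budget():
            return "ERR rate limit"
        parts = line.split()
        if not parts or self.VERBS.get(parts[0]) != len(parts) - 1:
            return "ERR unsupported"
        verb, customer_id = parts[0], parts[1]
        if not CUSTOMER_ID.fullmatch(customer_id):
            return "ERR bad customer id"
        pan = self._pan(customer_id)
        if pan is None:
            return "ERR unknown customer"
        if verb == "LAST4":
            return "OK " + pan[-4:]           # the full number never leaves
        if not AMOUNT_CENTS.fullmatch(parts[2]):
            return "ERR bad amount"
        # A real broker would hand pan and amount to the payment processor here.
        return "OK charged %s cents to card ending %s" % (parts[2], pan[-4:])


if __name__ == "__main__":
    broker = CardBroker(make_card_db())
    for request in ("LAST4 c007", "SELECT * FROM cards", "CHARGE c012 2500"):
        print(request, "->", broker.handle(request))
```

The firewall between the two machines would then allow the Web server to reach only the broker's port, never the database listener itself.
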
Enterprises getting their first professional audit are finding
out that their WANs are particularly vulnerable to single points
When vital traffic leaves the LAN, it's in the public network
for great distances, no longer controlled by the company. Encrypting
the data and taking other measures to create a VPN help. But
companies also should secure their physical networks by having
two separate routes to the public network - routes that go to
separate central offices and that don't merge at one carrier
hotel, experts said.
"There is a fundamental lack of understanding out there when
it comes to the gravity of security breaches," said David Schatsky,
senior analyst and research director of Jupiter Media Metrix.
Every day, firms are surprised by audits that find their redundant
networks aren't as effective as they thought they were, he said.
Enterprises are turning in great numbers to the business assistance
divisions of blue-chip companies such as AT&T and IBM for
outsourcing of business recovery services, said John Lawler,
an Infonetics Research analyst.
"The whole business continuation market is being relegated
to the big boys," Lawler said.
In lower Manhattan, customers of AT&T Business Solutions
were up and running in a couple of days following the Sept.
11 attacks because AT&T knew its networks so well. Many
of those without business continuation contracts are still struggling.
Sending data to multiple storage centers and data centers will
reduce the damage done by geographically isolated terrorist
attacks. Data center companies like Digital Island and Exodus
Communications own innocuous buildings that would not be obvious
targets, but two centers are always better than one.
"People want to spread their risk a bit," Lawler said. "They're
saying, 'Let's spread it over two facilities.'"
Many large organizations are reluctant to put sensitive applications
in Internet data centers, because individual servers that belong
to different customers are often not restricted from "talking"
to each other. Some I-managers - Calabrese is one of them -
have never warmed to Web hosting for that reason.
"This is a decision that the management made and I think this
is a mistake," Calabrese said about his company's decision to
outsource Web hosting to a service provider. "We can get seriously
nailed on this one."
Still, managed security service providers and network management
firms said they have seen a substantial increase in interest
in the wake of the Sept. 11 attacks.
"Inquiries about security services continue to increase. We
are definitely seeing an upswing," said Kathleen Ryan, spokeswoman
of IBM Global Services. Big Blue's services arm had significant
success in outsourcing this year, signing more than $1 billion
in Web hosting contracts since Jan. 1. The company has also
launched a fleet of new security-related services, including
firewall construction and management, intrusion detection, virus
alert monitoring and ongoing security checks.
The recent Code Red and Nimda worms have also accelerated interest
in outsourcing hosting and security, Ryan said. "If you are
self-hosting and you get hit with a virus attack, you have to
handle it yourself."
Node Com, a real estate firm that specializes in data centers
and telecom hotels, said it also has seen a dramatic up-tick
in interest, which it attributes to a widespread realization
among I-managers that the best way to protect themselves against
disasters like the destruction of the World Trade Center is
by spreading their resources among locations.
But as more companies move equipment off-premises, that will
likely lead to increased need for managed security services
and remote network management, said Chuck Adams, security general
manager of remote network management services provider NetSolve.
"This isn't science fiction anymore," Adams said. "Companies
can't deny any longer that they need to employ diligent management
practices to handle significant business risks" that come from
Perhaps the most menacing security holes may lie in pieces
of the network that Internet and IT managers don't even know
Wireless LANs are cropping up in an organic fashion throughout
corporations, often without the knowledge of a central manager.
"Departments are going out and putting them out for the department,
without thinking about the ramifications for the rest of the
corporation. If the CIO found out, they'd freak out," said Dean
Douglas, general manager of wireless e-business services of
IBM Global Services.
Cisco Systems had that problem internally. Shortly after Cisco
acquired wireless LAN gear provider Aironet, employees quickly
began deploying access points around the corporate campus.
"Soon we had 260 rogue Aironet deployments," said Kittur Nagesh,
product line manager for the Aironet wireless LAN solution of
Cisco's IT department took stock of the network pieces and
quickly deployed a security solution across the network. The
company also created an internal policy for extending the network.
"The rogue deployments went away because people found they
could work with the policy and have a well-managed system,"
IBM hopes to help companies examine disparate network pieces
so that IT departments can be sure that the networks are secure.
IBM Security and Privacy Services recently introduced a security
auditor service whereby the company will audit wireless LANs
for corporations and assess the security vulnerabilities.
IBM also addresses authentication and encryption issues for
customers, and has introduced a security chip - a cryptographic
microprocessor - that will be integrated into its ThinkPad notebooks
and NetVista desktops.
The chip supports key encryption and digital signatures. Using
devices with the chip, mobile workers can securely access corporate
networks from public wireless LANs, such as those popping up
in airport lounges and cafés, Douglas said.
Those workers can also access corporate information securely
from home wireless networks, another arena that the IT department
often does not oversee. Some enterprises encourage workers to
order high-speed wired connections to their homes so that they
can work after hours. Some of those workers may deploy their
own wireless LANs in their homes, but without introducing security
"It's the IT guy's worst nightmare," said Doug Klein, CEO of
Vernier Networks, a provider of security solutions for wireless
The best defense against such security holes is education and
the creation of corporate policies that help workers to secure
their home wireless LANs, Klein said.
Vernier offers an authentication solution that sits at the
wireless access point. The solution allows corporations to set
policies for individual users, which restrict some employees
from accessing certain information.
While security consultants are fielding calls from new customers,
they are also getting more inquiries from existing customers
about additional security. Most of those involve authentication,
the practice of ensuring that individuals who log onto the network
are who they say they are.
"One thing we do see now is the request for more biometrics,
and customers asking how an organization implements biometrics,"
said Marlina Yee-Hales, a product manager of Novell. "Companies
have been talking to our consulting business asking how we can
Biometrics is only one portion of a "two-factor" authentication
system in which employees use proofs other than a password to
gain access to the corporate network. The other factor could
be a smart card or a token - a tiny device with a digital number
that gets punched in along with the password - used with biometrics.
Software from security provider Safewww places a digital signature
on the computer so if someone steals or guesses a password,
they also must be sitting at that user's machine.
While a number of new technologies can help shelter companies
from cyberattacks, many security experts feel recent events
simply placed more attention on what businesses should have
been doing all along: getting serious about security.
"It's not so much about the latest and greatest technology,
it's more of a focus on the fundamentals of security," said
Ed Skoudis, vice president of security strategy of Predictive
Systems, a security consulting business in New York. Skoudis
is also the author of Counter Hack: A Step-by-Step Guide to
Computer Attacks and Defenses.
Skoudis said most of the inquiries he's getting from I-managers
now are about shoring up security policy. Most also want to
tighten disaster recovery plans so an event doesn't wipe out
Setting up intrusion detection and response practices, establishing
mandatory security settings for all servers and software that
reside on their networks, and going through those networks to
make sure those settings are in place are also getting top priority.
Said Skoudis: "The fact people are returning to the basics
to make their systems more secure - that's a good thing."
Senior Writers Robert Bryce, Nancy Gohring, Brian Ploskina,
Bill Scanlon and Max Smetannikov, and Matrix Editor Todd Spangler
contributed to this report.
10 Tips for Creating a Network Security Policy
- Identify and locate your assets. Assess the importance of
both information and material goods. Example: A computer may
cost $3,000 to replace. The information on that computer might
cost $60,000 to replace.
- Perform a threat risk assessment. Categorize the likelihood
of assets being stolen and the resulting damage. So, if a
company has a public Web server, the cost of it going down from
a denial-of-service attack might be the time required to bring
the system back online - let's say, two hours from the IT
department. If this Web server is used to perform financial
transactions, then the cost must also include the number of
purchases lost while the server is down.
- Adopt a "need-to-know" philosophy. The CEO does not need
a password to enable him to gain access to the accounting
system. If he has access and someone finds out his password
- e.g., he uses one password for all systems - it can be misused.
- Perform an informal site survey of your organization. You
can either relocate valuable assets to more secure areas or
take extra measures - additional locks, smart cards, security
personnel, etc. - to guard these assets.
- Institute a standard for classifying all information. An
advertising plan might be restricted to specific people in
the marketing and business development departments. An engineering
document that details trade secrets would be restricted to
- Ascertain who needs access to external resources. This is
an extension of the need-to-know philosophy. Although cumbersome,
it may be necessary to adopt strict policies regarding the
use of the Web and the downloading of third-party software
from unknown sites.
- Create a disaster recovery plan. Pick a worst-case situation
- usually such plans assume the building has burned down -
and consider how you will stay in business and service your
customers. This exercise will serve to highlight the data
and equipment that is critical to your operation. It will
also make you think about how long your operation can be "down"
without suffering irreparable harm.
- Appoint someone to be responsible for security policy enforcement.
This can be one person or a group of individuals.
- Review the impact of any intended procedural changes on
your employees. Will they be capable of shutting off alarm
systems, changing passwords every month, locking their drawers
every night and using password-enabled systems?
- Understand that the implementation of any security policy
needs regular validation. Reviewing the security policy six
months after it was written will frequently uncover a few