Is your network secure? Danger lurks everywhere, but there are plenty of things businesses can do to protect their networks.
RISKS EVERYONE FACES
If you attach a computer or other hardware, or install software, that has already been compromised, you endanger the network as well. The computer you attach that has been used elsewhere could be infected with a Trojan Horse (a file that has been dropped inside the computer system, often through chat programs or other access, which allows an outsider to get in with ease, even if you have a firewall).
The software you install, even directly from a CD, can have a virus embedded in it.
You need to protect against social engineering. Here's a scenario of successful social engineering as depicted by Charles Preston, principal analyst with Information Integrity, who is a security consultant in Anchorage:
"When doing security audits, I have walked into businesses and not been challenged because people are friendly. I walk into somebody's empty office, sit down and plug my computer into the network. Having done that, I can capture data - so can anybody."
In this scenario, the companies hire Preston to see how easily he can get access so they can be aware if they have a problem. If he can walk right in, so can someone else.
Businesses can unwittingly create security holes. "People open up ports (a path for data) to the outside for testing (of software that might use that path) and they forget that these are open," says Preston. Later, a hacker can discover the open port and gain access.
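One way to catch test ports that were opened and then forgotten is to keep a register of approved openings, with an expiry date on every temporary one, and compare it with what a machine is actually listening on. The sketch below is an added example, not part of the original article; the register format and function names are hypothetical, and the listing is a constructed sample in the column layout of `ss -tln`.

```python
"""Flag exposed listening ports that are unapproved or whose test approval lapsed."""
from datetime import date

# Constructed sample in the column layout of `ss -tln` (not real output).
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:3389           [::]:*
"""

# Hypothetical register: port -> (reason, expiry date, or None if permanent).
APPROVED = {
    443: ("public web site", None),
    8080: ("vendor software test", date(2003, 11, 14)),
}
LOOPBACK = ("127.", "[::1]")  # listeners bound here are not reachable from outside


def exposed_ports(listing):
    """Return sorted ports listening on non-loopback addresses."""
    ports = set()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not addr.startswith(LOOPBACK) and port.isdigit():
            ports.add(int(port))
    return sorted(ports)


def audit(listing, approved, today):
    """Return (port, finding) pairs for every listener needing attention."""
    findings = []
    for port in exposed_ports(listing):
        if port not in approved:
            findings.append((port, "not in register"))
            continue
        reason, expires = approved[port]
        if expires is not None and expires < today:
            findings.append((port, f"test opening expired {expires}: {reason}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_LISTENERS, APPROVED, date(2003, 12, 1)):
        print(f"port {port}: {finding}")
```

Run on a schedule, a check like this turns "we forgot it was open" into a dated finding that someone has to close or renew.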
How are Alaska businesses most at risk?
LACK OF EXPERIENCE
"People install equipment that they don't understand," says Preston. Driven by good business sense, companies get the latest, most-useful networking tools at the cheapest cost. A good example is when some rush to the computer store to buy a discounted wireless router: "I just located someone who had an outlying office and they've got something like this set up. I checked it for them, just the outside address, and discovered that they had left remote management on for this device. Potentially, people can get in. People aren't changing default passwords (for these devices), which anyone can get a list of," says Preston.
"Businesses with 400 to ,500 people and up tend to have someone knowledgeable about computers on full-time. For small businesses, with 10 to 40 people, they typically don't have someone full-time," says Preston. Even if you do have someone, most admins and technicians, even with a degree, don't have enough security expertise.
The lack of availability and high expense of security training in Alaska means that hiring someone qualified, even if only from time to time, can cost thousands.
SECURITY PRACTICES THAT LEAVE OPENINGS
Some Internet service providers don't use PPPoE authentication (a means of securing your connection to the ISP) for high-speed Internet service. This allows hackers to get access to your system. Other ISPs leave security entirely to the customer, providing no firewall protection.
EVEN MORE UNIQUE TO ALASKA
Another problem "is the amount of remote communications we do," says Todd Clark, president of DenaliTEK in Anchorage. Because it is not practical to deploy wired infrastructure to the villages, mobile, wireless and satellite technologies proliferate there. Wireless networks are susceptible because people can roam around near your network and log onto it if you don't have the security turned on. This security, for 802.11 networks, also known as Wi-Fi, is called WEP.
Sensitive information particular to Alaska includes oil and gas company data, which can be worth millions. If transmitted over a wired or wireless network, it would definitely be a target.
TYPES OF COMMUNICATIONS
A lot of corporations are moving toward Instant Messaging. One of DenaliTEK's clients uses IM as a business application. It should be noted that in its default condition, IM is one of the most at-risk applications on your network, even if it is just installed and you don't use it.
However, smart businesses will be hiring companies like DenaliTEK to ensure that their installation of IM is secure, and that it is in any condition but default. Businesses are looking at the value of IM, including the time savings of instant communications, and cost savings. Businesses succeed by staying positive. As such, their thinking is along the lines of what they should adopt for its positive benefits, not what they should avoid because of the negative. Still, many businesses will also be avoiding IM.
SECURING IM (INSTANT MESSAGING)
IBM has an IM system that's based on a server that does allow decent security. That is the way to go. Using Lotus' IM system, a secure platform can be implemented for the technology. There are enough business reasons to use IM in this state to overcome the communications costs. With the geographic diversity, it makes sense for some companies to go ahead and invest in that secure infrastructure, says Clark. Make sure to firewall around remote communications infrastructure as well.
Tools you can use to cope include hardware and software firewalls (which help prevent outside access), anti-virus, anti-trojan and anti-spyware software (which detect and destroy harmful programs that get in) and software patches (software updates that fix holes in your programs that would otherwise leave opportunity for hackers and harmful software like a virus).
DenaliTEK's Clark recommends Cisco PIX or Sonicwall firewalls, Sonicwall being the more cost-effective. Both units would implement VPN (Virtual Private Networking), which encodes transmissions in order to implement another level of security, says Clark. Both firewalls can be used for data coming in and going out by satellite or other wireless. At least one hardware firewall needs to be implemented on any network, between your connection to the Internet and your first device on the internal network.
"Few companies protect themselves on the inside, which would include personal (software) firewalls on each machine," says Preston. A good example of one of these is Sygate (http://www.sygate.com/).
AV (ANTI-VIRUS) SOFTWARE
AVG from Grisoft, Norton Anti-Virus and McAfee's are good choices. Norton's is the most secure, but can be overcautious and create various conflicts. McAfee's is a nice compromise on that point.
Examples of dedicated anti-trojan software include TDS-3 from DiamondCS. Though many AV programs do some protection for this, you can be more thorough with a good program dedicated to it.
Spyware is software that looks at what you do on the Internet and provides that information to its company so it can then send you ads by e-mail and on the Internet that correspond with your interests. Get rid of these with Ad-Aware or SpyBot Search and Destroy. SpyBot should be set up by someone with more experience.
Microsoft is not the only vendor that issues software patches, but it is the most frequent. Sign up for Microsoft Security Bulletins and install Windows Update to partially automate update retrieval.
AUDITING AND TESTING
"Companies should be getting someone from the outside to actually test and audit the network to see where the security holes are, not only in hardware, software and services, but in opportunities for people just to walk right in and get access," says Preston.
"A business needs someone in charge of information security, regardless of whether a company appears to be an attractive target. The person in charge of security could be a company employee, trained and/or experienced in information security," says Clark.
"Intrusion detection systems, sometimes called intrusion protection or intrusion prevention, have been relatively hard to configure and give a lot of false positives," says Preston. These devices or software check incoming data to make sure it is safe. Because these send alerts about many things that may not be of concern, it is good practice to have someone dedicated to monitoring the detection logs and alerts to see when something comes through that is of concern. These systems are generally pretty expensive. One IDS solution, "Snort", is free but it is complicated to learn how to use it.
One worth paying for is Black Ice Protector. "Black Ice Protector is a good intrusion-detection software package to use on a per-machine basis," says Preston.
SIMPLE, LOW-COST PREVENTION TECHNIQUES
Software patches and updates and AV updates are generally free and go a long way. Microsoft's are at: http://windowsupdate.microsoft.com. Use hard-to-guess passwords that are not constructed from familiar words or phrases. Don't open e-mails from unknown parties or with attachments.
Turn on the default WEP security that comes with Wi-Fi hardware and learn to use it. Delete old employee passwords and passwords once used for remote access that are now a security threat. Use free software solutions. "LANguard GFI allows you to scan your networks for computers that have open shares (permissions to share resources like drives, folders and applications) that other people on the network can see," says Preston.
An inexpensive answer for social engineering? "Without being paranoid or suspicious, employees need to be extra helpful when people come in. When they see somebody they don't know, they can offer to help them, they can offer to escort them to where they are going. That would assist in a case where people just walk in, pretend like they are supposed to be there and nobody challenges them," says Preston.
WHERE TO FIND HELP
Computer-outsource technical companies like Network Business Systems and CTG can help secure business networks. DenaliTEK (http://www.denalitek.com) is an available security consultancy, sourced for this article. For network auditing, contact Information Integrity (http://www.information-integrity.net).
Publication: Alaska Business Monthly
Date: Dec 1, 2003