Do you think your company's computer systems are secure? Before you answer, test yourself against Craig Nulan. Nulan is a senior manager in Ernst & Young LLP's national information security services practice, in Kansas City, Missouri. One of his areas of expertise is penetration studies--the systematic probing of a company's electronic defenses. To date, more than 100 corporations have paid E&Y's staff of professional hackers--er, security experts--to attack their computers.
Nulan will come at you over the Internet, looking for chinks in firewalls. But he will also test every one of your headquarters' phone extensions until a friendly computer answers. And he'll practice "social engineering"--jargon for obtaining key information over the telephone, such as passwords, by posing as an employee.
The bottom line: you'll lose.
"We can locate every device on the network," boasts Nulan. "We can map your systems. Inevitably, we find a weak link.
"We can branch out and systematically take control," he continues. "We routinely take over payroll. We've acquired control of trading systems--every single one in a major trading bank. If you were a hacker, you could shut them down, or pipe money to your numbered account in the Antilles. We've taken control of an insurance company database. If you broke into an insurance company, you could rewrite your policy--set yourself up as deceased, and get a nice policy check.
"We even acquired control of a production facility, where every two hours these giant ovens have to be cleaned. What if someone turned on an oven while men were working inside?
"If it has an automated control," says Nulan, "we can acquire control of it."
Are you a little worried now about your computer security? That's OK--you have plenty of company. According to a recent survey of IT professionals conducted by Ernst & Young and InformationWeek magazine, security breaches are on the rise. Forty-two percent of the survey's U.S. respondents reported external attacks on their systems during the past 12 months, compared with only 16 percent the previous year. Likewise, 43 percent reported internal attacks, up from 29 percent. Industrial espionage is soaring, affecting 38 percent of the survey respondents, compared with just 6 percent last year.
The main reason these survey numbers are up, of course, is the Internet. The gold rush is on into a wild electronic frontier, where computer thieves and gunslingers abound. Last July, Forrester Research Inc., in Cambridge, Massachusetts, predicted the total value of goods and services traded between companies over the Internet would reach $8 billion by the end of 1997, and skyrocket to $327 billion by 2002.
But while public attention is riveted on Internet hackers, companies are beginning to appreciate the true scope of their computer vulnerabilities. Yes, corporate Web sites have been under siege, resulting in service disruptions. And intranets present a new set of vulnerabilities; some experts think it's only a matter of time before a major security breach of an intranet occurs. But the biggest exposures are elsewhere--in a company's internal computer and telecommunications networks.
"Electronic commerce is a set of distinct applications that live in and on a preexisting security infrastructure," explains Nulan. Companies looking to stake a claim in cyberspace are discovering that those infrastructures are already porous. Why? Blame distributed computing--PCs, workstations, and servers, all connected via networks, which in turn are being opened to customers and trading partners. In the age of mainframes, data was locked up in just a few places, and only MIS staff had the keys. Today, in a large corporation there are literally thousands of potential access points to sensitive information.
Unless a company secures its internal networks first, securing electronic commerce applications could well be a vain exercise. Furthermore, unless the use of those applications is backed by sound business controls, companies could suffer losses greater than any external hacker could inflict.
Sound statistics on computer crime are impossible to come by, since corporate victims may not reveal their losses, or even realize they have been infiltrated. (Unlike conventional burglars, computer criminals need not actually take the merchandise.) In 1997, the San Francisco-based Computer Security Institute, along with the Federal Bureau of Investigation, surveyed 563 organizations on computer crime; total quantifiable losses, from just 249 respondents, exceeded $100 million--a figure the institute labeled "very conservative."
As IT virtually becomes the business in industries such as financial services and telecommunications, computer crime becomes a more serious threat. But companies of all kinds have precious assets at risk:
- * information, whether financial, operational, R&D, or strategic;
- * business operations, through systems that conduct electronic commerce or regulate finance, manufacturing, distribution, and human resources activities;
- * employee privacy, especially concerning health and medical information; and
- * reputation, which may suffer grievously from theft or business interruption. A hot topic in business and computer law is "downstream liability"--the liability a company would assume if a hacker used its computers as a staging area to attack the systems of connected trading partners and customers. No such lawsuits have been filed yet, but it's only a matter of time before they are, says Victor Wheatman, vice president of Gartner Group Inc., in San Jose, California.
Who are the criminals? Hackers are by far the best-publicized threat. Given the technical sophistication of some hackers and the sheer persistence of others, it's always premature to pronounce a system secure. Product weaknesses are ferreted out and posted on Internet bulletin boards, as are new modes of attack; once-exotic techniques such as packet sniffing, SYN flooding, and IP spoofing are now part of the up-to-date hacker's arsenal.
But a hacker doesn't necessarily need the Ping of Death (an insidious new weapon) to damage a system. "It's amazing how easy it is for someone with limited knowledge of technology to shut someone's systems down," says David E. Cohen, former manager in charge of electronic commerce security services at Coopers & Lybrand LLP in New York.
Business espionage is also an extremely serious threat, as the E&Y/InformationWeek survey indicates. The White House Office of Science and Technology estimates that business espionage costs U.S. companies $100 billion a year in lost sales. Much of the stolen information--software code, drug formulas, industrial designs, customer lists--resides on computers.
But the biggest threat to electronic security comes from the barbarians within the gate. Generally, security experts estimate that insiders--dishonest or disgruntled employees and contractors--account for well over half of the information stolen from companies.
"Whether you're talking about security in a client/server, LAN-based environment, a private WAN, or a public network, most security breaches are the result of an insider situation," asserts David Flaxman, managing director of electronic commerce solutions in the Conshohocken, Pennsylvania, office of Answer-Think Consulting Group. "Someone who knows a lot about the way the infrastructure is set up. I'll bet 95 percent of the time, security problems are insider based."
Many observers think that years of layoffs and low morale have fostered a climate conducive to employee crime. Whatever their motivations, insiders have all the advantages: knowledge, equipment, passwords, and, best of all, trust. No one thinks twice about an employee leaving work with laptop computer in hand--a laptop that can store a great deal of ill-gotten data.
Indeed, in exercises performed for clients, penetration experts have walked unchallenged into office buildings in the middle of the day. Once in, they can find empty offices with computers left on and logged in, close the door, and go to work. Imagine how much easier this can be for a dishonest employee, who knows the routines and schedules of colleagues.
Open Windows And Back Doors
As the above scenario suggests, insiders don't have to be malicious to cause a security breach, just careless. While Nulan's professionals are capable of penetrating a company's front door--firewall software that, properly configured, thwarts break-ins--they always find it easy to sneak in through windows that employees leave open.
"Every company has lots of modems," says Nulan, "and 95 percent have more than they know about." What's more, employees will have set up automated log-on routines, passwords included, that permit easy access to corporate systems. "We'll just dial their number into the system and we'll have privileges," Nulan says. "We don't have to use brute force."
The problem is, many companies don't take basic steps to educate their employees, such as instituting a security policy. As a result, employees don't take elementary precautions, such as protecting their passwords, or routinely backing up files, or running virus scans. Many will set up remote access to their desktops without bothering to tell IT personnel.
Moreover, IT environments are in a state of constant flux. Close one window today, and tomorrow two more may open.
"A security configuration you set up today may not be effective two weeks later," says Nulan. Programmers, users, and consultants are constantly banging on systems. A technical contractor may need remote access to a system to retrieve files and codes; the company can provide a portal, and the contractor may forget to close it.
Or--and this possibility keeps some IT managers awake at night--the contractor, or an employee, could create a secret back door to a system. Consider a large-scale implementation of an enterprise resource planning (ERP) system, with 30 or 40 developers busy configuring the software. It doesn't take much imagination to envision one of them creating a secret door to a payroll system and subsequently diverting money to a private account.
A paranoid scenario? Maybe. None of the consultants interviewed for this article could recall a back-door breach in a payroll, accounts payable, or ERP system. At the same time, they acknowledge that the threat exists, and few would be surprised if such a breach were to come to light.
A Security Rx
It's easy to develop a mild case of paranoia when talking to computer security experts. Of course, the experts are hardly Luddites; it's their job to ensure that companies take sensible precautions with their networks. And paranoia isn't stopping businesses from jumping on the Internet, particularly for business-to-business commerce.
Still, one can only hope that the phrase used to describe early adopters of new technology--the "bleeding edge"--won't cut too deep regarding Internet commerce.
"We take computer security very seriously, not only the threat from the outside, but the risks from the inside," says the chief financial officer of a large financial services firm. "But can you eliminate every risk? I doubt it." Too much security can have a downside, he points out. "It makes you a consumer-unfriendly company." (The CFO also believes too much publicity can have a downside; he declined to discuss his company's security measures on the record, for fear that they would become a challenge for hackers.)
No company can be perfectly secure; there will always be a trade-off between security, cost, and availability. What, then, should companies do in this imperfect world?
Many of the answers will come in the form of new technologies, from access control to network monitoring to single sign-on. Electronic commerce has spawned a growth industry in Internet security technologies (see "Making Cyber-space Safe,"). The Internet Engineering Task Force is working on both the IPsec protocol, which will provide a secure link for virtual private networks, and the next generation of IP, IPv6, which will have encryption built in.
In the meantime, there are other things companies can do:
- * Conduct a security audit. All the major accounting firms offer computer security and electronic-commerce assurance services. Security firms can be found through trade associations, such as the International Computer Security Association or the American Society for Industrial Security. An initial up-front assessment for a large corporation might cost about $30,000 to $40,000, according to John D. Spain, vice president of information technology security at Asset Management Solutions Inc., based in Raleigh, North Carolina.
- * Allocate finite security resources according to a value- based model, not a weakest-link model. The most important systems get the most protection (see "How Digital Stays Secure,"). Similarly, electronic commerce systems should be protected according to the degree of liability in-volved. Will you be selling books over the Internet, or taking orders to buy stock?
- * Craft a security policy and make sure that all employees follow it. The policy should spell out not only preventive measures, but also what to do when computer crime is discovered and how to preserve evidence.
- * Trust but verify. Background checks should be standard when hiring key systems personnel, although clever thieves can make fabricated work histories difficult to verify. If you can help it, don't hire ex-hackers, whether as employees or consultants. "I would say not only never hire a hacker, but never, never hire a hacker," says Spain. "I wouldn't say that every ex-hacker is a potential crook, but there's a great potential for them to work both sides of the fence."
- * Review business controls. Access control software can be purchased and configured to keep unauthorized employees off systems. But old-fashioned business controls still have a role. "The solution isn't just technology, it's processes and procedures," says consultant David Cohen. "You need rules to say that administrators can't get access to data files, that equity traders can't get into fixed-income systems."
"What's emerging from electronic commerce is the need for a traditional operational audit," maintains Karl Nagel, a principal at Karl Nagel & Co., a Los Angeles accounting and consulting firm specializing in electronic commerce. "The security guys focus on hackers," he says. "But you also need to look at business management issues." Assume, says Nagel, that your 1,000-employee firm is completely networked and completely secure. "But does that secure firm work smoothly? All those different people are interacting on systems, with different skill sets, different problems. How do you ensure management control?
"Now open up your systems to your trading partners--you're relying on them, and they can also screw up," says Nagel. "That has nothing to do with hackers, and everything to do with reality."
The American Institute of Certified Public Accountants recently introduced CPA WebTrust, a seal of approval for Web sites whose sponsoring vendors pass standards of business practices, transaction integrity, and security (see "Cyber Seal of Approval," CFO, January). While WebTrust is intended to reassure consumers, Nagel predicts the AICPA will eventually devise a similar program for electronic trading partners. "Electronic commerce deals with integrating different enterprises," he says. "You're going to see a requirement to conform with established standards of operating behavior."
Be realistic. Don't demand 100 percent security, which by all accounts is unattainable. You'll not only run your IT budget through the roof, you'll risk defeating the virtues of Internet computing--such as interconnectivity, ease of use, and accessibility. Crime, after all, has always been a cost of doing business. The key with computer crime is to make it an acceptable cost.
Edward Teach is a senior editor of CFO.
Nothing boosts awareness of computer security better than a few widely publicized breaches.
------------------------------------------------------------------------ ------------- The Smell of Money. Companies doing business on the Internet worry about thieves using "sniffers"--surreptitiously inserted programs that look for particular information on a computer, such as passwords or credit-card numbers. Last year, a so-called packet sniffer was used to steal more than 100,000 credit-card numbers stored on the server of an Internet service provider. The culprit was arrested when he tried to sell a diskette containing the information to an undercover FBI agent. Indicted in May 1997, the man pleaded guilty to federal charges in August.
The Central Stupidity Agency? Internet vandals have defaced a number of Web sites, resulting in service interruption. One of the most notorious cases was the attack on the Central Intelligence Agency's home page in September 1996. Swedish hackers made a number of alterations (many obscene), including the message, "Welcome to the Central Stupidity Agency." The site was temporarily shut down while the graffiti was erased. Because the CIA's Web site is a stand-alone system for informational purposes only, no harm was done--except to the agency's pride.
No Good Deed Goes Unpunished. In March 1997, in an effort to improve customer service, the Social Security Administration set up a service on its Web site that permitted easy access to personal financial information. Too easy, as it turned out. To view detailed earnings records--anyone's earnings records--a visitor simply had to enter a few pieces of information, including Social Security number and mother's maiden name. Critics pointed out that such information wasn't difficult to obtain. Despite the popularity of the service, the agency shut it down a month after it was launched.
The Globalization of Crime. Over a span of several months in 1994, thieves diverted $10 million from Citibank's cash management system, which connects branches worldwide. The money was transferred to accounts in at least six countries. Awaiting trial as this issue went to press is a Russian hacker, who allegedly masterminded the theft from his computer in St. Petersburg. Authorities were still trying to figure out how the thieves overcame the system's numerous security features. While all but $400,000 of the $10 million has been recovered, the Citibank caper is the most serious reported instance so far of online bank robbery.
Krazy Glue. Last November, federal prosecutors charged a man with sabotaging computers at Forbes Inc. The accused allegedly sought revenge for his dismissal in April 1997, during a 55-minute phone call from his home to a Forbes computer line. One expert told the New York Times that the sabotage was "the electronic equivalent of putting Krazy Glue in the locks." Estimated damage: $100,000. (The criminal case was pending at press time.)
How Digital Stays Secure
------------------------------------------------------------------------ ------------- Digital Equipment Corp., the Maynard, Massachusetts-based computer giant, is a major presence in the Internet security marketplace. Scores of corporations use Digital's products to help secure their Internet gateways and create virtual private networks.
But Digital itself is not immune to computer crime. The vast majority of its 59,000 employees have PCs, connected either to the company's intranet or internal network. Also, Digital has an extranet, Digital Business Link, which links it to the computers of thousands of trading partners.
"You can't talk about the four walls of Digital as the protected environment anymore," says Wayne Hall, a computing and communications security manager in Digital's IS organization. Thus the company must employ technologies, policies, and business controls to fend off security threats.
Digital's internal network is protected from the Internet by firewalls. Encryption software is used throughout the organization. If a manager in a hotel room wants to access his E-mail across the Internet, Digital's own commercially available software, AltaVista Tunnel, enables creation of a so-called virtual private network--a secure, authenticated connection.
But while Digital and its resellers practice safe messaging and E-mail, other companies don't, which concerns Digital's security managers. "A lot of them are not using any form of encryption-- whether it's an E-mail encryption tool like PGP [Pretty Good Privacy] or Entrust," says Victor E. Thuotte Jr., corporate information security manager.
How does the company defend itself from hackers bypassing the Internet? First, all remote users must be authenticated (via personal security keys) in order to gain access to network systems. Dial-in traffic to Digital networks must come through either AltaVista Tunnel or Windows NT RAS (Remote Access Services).
Second, Digital monitors traffic (patterns of activity, not content) into and on its networks. "We regularly analyze traffic patterns to pick up any anomalies," says Thuotte, "whether caused by network congestion, or some file transfer that clogs the network, or something intentional."
Attaining perfect security throughout a large corporation is prohibitively expensive--and, for that matter, unnecessary. Many companies, like Digital, now allocate security resources according to the value of the assets under protection.
"We went from a weakest-link model to a value-based model," says Thuotte. Which systems would result in the greatest financial, operational, or reputational loss to the company if they were hacked? The company identified such "jewels," including its financial and human-resources systems and research-and-development centers, and surrounded them with its strongest controls. From the jewels, security cascades down the organization as far as possible, based on budgets and resources. But network protection is never absent. "We still use a baseline [of security] on all our network nodes," says Thuotte. "You must have a user password to gain access."
Policies and Standards
Digital's computer security policy is actually a set of policies and standards that have evolved over the years. They are archived on the company intranet. At the highest level are policy guidelines regarding information security and employee responsibilities as network users. Security standards give specific instruction--for example, how long a privileged password should be used, or which antivirus package to use.
The policies and standards cover all employees, from the very top on down. New employees learn the security policy during initial training. Since the company's computer networks are constantly changing and evolving, Digital frequently updates its security standards. The changes are communicated through E-mail.
But policies, says Thuotte, are maximally effective only when business units and corporate functions share responsibility for maintaining security. At Digital, "the people in the field are incorporated into the ownership of information and network security," he says. "We don't want them to think we [security and IT] do it alone."
After the technology issues are solved and the policy points addressed, the unpredictable human element remains. There can be no ultimate answer to personnel problems, observes Ray Suarez, AltaVista marketing manager for Internet security products. At some point, "you have to trust."
And you also have to recognize the inevitability of error, which can cause more damage than any hacker can. "We use the best business practices we can," says Hall. "But you're never going to be able to prevent human error. There's so much technology, so much complexity out there." The best a company can do, adds Thuotte, is to "make sure the checks and balances are there. If someone does make a mistake, and if you can detect it as it's occurring, then you can prevent a major disruption."
Making Cyberspace Safe
------------------------------------------------------------------------ --------------- Consultants and vendors in the electronic commerce marketplace are confident of their ability to deliver secure business solutions. And they don't detect much anxiety in their would-be clients, either.
"I'd love to play a contrarian role and say [businesses are] paranoid," says David N. Dungan, managing director of CFO Solutions in the Chicago office of AnswerThink Consulting Group. "But I don't see that." Dungan says there is tremendous pent-up appetite for leveraging electronic commerce, centering around three areas: procurement, workflow, and information delivery. What about security concerns? "The perception is that it is a risk area," he responds, "but it is an area that can be managed, and managed effectively."
The evolution of electronic commerce has raised awareness of security exposures, "but it has fast-forwarded a lot of security solutions, too," adds Victor E. Thuotte Jr., corporate information security manager at Digital Equipment Corp.
Firewall technology, for instance, is rapidly improving. Encryption techniques are already strong enough to frustrate sophisticated hackers. The Secure Sockets Layer protocol used by Netscape and Microsoft in their Web browsers provides a widely available mechanism for securing point-to-point transmissions.
Authentication--is this buyer or seller really who he says he is?--is as critical to electronic commerce as encryption. Together, they make nonrepudiation possible. Authentication can be provided by digital signatures, which use public-key encryption techniques to "sign" messages; and digital certificates, which are issued by third parties to certify that a digital signature belongs to a specific owner. For credit-card transactions, the Secure Electronic Transaction protocol, which uses a digital certificate technology under development by MasterCard and Visa, will be available for merchant servers and Web browsers this year.
The electronic commerce application suites that are on or coming to the market--such as Actra's Commerce-Xpert, Sterling Commerce Inc.'s Gentran Web Suite, and Pandesic LLC's e-business solution--incorporate a number of security technologies. Such software suites enable companies to buy, sell, merchandise, and send messages and EDI over the Internet.
Pomeroy Computer Resources Inc., a computer reseller and system integrator, is currently rolling out SpaceWorks Inc.'s OrderManager, an Internet order processing, management, and fulfillment system. Pomeroy calls its version Pomeroy Online.
"Our customers will use it for product lookup, availability, and pricing," says Larry Lokey, director of professional services marketing. "We'll give them particular levels of authority to get into the system." Internet orders will be received by SpaceWorks's service bureau, in Rockville, Maryland, and then relayed to Pomeroy's Hebron, Kentucky, headquarters via a T-1 line.
As for security, "We're not really concerned about it," says Lokey. "Our orders come from commercial customers on a purchase-order basis. Everyone has a unique password to get beyond our Pomeroy Online icon. We don't have sensitive financial information going over the Internet."
Like Pomeroy's, much Internet commerce seems to be on pretty firm ground. Buyer and seller are yoked together by passwords and purchase orders, making fraud and theft difficult.
But it's never wise to assume that an application is secure. Security consultant David E. Cohen recalls a financial services firm with a bond-trading system that allowed customers with proper IDs and passwords to pass through its firewall--on a secure, dedicated line, no less. "But once they got to the internal system, they could get command-line access," he says, "and voilà--they had access to any other system. And all the user IDs were people's initials."