You Have a Security Problem but Y Curse IT?
Introduction
The explosive growth in the Web over the last few years is well known and, phenomenal though it is, it is not without areas of difficulty. Chief amongst these is the issue of security.
KPMG, in a recent highly critical and unflattering survey of the auto industry's lack of preparedness for e-business, stated that suppliers had been paralysed by a number of major concerns; heading the list was security and in particular the fear that proprietary information would be exposed to competitors. In the consumer field NFO Interactive cited security as the largest barrier to on-line purchasing. Bindview Corporation, a supplier of business software solutions, following a survey of 1000 professionals, the results of which were announced in March, noted that 78% were concerned about security and concluded that high-profile security lapses have caused lasting damage to consumer confidence in e-commerce.
Now it has to be said that whilst absolute security is an impossible goal, good technology exists in terms of software and hardware to provide at least a reasonable level of security (i.e. when compared with other activities) and arguably in some cases a high level of security. This raises the question of whether the concerns expressed above are well founded or based on misconceptions and perhaps ignorance.
Is it Safe?
On Christmas Eve last year the Naval Research Laboratory (NRL) in Washington DC was penetrated via the Internet by a hacker living in Sweden. The hacker gained access to vital programme codes controlling aspects of the US space programme in particular rockets and satellites. The codes could be used to upset the computer systems guiding various space programmes or for commercial advantage.
It is tempting to believe that a highly secure site succumbed to a sophisticated and successful attack. If so, logic suggests that less secure sites could also fall prey. In fact the security measures deployed by the NRL are not known, but given that the culprit was traced and apprehended with some speed it is likely that a relatively simple security loophole was overlooked and left unprotected. This is an important consideration to which we shall return.
How great is the Risk
The Computer Security Institute and the FBI, in research conducted with 563 companies, concluded that the average corporate network is subject to attack 12 to 15 times each year. This disturbingly high number is mitigated by the fact that 90% of attacks are perpetrated by amateurs who are for the most part cyber-joyriders. The remaining 10% comprise professionals potentially available for hire, and of those perhaps 0.1% are regarded as world-class cyber criminals.
The fact is that networks are in general vulnerable; Security Experts Inc attacks the networks of its clients to identify security weaknesses. In 2300 sanctioned attacks they have failed only twice. A further consideration is that attacks may go unnoticed. According to the US Defense Information Systems Agency 98% of attacks will be undetected in many companies. Even security-conscious government agencies have a typical detection rate of only 30%.
Those who know better can fall prey. Mighty Microsoft acknowledged they had been subject to an initially undetected hack that exposed critical source code to external agencies. Some reports suggested that Microsoft have had to check all changes made in the last three months to ensure that the code was not corrupted.
The bottom line, if you believe the statistics, is that the risk of attack is both real and probable.
What is at Risk?
The primary targets at a strategic level are easy to identify:
- Hardware
- Software (systems and applications)
- Data
It is useful however to also consider:
- Networks (a hybrid of hardware and software)
- Processes
All are potentially vulnerable. In the extreme you could lose control of your hardware or find your computers crashed and difficult to reboot; your network and servers might be overwhelmed and rendered inoperable; your website might be defaced; software can be corrupted along with the processes it supports; communications can be compromised whilst data can be destroyed, corrupted or stolen.
A recent survey by the US Computer Security Institute and the FBI suggested that the cost of cyber crime is rising rapidly. Of 538 organisations questioned, 85% had detected security breaches in the past 12 months, two thirds of which had resulted in financial loss. Most were unwilling to reveal details of the loss but the third that did reported losses in the region of £260M, attributable primarily to stolen proprietary information or financial fraud. Based on the available data the magnitude of the loss has increased by 90% over the previous year.
Primary Attack Vectors
Attacks can originate from a wide variety of sources. For example Russia, due to an unfortunate cocktail of high technical skills, low wage costs and limited employment opportunities, has been identified as the Mecca of hacking. According to the FBI unscrupulous organisations are known to hire the readily available skills to attack primarily Western companies. Indeed Russian hackers were recently blamed for the theft of more than a million credit card numbers. They were also suspected in the Microsoft hack referred to above.
Surprisingly even personal computers (PCs) unconnected to a network or the Internet are potentially vulnerable. Viruses can be spread by floppy disc and have even been known to be included on free-issue compact discs (as distributed with various magazines) as an unexpected and unwelcome "bonus". Further, PC monitors radiate the equivalent of a television signal and with the right equipment the data displayed can be intercepted and read up to 100 metres away. Security difficulties increase exponentially when connected to a network and the Internet.
The problem unfortunately is ultimately buried in the guts of how computers and networks (including the Internet) work. The seeds of vulnerability are essentially "built in". The whys and wherefores are beyond the scope of this article, but suffice it to say that if you are connected then you can be found. Your PC, when connected to the Internet, opens various ports (communication channels); indeed all sorts of software programmes that you may have installed might do so without you either asking or knowing. Amongst a hacker's toolkit is software to detect open ports; once detected, access may be gained to your system. Open ports however provide just one means of entry amongst many. A favourite technique is to use buffer overflows to attack a system. For example a field on a Web-based submission form might be designed to accept say 75 characters, but what might happen if the field is overloaded with say 10000 characters? Such techniques are commonly used to insert malicious code with the primary objective of usurping the programme currently being run and/or, if that programme is sufficiently privileged, taking control of the host.
Another favoured attack vector is e-mail. The proliferation of viruses is well known and the damage they can cause well publicised. Increased integration with the Web however has given rise to new vulnerabilities. Damaging payloads can be delivered via scripts attached to e-mails and increasingly there is concern over semantic viruses. These target data and the meaning of data. Once attacked your data may no longer be fully valid. One version known as a "data diddler" has already appeared. It could for example identify numerical data in a file and change it by multiplying by say 0.975. Such a small change may not be obvious but it could cause plenty of problems for banks, retailers, engineering companies and others.
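The defence against the "data diddler" described above is not to look for the tampering itself (a 2.5% change to a number is invisible to the eye) but to keep an integrity baseline and detect that anything changed at all. The following is an added example, not code from the article or from any product it mentions: it records a SHA-256 digest for a set of files, verifies them later, and shows that the scaled numbers fail the check. The file names, their contents and the tampering routine are all constructed for the example.

```python
import hashlib
from typing import Dict, List

# Constructed sample "files": name -> contents. In a real deployment these
# would be read from disk; here they are embedded so the example runs offline.
ORIGINAL_FILES: Dict[str, bytes] = {
    "ledger.csv": b"invoice,amount\n1001,2000.00\n1002,1540.00\n",
    "config.ini": b"[db]\nhost=db.example.internal\n",
}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest for every file. Keep the result somewhere the
    production system cannot write to (read-only media, a separate host),
    otherwise an intruder simply rewrites the baseline too."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Compare current contents against the baseline. Returns a list of
    findings (modified, missing, new); an empty list means nothing changed."""
    findings = []
    for name, expected in baseline.items():
        if name not in files:
            findings.append(f"MISSING: {name}")
            continue
        if hashlib.sha256(files[name]).hexdigest() != expected:
            findings.append(f"MODIFIED: {name}")
    for name in files:
        if name not in baseline:
            findings.append(f"NEW: {name}")
    return findings


def simulate_tampering(data: bytes, factor: float = 0.975) -> bytes:
    """Constructed stand-in for the article's 'data diddler': scale every
    numeric CSV cell by a small factor. Used here only so the check has
    something to catch; non-numeric cells are left alone."""
    out = []
    for line in data.decode().splitlines():
        cells = []
        for cell in line.split(","):
            try:
                cells.append(f"{float(cell) * factor:.2f}")
            except ValueError:
                cells.append(cell)
        out.append(",".join(cells))
    return ("\n".join(out) + "\n").encode()


if __name__ == "__main__":
    baseline = build_baseline(ORIGINAL_FILES)
    current = dict(ORIGINAL_FILES)
    current["ledger.csv"] = simulate_tampering(ORIGINAL_FILES["ledger.csv"])
    for finding in verify(current, baseline):
        print(finding)
```

The digest comparison is indifferent to how small the change is, which is exactly the property needed against an attack designed to stay below the threshold of human notice; the weak point of the scheme is where the baseline is stored, hence the comment in `build_baseline`.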
Data transmitted over the Internet is vulnerable to interception. Indeed many problems arise through transmitted passwords being intercepted by sniffer programs, thus compromising security. The exposure extends to other forms of confidential information such as credit card details.
Hackers also exploit known potential weaknesses in common software. Microsoft's Internet Information Server (IIS) has a component called Remote Data Services (RDS). If IIS is not properly set up RDS could permit a hacker who gains access to run remote commands with administrator privileges, in other words to do anything they please. "Backdoors", or secret entry points to programs often left by developers for administrative (or sometimes less savoury) reasons, are more common than they should be. Cart32, developers of shopping cart transaction software, were embarrassed when the password to one of their backdoors was published on a Web site, potentially exposing the credit card details of anyone using the software.
Six Top Security Weaknesses
| Attack Vector | Threat (e.g.) | Counter |
| --- | --- | --- |
| E-mail virus | Loss, theft or corruption of data. System problems. Back-door access. | Up-to-date anti-virus software and appropriate firewall protection. |
| Microsoft IIS | Weakness in the RDS component may provide back-door access with administrator privileges. | Proper installation. Apply all programme updates and consult the IIS technical manual. |
| File sharing | With file sharing activated others have access to your files, potentially anyone on the Internet. | Turn file sharing off if not needed. If it has to be on, use robust password protection. |
| CGI scripts | Some vendor-supplied examples and poorly written scripts may have security holes, leaving Web sites vulnerable. | Remove unsafe scripts from the WWW server. |
| User accounts with inadequate passwords | Some systems are installed with default, guest or no passwords, and sometimes these are never changed. Hackers know the defaults and common passwords and may gain full system access. | Robust password procedures. Change all default passwords. Check for weak passwords, e.g. by running a password-checking programme to identify weak links. |
| Vulnerable versions of BIND (Berkeley Internet Name Domain) server | Linux and possibly Unix systems running older versions of BIND (which translate text-based Web addresses to numeric IP addresses) are vulnerable to "Lion", a dangerous worm. The worm can steal passwords and install other hacking tools. | The only defence is to upgrade BIND to a more current version. A recently developed utility can detect whether a Linux system has been infected [www.sans.org/y2k/lionfind-0.1.tar.gz]. |
That being said, the primary attack vector is from within. It is a worrying fact that some 75% to 80% of security breaches are initiated in-house. Insiders know the security measures, what kind of information there is and where it is stored. Statistically the greatest threat originates from (some of) your employees or former employees.
Protection
Fortunately being a (potential) "hackee" is not all bad news. There are defence mechanisms readily available capable of providing a level of protection that should defeat all except perhaps the hacker elite. These include:
- User names and passwords
- Data encryption
- Anti virus software
- Firewalls
- Knowledgeable users
- Intrusion detection software
- ICT good housekeeping standards
There is however a catch. We hackees have to commit to being serious about security. Current evidence suggests we are not:
Recent research by Mori covering 300 UK Internet companies revealed a "dangerously low level of awareness of risks from technology". Corporate Britain in so far as security is concerned was described as naive and in the grip of widespread uncertainty stemming from ill informed management structures. Only 24% of larger organisations and 18% of small companies even acknowledged that they were exposed.
Complacency is rife, with over half of the 300 companies questioned believing that most risks were covered whilst not actually having sufficient measures in place. Safeonline, a security firm sponsoring the study, added that most businesses found it hard to identify exposures, with the result that the majority run the risk of unnecessary financial loss.
A swingeing condemnation, but few organisations can truly claim the following:
- User names and passwords are properly controlled. Passwords must be at least ten characters long and must contain a mix of alphabetic and numeric characters. Passwords are changed on a regular basis. Passwords are never written down or divulged to anyone. The user names and passwords of leavers are immediately deleted from the system and cannot be reused. Passwords, when transmitted over the network, are encrypted.
Hackers will often use databases of commonly used passwords to crack security. Check the following site to see if your password is listed: http://www.outpost9.com/files/WordLists.html. A common method of finding a password is to pose as a member of the IT department and phone a user suggesting that the password is needed for a systems test.
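The password rules in the item above (minimum length, mixed letters and digits, no reuse, nothing from a published wordlist or a vendor default) are mechanical enough to enforce at the moment a password is set. The following added example, which is not code from the article, implements that check in Python; the wordlist and default-password set are small constructed stand-ins for the published lists the article points to, and a real deployment would load a large list from a file.

```python
import re
from typing import List, Sequence, Set

# Constructed stand-in for a published wordlist of commonly used passwords.
COMMON_PASSWORDS: Set[str] = {
    "password", "letmein", "qwerty", "welcome", "monkey", "football", "iloveyou",
}

# Constructed stand-in for vendor default / guest credentials left on new systems.
DEFAULT_PASSWORDS: Set[str] = {"admin", "guest", "changeme", "default", ""}

MIN_LENGTH = 10  # the article's "at least ten" rule


def check_password(candidate: str, previous: Sequence[str] = ()) -> List[str]:
    """Return the list of policy rules the candidate breaks; an empty list
    means it passes. `previous` holds the account's earlier passwords so
    reuse can be refused."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digits")

    lowered = candidate.lower()
    listed = COMMON_PASSWORDS | DEFAULT_PASSWORDS
    if lowered in listed:
        problems.append("appears in a common/default password list")
    # "Welcome12345" is just "welcome" with a counter bolted on; cracking
    # tools try exactly that, so strip trailing digits and check again.
    stem = re.sub(r"[0-9]+$", "", lowered)
    if stem != lowered and stem in listed:
        problems.append("is a listed password with digits appended")

    if candidate in previous:
        problems.append("reuses a previous password")
    return problems


def review_change_requests(requests: dict) -> dict:
    """Run the policy over a batch of password-change requests
    (user -> new password) and report only the ones that must be refused."""
    report = {}
    for user, new_password in requests.items():
        problems = check_password(new_password)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    # Constructed sample requests for the demonstration.
    sample = {"asmith": "Welcome12345", "bjones": "Tr0ub4dor&3x", "guest": "guest"}
    for user, problems in review_change_requests(sample).items():
        print(user, "->", "; ".join(problems))
```

The check is applied at the point of change rather than to stored passwords, since a properly run system holds only hashes; auditing existing accounts for weak passwords, as the table above suggests, is done by running a password-checking programme against those hashes instead.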
- All sensitive data is strongly encrypted. Encryption when properly set up is relatively inexpensive and highly effective. Many transactional Web sites (e.g. for credit card details) use strong 128 bit encryption. It is important to understand however that often the encryption is only one way. The details that you submit may be encrypted but information received back may not be.
Care in particular should be taken with e-mails. It is all too easy to send e-mails to the wrong people. Attachments can also pose problems. One commonly used e-mail programme sent not just the required attachments but the file names of other documents stored in the same directory; potentially embarrassing if descriptive file names are used. The file names were not ordinarily visible to the recipient of the e-mail but could be viewed with a particular e-mail reader
- Anti virus software has been installed on all computers. Virus signatures are updated at least weekly.
New viruses are discovered with alarming regularity. Many are relatively harmless but some are not. Anti virus companies release updates at least weekly. If your virus software is not up to date then you risk needless exposure
- Personal firewalls have been set up on all PCs connected individually to the Internet. The entire corporate network is protected by a robust firewall. Firewall settings have been customised by a knowledgeable individual based on perceived risks; default settings, unless appropriate, are not used. Firewall customisation is periodically reviewed.
Even individual PCs connected to the Internet are vulnerable, particularly when connected via an always-on connection such as ADSL. A free firewall is available from www.zonealarm.com. The highly rated professional version costs about $20 and can render your PC "invisible" to hackers and block a multitude of attacks not necessarily covered by anti-virus software. Networks need a more sophisticated approach.
- Users receive appropriate and periodic training on security awareness. They are for example aware of the need for rigorous password procedures. They are alert for suspicious e-mails. They know what is inside and what is outside the firewall and would not post sensitive documents to an unsafe area.
The recent "naked wife" virus transmitted by e-mail carries the message "my wife never looks like that! :-) Best Regards." Its payload if delivered to a naive user will trash your system files. Users must be educated to know better than to open such messages.
A few months ago Barclays Bank inadvertently displayed publicly the confidential account information of some of its clients. The mistake, they claimed, was not the result of a system breach but of clerical error.
- The network and system are regularly checked to ensure that they have not been penetrated. Investigators should be alert for the following: an excessive number of log-on failures and dial-in attempts; unexpected network or system crashes; unidentified accounts added to the system and file server; unusual or high system activity when users are not logged on (e.g. after normal hours) and unauthorised changes made to system files and system software. Network intrusion software should also be used for performing protocol analysis and content searching/matching. It is also useful in detecting a variety of attacks and probes, such as buffer overflow, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Hackers once they penetrate your system will often seek to "keep a foot in the door." One technique is to create a series of accounts using assumed names. Frequently they will try to grant themselves administrator level permissions, giving them the run of your computer whenever they choose.
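The warning signs listed in the item above (runs of log-on failures, activity out of hours, accounts appearing on the system and then being granted administrator rights) can be watched for mechanically. The following added example, not code from the article or from any intrusion-detection product it mentions, runs those checks over a handful of constructed log lines. The log layout, host name, account names, addresses, thresholds and the working-hours window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines in a simple syslog-like layout; the format is an
# assumption for this example, not any particular product's output.
SAMPLE_LOG = """\
2001-03-12 09:02:11 fileserver auth: LOGIN OK user=asmith src=10.0.1.15
2001-03-12 23:41:03 fileserver auth: LOGIN FAIL user=administrator src=203.0.113.9
2001-03-12 23:41:05 fileserver auth: LOGIN FAIL user=administrator src=203.0.113.9
2001-03-12 23:41:07 fileserver auth: LOGIN FAIL user=administrator src=203.0.113.9
2001-03-12 23:41:09 fileserver auth: LOGIN FAIL user=administrator src=203.0.113.9
2001-03-12 23:41:11 fileserver auth: LOGIN FAIL user=administrator src=203.0.113.9
2001-03-12 23:41:20 fileserver auth: LOGIN OK user=administrator src=203.0.113.9
2001-03-12 23:42:02 fileserver account: USERADD user=backup2 by=administrator
2001-03-12 23:42:30 fileserver account: GROUPADD user=backup2 group=Administrators by=administrator
2001-03-13 08:15:44 fileserver auth: LOGIN OK user=asmith src=10.0.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\w+): "
    r"(?P<event>[A-Z]+(?: [A-Z]+)?) (?P<fields>.*)$"
)

FAIL_THRESHOLD = 5                 # failures from one source for one account...
FAIL_WINDOW = timedelta(minutes=10)  # ...within this window raise an alert
WORK_START, WORK_END = 7, 19       # hours; a log-on outside this range is "after hours"
ADMIN_GROUPS = {"Administrators", "wheel", "root"}


def parse(line: str) -> Optional[Dict]:
    """Split one log line into timestamp, host, facility, event and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["fields"] = dict(kv.split("=", 1) for kv in rec["fields"].split())
    return rec


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per warning sign found, in log order."""
    alerts: List[str] = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failed log-ons
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ev, f, ts = rec["event"], rec["fields"], rec["ts"]
        if ev == "LOGIN FAIL":
            key = (f["user"], f["src"])
            recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:  # fire once, on crossing the threshold
                alerts.append(f"{ts} excessive log-on failures for {f['user']} from {f['src']}")
        elif ev == "LOGIN OK":
            if not WORK_START <= ts.hour < WORK_END:
                alerts.append(f"{ts} after-hours log-on by {f['user']} from {f['src']}")
            if len(failures.get((f["user"], f["src"]), [])) >= FAIL_THRESHOLD:
                alerts.append(f"{ts} log-on by {f['user']} succeeded after repeated failures")
        elif ev == "USERADD":
            alerts.append(f"{ts} account {f['user']} created by {f['by']}")
        elif ev == "GROUPADD" and f["group"] in ADMIN_GROUPS:
            alerts.append(f"{ts} {f['user']} granted {f['group']} by {f['by']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each rule on its own is noisy (administrators do work late, accounts do get created), which is why the output is a list of alerts for a person to read in sequence rather than a verdict: the combination of a brute-forced log-on, an unfamiliar account and an administrator-group change within two minutes is the "foot in the door" pattern described above.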
- The IT department has robust "housekeeping" routines involving data backup, network maintenance, security procedures and software verification. In particular all security related fixes and updates are immediately applied.
Even the best get it wrong some of the time. Microsoft, it is reported, were hacked when they fell victim to the "QAZ Trojan" virus delivered by e-mail. One security expert was quoted as saying "a decent firewall or updated anti virus software should have stopped this happening." It has also been suggested that Microsoft would not have been vulnerable had they applied one of their own freely available patches.
Microsoft however are not alone. RSA Security Inc, "the most trusted name in e-security", failed to adequately protect their web site. Rather embarrassingly for the company it was hacked; see http://www.2600.com/hacked_pages/2000/02/www.rsa.com/
The Bottom Line
The need for security measures is real; however, a lack of awareness as to the risks often results in misapplied countermeasures. Technology in terms of hardware and software is available to provide a good degree of protection (so "y curse IT"), but people are the key. Any connected organisation should increase the level of security awareness amongst its employees and introduce rigorous procedures that are not solely the province of the IT department, although clearly IT staff are crucial to the process. In short the organisation must develop a security "culture" or risk the consequences. To quote a Russian hacker:
"Let me say that we know very well the insides of the software used on many websites. And so we know where the holes are. But you make it easy by not fixing even what you can fix. And so we visit. Hello!"
Author: Chris Fleetwood
(Y curse IT is of course an anagram of security)
This document is copyright and may not be reproduced in whole or in part without the permission of io solutions who retain full rights.