Computer Security in Business
It is 1994. A Russian hacker named Vladimir Levin and a group of accomplices are sitting at a desk in a computer office somewhere in St. Petersburg. There, Levin electronically transfers $11 million from Citibank’s New York-based mainframes to Finland, Israel, and California. This all occurred under the watch of one of Citibank’s top information officers in charge of security, Colin Crook. This frightening occurrence is not a rare event; many businesses are finding that their computer systems’ security is being bypassed and that their private files are being invaded. As businesses begin to rely more heavily on the Internet for information exchange and sales, these events are only likely to increase.
Just a few of the companies that have fallen victim to these malevolent hackers are AOL, Boeing, Intel, Netscape, Sun Microsystems, and, ironically enough, the Pentagon, which just a few decades earlier had made the Internet for military use. A recent survey of corporations found that these businesses are not alone: approximately 53% of 428 U.S. corporations fell victim to viruses and 42% had had some unauthorized use of their systems. (These figures may also be small, because some corporations do not want it known that their files have been intruded upon; it could cause some uneasiness among their clients and stockholders.) It is also estimated that the cost to U.S. corporations each year exceeds $63 billion and that one half of these attacks come from the outside, normally through the Internet.
Companies like the Bank of Montreal, Toronto Dominion, Master Card, and Visa that wish to take advantage of the Internet, together with the clients and potential clients who would use the services these companies provide, must do something to aid in the defense of their files. It is literally warfare. “We need the equivalent of the Manhattan Project to help us harden our data infrastructures against attack,” said U.S. Deputy Attorney General Jamie Gorelick at last February’s National Security in the Information Age Conference.
Companies are implementing firewalls which they hope will be their equivalent of the Manhattan Project. These firewalls act as gatekeepers that check the passwords and identification of anyone trying to gain access to a network. However, firewalls are not entirely effective against the malicious attempts of hackers. They rely primarily on passwords to determine who has access to what files, and users often choose very simple passwords such as a date of birth or the name of a child or some other loved one. Such passwords are fairly easy to guess, but more complex passwords can also be bypassed. In one situation, a hacker used a program which simply ran through every permutation of characters until the system let him in. Hackers may also send e-mail to a network that installs malicious code, which may shut down the network or allow them to gain access at a later time. Most good firewalls do not allow the e-mail systems to touch the rest of the network, and in this manner they eliminate the risk. Another, more practical downfall of firewalls is that they are very expensive; often they run around $15,000 per site. It is also important to remember that firewalls should be placed at all critical and vulnerable junctures in a system. An analogy made by Mr. Lipsett in the December 1996 issue of Client/Server World, on page 9, states the importance of using firewalls together with other security programs:
“A firewall is like the lock on the front door. But if I had important information in my desk, I’d also lock the door to my suite, my office door, and my desk drawer. If it’s very valuable, I’d probably have alarms in case someone broke in through the windows. I might also use night watchmen and motion detectors.”
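The two password weaknesses described above (passwords built from a birth date or a loved one's name, and a program that tries every permutation until it is let in) can both be countered at the login gate. The sketch below is an added example, not code from any product or source the essay cites; the names `personal_tokens`, `is_guessable`, and `LoginGate`, the five-failure limit, and the sample user data are all assumptions made for illustration.

```python
import re
from datetime import date

def search_space(length, alphabet_size):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length

def personal_tokens(names, birth):
    """Strings a user is likely to reuse: family names and birth-date forms."""
    tokens = {n.lower() for n in names if len(n) >= 3}
    d, m, y = f"{birth.day:02d}", f"{birth.month:02d}", str(birth.year)
    tokens |= {d + m + y, m + d + y, y + m + d, d + m + y[2:], m + d + y[2:], y}
    return tokens

def is_guessable(password, tokens):
    """True if the password, stripped of punctuation, contains a personal token."""
    flat = re.sub(r"[^a-z0-9]", "", password.lower())
    return any(t in flat for t in tokens)

class LoginGate:
    """Locks an account after max_failures consecutive wrong passwords,
    so trying every permutation stops after a handful of guesses.
    Unlocking (timeout or administrator action) is not shown."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, user, password_ok):
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"          # refused even if the guess is now right
        if password_ok:
            self.failures[user] = 0
            return "granted"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

# Constructed sample user: child "Emma", pet "Rex", born 7 March 1961.
TOKENS = personal_tokens(["Emma", "Rex"], date(1961, 3, 7))

if __name__ == "__main__":
    for pw in ("Emma1961!", "07/03/61", "tr7#Qv!m2Lk"):
        print(pw, "-> rejected" if is_guessable(pw, TOKENS) else "-> accepted")
    print("4 lowercase letters:", search_space(4, 26), "candidates")
    gate = LoginGate()
    print([gate.attempt("alice", False) for _ in range(6)])
```
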
Encryption is often the next line of defense against the hacker. Firewalls simply block out certain files for certain users and their passwords, while encryption changes these files to encoded text that no one can read without the correct encryption program and the correct key to unlock those files. Encryption has proven itself useful to Master Card and Visa, which wish to allow their customers to use their services on the Internet. “If encryption were universally used, it wouldn’t matter how secure Firewalls, browsers, or Java were. Nobody would be able to read what they stole,” says Information Security’s Matchett.
Encryption also has some serious historical downfalls. During the American Civil War the Union had a unique encryption system, but it was not complex enough to stop the Confederates from decoding it and learning the Union’s plans, which turned out to be deadly for the Union. Likewise, during the Second World War the Germans had an encryption code, which the English called Enigma, that was eventually broken, revealing German plans. These examples serve as reminders to the encryption industry that no system is invulnerable.
The biggest threat to some corporations is the dishonest employee who may be disgruntled and becomes a prime target for use by other corporations in corporate spying. You may have the best encryption and firewall systems, but they can do you no good if an authorized user turns coat. (An example of such treachery appears in PC World Online’s November 1996 issue, on pages four and five, which states that William Gaede, a disgruntled Intel supervisor, was intent a couple of years ago on stealing the blueprints for the Pentium chip and selling them to the competition. He attempted to do so but was caught.)
Often an important point of view is neglected, that of the hacker. From my point of view they are contemptible malcontents who do not deserve a place in society. However, they see themselves in a considerably different light. Here is a quote taken from an article I found online in November at http://www.acilink.net/~pmazuc/txt/hack_em.txt (if you wanted to visit the page).
“Welcome to the world of hacking! We, the people who live outside of the normal rules, and have been scorned and even arrested by those from the ‘civilized world’, are becoming scarcer every day. This is due to the greater fear of what a good hacker (skill wise, no moral judgements here) can do nowadays, thus causing anti-hacker sentiment in the masses. Also, few hackers seem to actually know about the computer systems they hack, or what equipment they will run into on the front end, or what they could do wrong on a system to alert the ‘higher’ authorities who monitor the system.”
He goes on to outline the how-to’s of hacking VAXs and networks. Hackers seem to hold themselves in high regard and believe that they have the ‘right’ to do what they do. Some of their actions include stealing or destroying data, disabling protection systems, and shutting down networks. They may often just break into a system to get passwords to sell to other hackers. More benign hacking can include personalization and use of computers in a manner in which they are not meant to be used.
Compounding the problem of hacking is often the unwillingness of businesses to prepare themselves properly. This may seem illogical at first, but when all factors are considered, for some businesses it is the only possible course of action. The cost of a good security system can be phenomenal. Here is a price list taken from a November 1996 issue of PC World Online (no author indicated):
- $1,250: Smart Card-based password system.
- $5,000: Anti-virus software, $100 per workstation.
- $15,000: Firewall to protect the internal network and e-mail and Internet connections.
- $75,000: Encryption hardware and software, usually a card but sometimes a standalone box, at $1,500 per workstation.
$96,250 TOTAL PRICE FOR SECURITY SYSTEM
Plus additional costs to maintain the system.
In the future, electronic commerce will gradually play a more and more important part in our lives. Several trends will emerge, such as “the integration of functionality into monolithic programs that do everything imaginable,” as stated by V-ONE Electronic Commerce & Security. As well, in a few years you will be able to perform bank transactions, edit files, and send e-mail using a common interface, and the security market will most likely become massive (again, as stated by V-ONE Securities).
It becomes clear that the computer systems of businesses are vulnerable structures. They require considerable improvement to keep out the hacker whose sole intent is to cause harm. We have made some significant advances in computers to date. However, our methods of securing these systems from prying eyes are still catching up. I am confident that we will eventually reach a point of relative security, but it is important to remember that there are always imperfections in any system and there are always people lurking in the shadows who would exploit these deficiencies. Only in preparing ourselves for the worst is it possible to feel secure.
Bibliography
Glen, Ron. “Firewalls: The Perimeter Defense”. Client/Server World. December 1996. pp. 8-9 & 12-13.
Imrryr, Elric. “The Basics of Hacking: Intro”. The Basics of Hacking. http://www.acilink.net/~pmazuc/txt/hack_em.txt (November 1996).
Rothfeder, Jeffrey. “Hacked! Are Your Company’s Files Safe?”. PC World Online. http://www.pcworld.com/s...nov96/1411p1/va.html. November 1996, pp. 1-7.
Unstated. “Show Report: Firewalls, Web and Internet Security Conference”. PC World Online. http://www.pcworld.com/s...nov96/1411p1/va.html. November 1996, pp. 1-2.