Most organisations rely heavily on computer systems to actually run the business, so IT security is of fundamental importance. But computer security involves more than just installing anti-virus and encryption software on the company network. For effective security on a mainframe/PC set-up, a client-server, Internet-connected or even standalone PC, you need an agreed policy.
There are four main stages to setting up a security system - assessment, risk analysis, planning and implementation. You also need to put in place an ongoing review of security, because computer hardware and software are often updated and working practices change. Indeed, the assessment stage should map out the framework of a company's security policy over several years; it should not be considered as just a one-off project.
It is important for both the management and the IT department to work together to assess the best security strategy for the company. Most IT and administrative managers think that computer hackers and viruses pose the most serious threats to security, but there are other problem areas.
For example, there is potential for computer-related fraud; industrial espionage; use and misuse of electronic transmissions, especially with money; and the invasion of privacy.
What is the true cost of crime?
In the US, a recent study conducted by Michigan State University of 200 businesses found that 93.6 per cent have been victims of computer crime.
An astonishing 43.3 per cent of these have been targeted at least 25 times.
The research shows a substantial increase in computer virus infections and harassment of staff through computer networks, as well as a significant increase in hacking. The study also indicated that computer thefts are most commonly committed by employees and contract workers.
David Carter, professor of criminal justice at Michigan State University, says: 'This will undoubtedly grow with the increased numbers of computers, more networking and wider computer literacy.' He adds that there is also an increasing threat of computer crime from organised groups in Eastern Europe.
Carter claims it is difficult to put a figure on many of the thefts because they represent intellectual property, such as client lists and pricing information. 'Other research does provide some insight,' he says. 'For example, the British Banking Association estimates that computer fraud is costing $8bn a year or $22.4m a day.' The study highlights the distinction between the average business fraud that amasses $23,000, and the average business fraud involving computers which tops $500,000.
The Michigan study concludes that there are some ways to protect your company against IT crime. It suggests that you should train employees in security-related issues while stressing their own responsibilities, and also control access to computers. It also highlights the benefits of operations security, which includes screening personnel, supervision, systems monitoring, cryptography and regular password changes.
The most common computer-related abuses reported by the survey's respondents were:
Credit-card fraud: 96.6 per cent
Telecoms fraud: 96.6 per cent
Staff using computers for personal reasons: 96 per cent
Unauthorised access to computer files for snooping: 95.1 per cent
Cellular phone fraud: 94.5 per cent
Unlawful copying of copyrighted or licensed software: 91.2 per cent
In addition, the report highlights that over the past five years there have been dramatic increases in:
Theft of client or customer information: 81 per cent
Theft or attempted theft of trade secrets: 77.6 per cent
Theft of new product plans: 76.7 per cent
Theft or attempted theft of product descriptions: 75.7 per cent
Unauthorised computer access to confidential employee information: 74.5 per cent
Unauthorised computer access to confidential business information: 74.4 per cent
Theft or attempted theft of money: 72.2 per cent
Theft or attempted theft of product pricing data: 71.8 per cent
Another survey, commissioned by Information Week and Ernst & Young in the US, claims there have been significant IT losses at several major US companies. This is mainly because of lack of confidence in information security, widespread Internet access and the increase in harmful attacks by insiders.
The survey shows that 54 per cent of the 1,320 respondents have experienced losses in the last two years because of IT problems and disasters. Adding computer viruses to the mix boosted the number to 78 per cent.
According to the report, significant losses were the result of malicious acts perpetrated by company insiders (32 per cent), malicious acts by outsiders (18 per cent), natural disasters (25 per cent) and industrial espionage (six per cent).
A total of 71 per cent of the executives questioned said they felt that their company's computer network was vulnerable to internal and external attack.
According to a survey by research and consultancy group Xephon, less than 60 per cent of large UK enterprises questioned have a formal IT security policy. Of the 351 organisations worldwide that took part in the survey, 210 had some kind of security policy. However, only one fifth of those sites with a policy based it on open standards, such as ISO or ANSI.
Mark Lillycrop, research director at Xephon, says that few companies stick to security standards because IT security tends to be individually tailored to a company's needs.
He adds: 'It also suggests that standards are not keeping up with changes. More formal security policies will be essential when large companies start to do serious business on the Internet.'
The Xephon survey shows that fewer than one in six sites surveyed have suffered some kind of system violation in the past five years. But the risk of an attack on the system coming from an employee, rather than from someone outside the company, was regarded as far higher.
One particularly weak spot highlighted in the research is portable PCs.
One in 10 sites in the survey reported that four per cent or more of their portable computers had gone missing in 1995. Yet about two-thirds of portable PCs had no form of data protection. A third of portables had access control packages, while only three per cent were covered by data encryption technology.
Is your company under threat?
Risk analysis assesses the threats to your corporate network. According to electronics giant, Siemens, telephone hacking is costing UK businesses millions of pounds every year. The company recently published a research report on the subject to support its claims.
The survey, Corporate Security: An Investigation into Telephone Fraud in the UK, is based on interviews with senior representatives from 300 of The Times' Top 500 organisations.
It claims that phone hackers take advantage of companies' ignorance of how their phone systems work. Because of this, organisations don't set up effective security measures. And, once hackers get into a company's phone system, they can sell access numbers to third parties, who then sell on the illegal phone time.
Barry Hannam, managing director at Siemens Business Communication Systems, says: 'Unless the UK decision makers act to eliminate this crime, telephone fraud will be a chink in UK industry's corporate security armour, and could dramatically affect its financial success.'
An extensive risk analysis should form the basis of an organisation's security plan. The analysis may show that computer users who have access to the LAN can steal, modify and even destroy valuable information.
The analysis should also work out the probability of this happening.
You can do a basic cost-benefit analysis by comparing the likely loss, weighed against the probability of the event happening, to the cost of taking effective security measures.
How do you develop a security plan?
A risk analysis may bring to light potential problems which lead naturally to their own solutions. For example, it could show that attaching your computer system to the public telephone network is a high risk. This can be reduced by switching to leased lines, especially if the data across those links is encrypted.
Some of the recommendations of an analysis may not be popular with staff.
All employees should be made aware that the company is undertaking a security review for long-term benefit. The best way to do this difficult job is to give staff a basic working document that outlines the parameters of the project.
There may also be managers who are reluctant to treat the security review seriously. To combat this you could use the analysis to produce a schedule of possible losses, balanced against the cost of protecting a system against such potential losses. This should alert them to the catastrophic consequences of ignoring security risks. It will also persuade financial managers of the cost-effectiveness of implementing a security policy. It's worth noting that the cost of electronic, as opposed to physical security systems is falling all the time.
Setting up a policy as the result of a security review often involves educating staff about the reasons for a change. For your security policy to be effective, you need to give staff guidance notes. These can include broad details of the security setup in the computer system, and can also be included in information given to new employees.
Defining the types of security
It is important to categorise the main types of security systems. We've chosen four main areas of IT security in this feature - anti-virus, telecoms and Internet/LAN.
How can you protect against viruses?
Although viruses are not a major problem, they do pose a threat to the integrity of a computer system. This is because, when they strike, they can devastate the whole system and, worse still, can be passed on to other PCs as a result of disk swapping.
Dr Solomon's Software, previously S&S International, is one of the oldest anti-virus software solution companies in the IT security industry. It has recently developed a Management Edition of its anti-virus toolkit which aims to help IT departments manage anti-virus software on networks.
The first release of the software caters for Windows NT-based servers, Windows for Workgroups systems, Windows 95 and Windows NT systems. There are plans for future versions to provide similar facilities for Novell Netware-based networks.
Mike Hill, director of product marketing at Dr Solomon's, says: 'The key purpose of the Management Edition is to co-ordinate and control the protection of the entire network by treating it as a single entity. This is particularly helpful for companies with increasing numbers of workstations and servers.'
The software splits neatly into four main modules - scheduler, task scheduler, response manager and messaging agent. All these facilities are set up and configured by the management console, which distributes operational elements of the Management Edition and anti-virus toolkit to selected machines. The package is expected to ship in the first quarter of 1997, with a price tag of about £400.
Mimesweeper
Mimesweeper 2.4 for Windows NT 4.0 is the latest version of Integralis' email security/anti-virus application.
The software claims to offer network managers tighter security and fast email analysis rates. The company says it is also the only content security package that can intercept and analyse Microsoft CDA and Binhex attachments.
Mimesweeper supports secure Internet mail, cc:Mail and Novell Groupwise email. Integralis claims it is transparent to the mail system and the associated network.
Designed as an anti-virus package for email systems, Mimesweeper automatically scans all inbound and outbound email. It breaks down messages and complex components before analysing them for viruses.
With this package, network managers can control email users, add legal disclaimers, archive email contents, limit the size of attachments, stop junk email and prevent unauthorised transmissions of confidential information.
David Guyatt, business development manager at Integralis, says: 'The most important news about Mimesweeper 2.4 is that it can process messages faster than any other package on the market, without affecting detection rates.'
According to Guyatt, migrating Mimesweeper to the Windows NT platform means that business users of PCs linked on a network can ensure their workstations are free from viruses arriving via email attachments. Integralis' Web site is at www.integralis.co.uk.
Verdict: available in many different versions, Mimesweeper 2.4 is a useful hybrid - an anti-virus system designed for real-world, automatic, email scanning. It is virtually unique in the market.
How can you protect telecoms?
Telecoms fraud is fast becoming a major problem. The scams employed by criminals are highly complex, drawing on technologies that switchboard managers don't understand. Today, DP and IT managers are being called in to solve this growing problem.
Because telecom charges represent a significant slice of a company's expenditure, the potential for a fraud, or series of frauds, to bring a company down is almost as great as that of a computer disaster.
One of the latest telecom frauds to hit companies is 'looping'. This involves thieves breaking into telephone junction boxes in the street and tapping into the lines of businesses and homes. The lines are then used for unauthorised international phone calls which are sold at cut-down rates.
This crime has been made possible as a result of a little-known change in BT's network system. Most telephone subscribers in the UK are not directly connected to the exchange. Instead, local loop circuits are terminated on a nearby digital concentrator that converts the analogue signals of a standard phone line into a digital datastream.
The concentrators then route the call, multiplexed with others, across single or multiple 2Mbits/sec links into the exchange proper. The system works with the concentrator flagging a call with the appropriate ID number of a given subscriber line.
Because it is the concentrator that decides which account to charge for calls, more than one concentrator can flag the same account as billable for the calls. A knowledgeable hacker or telecoms engineer could use their skills to carry out such a theft.
Until spring 1996, telecoms companies knew where a call originated, and programmed their networks accordingly. Since then, however, UK telecoms companies have had to allow for number portability on their networks.
This means that BT subscribers, for example, can migrate their line to a cable company, but keep the same phone number.
In theory, calls from a given number can originate from almost any point on the UK phone network, rather than from a given digital concentrator.
Secure-out
Secure-out is a secure modem pool system aimed at organisations that need secure and controlled modem dial-out facilities for their LAN or enterprise-wide network.
The system can be customised and configured to work with almost any Hayes-compatible modem or ISDN device. It can also be tailored to work with non-standard communications channels, such as leased line links to specialist services.
This kind of flexibility makes Secure-out a very powerful system. Yet it is relatively cheap for a security dial-out solution, with prices starting from £3,995 for an eight-line version. Informer Systems, who manufacture Secure-out, claims this should be adequate for a company network with 200-plus terminals.
The driver software for Secure-out is programmed in Modula 2, a language that supports customisation to a high degree.
There's also an enhanced version of Secure-out available that supports ISDN Primary Rate lines, and copes with Primary Rate's main security flaw - that of spoofing.
Spoofing is the term for what a network device, such as an ISDN card, does when it fools a network into thinking that an on-demand, virtual link, such as an ISDN channel, is open all the time. In fact, the ISDN channel is usually only open while data is flowing, because ISDN channels can be established in fractions of a second.
However, the problem with spoofing is that, when the link is broken and re-established, hackers can get to work. Informer Systems claims that Secure-out provides a safeguard against spoofing because of its authentication procedures.
The Secure-out system can be engineered to support simple password protection and audit trails. This covers everything from LAN access to the dial-out modem pool, right through authentication and, if appropriate, the use of biometrics and/or independent PIN systems.
Verdict: Secure-out is an extremely secure and robust dial-out system that is several steps beyond conventional and insecure modem pool systems.
Any company that is considering the added security of dial-out technology should take a look at this.
How can you protect your LAN?
One of the main reasons the Internet is so successful is because it is based on a relatively simple set of standards. Unfortunately for users, while the Net is a global village, most of its doors are wide open.
Slough-based IT company On Technology has issued a security industry White Paper called Taking The Threat Out Of Network Security. Company officials claim it will stimulate discussion on some of the security issues facing the industry.
Chris Huggett, vice president of European operations at On Technology, claims that, with a portfolio spanning the firewall, anti-virus and IP address markets, the company is acutely aware of the risks to Internet-connected organisations.
'The Internet's strength is that it doesn't discriminate - but neither do Internet hackers. To a hacker, the world is a universe of IP address space waiting to be explored,' he says.
Huggett claims that 99 per cent of the Internet's services belong to regular businesses, 90 per cent of whom have no Internet security.
According to the company's White Paper, many organisations fail to make their network secure because very little computer crime is actually reported.
The White Paper notes: 'Another reason may be the perceived difficulty of making PC LANs secure.' It concludes that this is unfortunate for two reasons. 'Firstly, the risk of break-ins is rising as hackers gain access to an increasing arsenal of tools with which to do their work. Secondly, LAN security solutions have become much more accessible and more powerful.'
According to the White Paper, a PC LAN security solution that matches the profile of its user community must be drawn up. Such a solution, the paper notes, would provide real security against most threats; would be easy to implement by the organisation itself; would be inexpensive and carry a low cost of ownership; and would not intrude on the normal behaviour of users.
Network administrators can protect themselves with an Internet firewall, including packet filters and circuit gateways, which can block most hacking attempts.
Copies of the White Paper are available from the On Technology Web site, which is at: www.ontech.co.uk.
Session Key
Session Key uses a simple set of DOS routines to access the DES (Data Encryption Standard) algorithm housed in a Type II PC-Card to encrypt or decrypt data on the hard disk. This means that the data cannot be accessed without the card.
PPCP is the only authorised distributor of the 56-bit DES encryption card, which is only sold to approved parties in the UK. These peculiar sales restrictions are because the encryption system requires a licence from the US Government, so potential purchasers have to be vetted. However, in reality, the process of obtaining a licence is relatively easy, as PPCP handles the paperwork for you.
Using the PC-Card card is equally straightforward because the supplied software for installation on the user's hard disk communicates directly with the BIOS of the host PC and the Session Key card.
The relatively simple installation program uses 20KB of conventional memory or, if high memory is available, 8KB of conventional plus 20KB of high memory.
Once installed, the card communicates with the PC at BIOS level and employs DES private key encryption and public/private key encryption. Therefore, you need Session Key authorisation to access the data protected by the card.
As well as encrypting some or all of the files on a PC, the Session Key card can be configured to act as a highly secure electronic token, without which the encrypted data cannot be used. This is possible because the card combines BIOS level access controls and an encryption engine in one single Type II PC-Card.
Verdict: Session Key is a specialist product that requires a relatively high level of PC expertise for correct installation. However, once set up, it is as simple to use as inserting and removing a PC Card. There are other token-based systems that encrypt data, but not to the high level of security offered by this 56-bit DES card.
SoftID
Security Dynamics' SoftID is a software security system that is claimed to provide one-time password authentication. The package is designed to secure access across LANs and WANs.
According to officials at the Wokingham-based company, many network managers are running applications across their companies that demand a higher level of security than is offered by a re-usable password. However, they don't require as high a level as that offered by a 56-bit DES hardware token system.
Used on physically secure PCs, SoftID's one-time password software is claimed to address this need by providing the most advanced level of security that is available with a software-only solution.
SoftID is actually a software version of Security Dynamics' two-factor hardware security system. Each end of the link generates a password based on a base number to which a fixed security algorithm is applied. Every 60 seconds, this encryption system is changed by using a second number, unique to both the sender and recipient.
Therefore, SoftID generates a new access code every 60 seconds that combines with a secret PIN to authenticate users who want to access a protected network.
According to Security Dynamics, SoftID is easy to use, because you simply enter your PIN, and SoftID transmits a one-time pass code to Security Dynamics Ace/Server software at the distant end of the network.
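The scheme the article describes, a shared base number, a fixed algorithm, a fresh code every 60 seconds and a secret PIN prepended to it, can be illustrated with a time-based one-time password. This is an added example, not Security Dynamics' SoftID or ACE/Server code; the page does not disclose their algorithm, so HMAC-SHA1 over a 60-second counter (RFC 6238 style) stands in for the "fixed security algorithm", and the seed, PIN and user name are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not real credentials. TOKEN_SEED plays the role of
# the per-token "base number" both ends share; the HMAC step is an assumed
# stand-in for the vendor's undisclosed algorithm.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60          # the article: a new access code every 60 seconds
CODE_DIGITS = 6

def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Derive the code for the 60-second interval that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)

def passcode(pin: str, seed: bytes, unix_time: int) -> str:
    """Client side: the user enters the PIN and the software appends the code."""
    return pin + token_code(seed, unix_time)

class Authenticator:
    """Server side (the role the article gives to the ACE/Server). Holds a PIN
    hash and seed per user, tolerates one interval of clock drift either way,
    and never accepts a code for an interval it has already accepted, so a
    captured passcode cannot simply be replayed."""

    def __init__(self, users):
        # users: {name: (pin, seed)} -- constructed for the demo
        self.users = {u: (hashlib.sha256(p.encode()).digest(), s)
                      for u, (p, s) in users.items()}
        self.last_counter = {}

    def verify(self, user: str, submitted: str, now: int, drift_steps: int = 1) -> bool:
        if user not in self.users or len(submitted) <= CODE_DIGITS:
            return False
        pin_hash, seed = self.users[user]
        pin, code = submitted[:-CODE_DIGITS], submitted[-CODE_DIGITS:]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - drift_steps, current + drift_steps + 1):
            if counter <= self.last_counter.get(user, -1):
                continue                                      # already used
            expected = token_code(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = counter
                return True
        return False

if __name__ == "__main__":
    auth = Authenticator({"alice": ("2468", TOKEN_SEED)})
    now = 1_000_000
    pc = passcode("2468", TOKEN_SEED, now)
    print("first use:", auth.verify("alice", pc, now))          # True
    print("replayed: ", auth.verify("alice", pc, now))          # False
```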
An administrator installs SoftID by creating a series of installation disks for distribution to users. These disks are then used to install or de-install the SoftID program on users' PCs.
Verdict: SoftID is one of the most secure PIN-protected authentication systems on the market. The system is ideal for secure remote access, across LAN, WAN and remote dial-up links, without overkill in the security stakes.
Conclusion
Finding the right approach to IT security is not an easy job, as shown by the 1996 National Computer Security Survey from KPMG. According to the research, the majority of companies fail to meet the three key controls affecting physical security. These are particularly important in the light of recent terrorist incidents.
The report identifies that 75 per cent of companies don't have a designated security officer; 77 per cent have no formal procedure for reporting security incidents; and 65 per cent don't have a business continuity plan.
Michael Bacon, director of information security services at KPMG, says that, in 1995, the British Standards Institute specified 10 key controls defining the minimum standards for computer security.
He adds: 'When you consider how valuable equipment and data is to organisations, it is extremely disturbing that such a large number have failed to implement these basic security requirements. Effective security procedures, particularly business continuity plans, should be of paramount importance to companies.' According to Bacon, failing to have an effective, up-to-date plan can have serious implications for businesses.
Bacon further adds that one of the main causes for concern highlighted in the report is the boom in unauthorised and unknown Internet connections used by employees. As he puts it: 'Inappropriate access to the Internet is one of the greatest information security threats facing the business community today. Yet few companies have adequate security measures to cope with this growing problem.'
Contacts
Dr Solomon's Software: 01296 318700
KPMG: 0171 311 1000
On Technology: 01753 673333
Siemens Business Communications Systems: 01908 855000
Why do companies suffer data loss?
In order to clarify the actual symptoms of data loss and so help prevent it, Ontrack Data Recovery commissioned a study that looked at more than 50,000 hard drives and other storage devices which contained data that users could not access.
The result of this detailed research was the Ontrack Data Recovery Lab Report, which lists the causes of data loss and the signs that users need to watch out for, as well as advice on how to minimise the damage. According to Richard Keech, general manager at Ontrack Europe, 'many users won't know anything about losing their valuable data until they try to access it again.'
The report also reveals that data losses today are potentially much more serious and damaging than in recent years, which is partly due to the amount of mission-critical data being stored, as well as the sheer volume of data often stored on a single device.
Some of the study's key findings include the fact that 80 per cent of those questioned back up their data, although none check their restore capabilities. In addition, Ontrack found that about 75 per cent of data initially thought to be lost could be recovered by taking sensible precautions and contacting an expert when problems arise.
Contact: Ontrack Data Recovery on 01372 741999 or www.ontrack.com
Is your company switchboard a target for abuse?
According to a report from IT specialist Benchmark, UK companies are losing millions of pounds to telecoms fraud. The report stresses that, unless the problem is resolved, the losses will continue to rise.
Although only six per cent of respondents say they have knowingly been victims of hacking, a third of the organisations polled also admit they would not know if someone had hacked into their systems.
The report notes that one of the most common types of telecoms fraud involves PABX dial-through systems. Benchmark claims this problem arises because the four-digit PINs on most PABXs are numeric only, so can be cracked in repeated hacking attempts.
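The weakness Benchmark describes, a four-digit numeric PIN that can be tried repeatedly, is bounded by how many guesses an attacker can make before someone notices or the system refuses further attempts. The following added example (not from Benchmark or any PABX vendor) runs a failure-rate detector over constructed call-detail records and shows a lockout policy that caps guesses per trunk; the CDR format, trunk names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed call-detail records for illustration; no real PABX emits exactly
# this format. Fields: time, inbound trunk, dial-through PIN result, dialled digits.
CDR_LINES = """\
1996-11-04 22:01:10,TRUNK-07,PIN_FAIL,
1996-11-04 22:01:15,TRUNK-07,PIN_FAIL,
1996-11-04 22:01:21,TRUNK-07,PIN_FAIL,
1996-11-04 22:01:26,TRUNK-07,PIN_FAIL,
1996-11-04 22:01:32,TRUNK-07,PIN_FAIL,
1996-11-04 22:01:38,TRUNK-07,PIN_OK,0044
1996-11-04 22:05:02,TRUNK-02,PIN_FAIL,
1996-11-04 22:05:30,TRUNK-02,PIN_OK,01753673333
"""
PIN_SPACE = 10 ** 4        # four numeric digits, as the report points out

def parse_cdr(text):
    records = []
    for line in text.strip().splitlines():
        ts, trunk, result, dialled = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), trunk, result, dialled))
    return records

def guessing_alerts(records, window=timedelta(minutes=5), threshold=5):
    """Detection: flag a trunk that racks up `threshold` PIN failures inside `window`.
    Returns (trunk, time-of-alert) pairs, as strings for easy logging."""
    recent = defaultdict(deque)
    alerts = []
    for ts, trunk, result, _ in records:
        if result != "PIN_FAIL":
            continue
        q = recent[trunk]
        q.append(ts)
        while q and ts - q[0] > window:       # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((trunk, ts.strftime("%Y-%m-%d %H:%M:%S")))
            q.clear()                          # one alert per burst
    return alerts

class PinLockout:
    """Mitigation: after `max_failures` wrong PINs, refuse dial-through on that
    trunk for `lockout`, which bounds how fast the 10,000-PIN space can be tried."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=30)):
        self.max_failures, self.lockout = max_failures, lockout
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, trunk, pin_correct, now):
        """True if the attempt is accepted; False if the PIN is wrong or the trunk is locked."""
        if trunk in self.locked_until and now < self.locked_until[trunk]:
            return False
        if pin_correct:
            self.failures[trunk] = 0
            return True
        self.failures[trunk] += 1
        if self.failures[trunk] >= self.max_failures:
            self.locked_until[trunk] = now + self.lockout
            self.failures[trunk] = 0
        return False

def max_guesses_per_day(max_failures=3, lockout=timedelta(minutes=30)):
    """Upper bound on PIN guesses a single trunk can make per day under the policy."""
    return (timedelta(days=1) // lockout) * max_failures

def lockout_demo():
    """Walk one trunk through three wrong PINs, a locked-out correct PIN, then recovery."""
    lk = PinLockout()
    t0 = datetime(1996, 11, 4, 22, 0, 0)
    steps = [(False, 0), (False, 1), (False, 2), (True, 3), (True, 31 * 60)]
    return [lk.attempt("TRUNK-07", ok, t0 + timedelta(seconds=s)) for ok, s in steps]

if __name__ == "__main__":
    print(guessing_alerts(parse_cdr(CDR_LINES)))
    print(lockout_demo(), max_guesses_per_day(), "of", PIN_SPACE, "PINs per day")
```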