Speak to many financial companies implementing IT-based risk management projects and they will tell you that when IT staff resign, they are escorted from the premises. This is because organisations do not want to risk any data theft while the employee works out their notice period. They may be paranoid, but it is better to be paranoid than persecuted. With the threat of external or internal infiltration, companies cannot afford to be too careful.
The Information Security Breaches Survey 1996 is the third bi-annual report published by the National Computing Centre. The latest edition, sponsored by the DTI, ICL and the UK IT Security Evaluation and Certification scheme (ITSEC), reveals the number of companies experiencing logical security breaches is increasing. The proportion of companies reporting incidents of computer misuse has increased from 9% in 1994 to 16% in 1996. The majority of individual incidents involved PCs, either networked (54%) or standalone (37%). Thefts and viruses were the most common security breaches on both standalone and connected PCs.
Tim Moore, deputy head of ITSEC, explains that the PC is a highly vulnerable architecture. "Traditional PC design lacks security features and it allows you to get into it relatively easily. With security you are trying to add on after the event which is not always the best way," he says, explaining that much software writes directly to the screen, avoiding any DOS security routines.
The general consensus is that DOS is highly ineffectual at protecting systems from infiltration, as are Windows 3.1 and 95. It is only when you get up to the multi-user systems that you start finding effective security measures, and even then you have to be careful what you choose, says Moore. "You would have to say that if security is really an issue and there is the potential for access to the system then don't use basic Unix," he says, adding that there are many versions of Unix specifically designed to include security measures.
Moore adds that ITSEC certifies operating systems from E1 (the lowest level of security) to E6 (the highest). NT has been certified E3, while Novell Netware is being certified E2, which he says is adequate for commercial organisations.
Keeping your operating system secure is difficult enough when it is only attached to an internal network, but when you throw that network open to the outside world on the Internet, things become doubly difficult.
Firewalls are one way to protect your system, but Colin Flegg, Group IT security co-ordinator at Clerical and Medical Insurance Group, counsels caution. "If we were to have a presence on the Web it would be through a third party. We have to try and get a toe in the water, and so from a service point of view we have released Internet Email with a firewall and we have released no other services," he says.
Neil Barrett, senior consultant at Bull Information Systems and author of The State of the Cybernation explains that one way to protect your network data is to use a checksum to make sure that it hasn't been changed by malicious hackers or viruses. It is also useful to avoid subtle changes to Web sites - if a hacker compromises your Web site by slightly altering the wording of your corporate statement or taking a zero away from some items in a price list, the results could be disastrous. Using checksums could reduce this threat, he says.
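The checksum idea Barrett describes, as an added example (not from the article): a baseline of SHA-256 digests is taken over a web document root, and a later pass reports files that were altered, planted or deleted. The directory layout and the "lost zero" in the price list are constructed for the demonstration.

```python
"""Checksum baseline for a web document root (added example, not from the article).
take_baseline() records a SHA-256 per file; check_against() reports the differences."""
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of one file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Map each path (relative to root) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline

def check_against(root, baseline):
    """Return (modified, added, removed) relative paths compared with the baseline."""
    current = take_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed site: a price list loses a zero, a file is planted, a page vanishes."""
    root = tempfile.mkdtemp()
    def write(name, text):
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    write("prices.html", "<li>Workstation: 1000</li>")
    write("about.html", "<p>Corporate statement</p>")
    baseline = take_baseline(root)
    write("prices.html", "<li>Workstation: 100</li>")   # tampered: a zero removed
    write("x.cgi", "")                                   # planted file
    os.remove(os.path.join(root, "about.html"))
    return check_against(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is kept where an intruder on the web server cannot rewrite it, for example on read-only media or a separate host.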
Another protective measure you can take is to monitor what is happening on your telnet ports to ensure no-one is trying to turn your software against you. "What some hackers do is run a series of tests on connected machines. This is more of an issue for Unix (desktop) machines than it is for Unix servers," he says. "They look at all the ports that a Unix machine is offering. Some ports will be set up to take HTTP or FTP requests. What the program does is to scan each of those ports to see what version of software is running on them."
If a program finds the port running your SMTP program, then it is theoretically possible to manipulate the software to gain administrator rights, says Barrett, because the SMTP program will be using certain privileges.
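The monitoring Barrett recommends, as an added example (not from the article): connection records are grouped by source, and a source that touches many distinct ports within a short sliding window is flagged as probing the machine. The log format and the sample lines are constructed; real TCP-wrapper, inetd or firewall logs would be reshaped into this form first.

```python
"""Flag sources that probe many distinct ports in a short window (added example).
Input is a constructed log, one "<epoch-seconds> <src-ip> <dst-port>" per line."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps six ports in ten seconds, 10.0.0.9 touches
# ports minutes apart, 192.168.1.20 is an ordinary repeat visitor to port 80.
SAMPLE_LOG = """\
800000000 10.0.0.5 23
800000001 10.0.0.5 25
800000002 10.0.0.5 80
800000003 10.0.0.5 21
800000004 10.0.0.5 110
800000010 10.0.0.5 143
800000000 192.168.1.20 80
800000030 192.168.1.20 80
800000900 10.0.0.9 23
800001000 10.0.0.9 25
800001100 10.0.0.9 80
garbage line
"""

def parse_line(line):
    """Return (epoch, src_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return int(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None

def find_scanners(lines, window=60, min_ports=5):
    """Map src -> most distinct ports hit within any 'window' seconds, if >= min_ports."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            t, src, port = rec
            events[src].append((t, port))
    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # log lines need not arrive in time order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1              # slide the window forward
            distinct = len({p for _, p in evs[start:end + 1]})
            if distinct >= min_ports:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

Tune window and min_ports against a few days of normal traffic before acting on the output, since a slow sweep spread over hours will only show up with a wide window.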
Users can employ other devices to help secure their system such as the one-time security card from Security Dynamics. Designed to be used on remote clients, these cards contain a password which changes rapidly, while the server is synchronised to change its password simultaneously.
This means that even if the password is "sniffed" en route over the Internet or a private network to the server, it rapidly becomes useless.
While very secure, even these systems are not watertight. Barrett points out that someone "sniffing" the line could disconnect the client, assume its identity and use the password to gain access quickly before it is changed at the server end.
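The weakness Barrett points to, as an added example that is not the article's or Security Dynamics' scheme: a token and server share a secret and a clock, the code for each interval is derived from an HMAC (an assumption for the demonstration), and the server marks an interval as spent once a login succeeds. The demo shows that a sniffed code is dead once the token rolls over, and that the spent-interval check also refuses it inside the interval after the genuine login.

```python
"""Time-synchronised one-time code with a replay check (added example, not the
article's or Security Dynamics' scheme). Assumed: token and server share a secret
and a clock; the code for an interval is HMAC-SHA1(secret, interval) cut to 6 digits."""
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds before the token shows a new code (assumed value)

def code_for(secret, now):
    """Six-digit code valid during the interval that contains time 'now'."""
    counter = int(now) // INTERVAL
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (num % 1_000_000)

class Server:
    """Checks codes and refuses a code already spent in the same interval."""
    def __init__(self, secret):
        self.secret = secret
        self.used = set()   # intervals in which a login already succeeded

    def verify(self, code, now):
        counter = int(now) // INTERVAL
        if not hmac.compare_digest(code, code_for(self.secret, now)):
            return "rejected: wrong or stale code"
        if counter in self.used:
            return "rejected: code already used this interval"
        self.used.add(counter)
        return "accepted"

def demo():
    """Replay of a sniffed code inside and after the interval it was issued in."""
    secret = b"constructed-shared-secret"
    server = Server(secret)
    t0 = 800_000_000
    sniffed = code_for(secret, t0)                  # observed on the wire
    first = server.verify(sniffed, t0)              # genuine client logs in
    replay = server.verify(sniffed, t0 + 5)         # attacker, same minute
    later = server.verify(sniffed, t0 + INTERVAL)   # attacker, token rolled over
    return first, replay, later
```

The spent-interval check closes the reuse-after-login case, but in Barrett's scenario the attacker cuts the client off and gets the first use of the code, so that window is bounded only by the interval length and by protecting the session carrying the code.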
Just as dangerous are physical breaches of security, or logical ones caused by internal blunders. Throwing computer manuals and passwords in the garbage without shredding them first, letting unauthorised staff near valuable equipment and not vetting people are common reasons for security breaches. The NCC report also cites examples such as: the member of staff who stole a copy of a company's client list and exposed its annual customer policy renewal business to competitors; and the IT employee who inadvertently deleted a week's worth of work from 15 people, costing his company £12,000.
ITSEC's Moore encourages companies to take a regimented approach to the problem. "The way to address it is to put a security policy in place which addresses what all the threats are, stating what the security measures are that you're putting in to counter those threats, whether they are software or hardware or whether they are written procedures," he says.
"Security measures stopping people loading software is difficult to do logically, for example - it has to be a company procedure."
Making sure you implement proper disaster recovery procedures is vital according to Barrett. He explains that simply having a backup procedure is not enough. Companies need to ensure they can load the data too - he cites one company he knew that used the same magnetic tape for years to backup data onto, without ever checking that the backup data was intact.
"The other thing is that people don't plan a disaster management service," he says. "How can you recognise that a denial of service attack from a hacker is occurring?
"If someone plants a virus news of it may appear in dribs and drabs, reporting to the helpdesk gradually. Eventually, the management may start to wonder what's going on," he says. By which stage, it may be too late. So it is important to look for potential security breaches proactively rather than wait for them to occur.
The data in the NCC report supports this view. Only 7% of companies which had security plans said they were ineffective, with 54% saying they were highly effective. Half of the security breaches that were not covered by contingency plans were said by the respondents to be serious, while only 13% of the breaches that were covered by contingency plans were said to be serious. Security breaches, whether logical or physical, are costing companies dearly. According to the report, the average cost of a security breach was £15,720. The highest cost, for one computer theft, was £750,000, followed a close second by a £650,000 fraud.
Significantly, theft of physical devices was the most frequent type of security breach, highlighting the need for strong physical security in the form of alarm systems, security guards and computers with safeguarded RAM. The fact that 89% of respondents to the report had experienced at least one security breach proves system security is an issue that no-one can ignore. Coming to terms with it now will save you valuable resources when faced with an intentional security breach or potentially costly user error in the future.
Hacking: the story of a reformed man
They say fire is best fought with fire, and nowhere is this more true than in the IT security market. Richard Harrison is managing director of security consultancy and software development house Zaretto. Although he now makes his living attempting to break into his clients' security systems to test them, he used to do it for fun, before getting caught.
Harrison explains that when working as a subcontractor at a large flight simulation company in 1988, he managed to break into the system and got administration rights to the server. He says that he was being employed to develop Unix software for the company. "Being a naturally inquisitive sort, I noticed a Sun sitting in the corner. I turned it on and needed a password, but I didn't have an account," he says. From the boot prompt, he managed to get into single-user boot mode, and was able to create a boot disk which used the Set User ID process to give him full Super User access.
With full privileges, Harrison created a normal account and ID. He then discovered that, because the files were mounted on an NFS volume, he could transfer the file that gave him Super User access onto every other machine.
In addition, because the systems administrator liked to be able to gain Super User access to the server from any machine on the network, he hadn't disabled this access. Harrison found that his workstation privileges gave him Super User access to the server, too.
In a short time, he had attained the ability to wipe the entire system if he so desired. "Unbeknown to me they had some security auditing running. I wasn't trying to not be caught - I was just having a play about and doing a little investigating," says Harrison, who explains that if he had really been serious he would have deleted any trace of his activities in the log files. He was hauled up before the engineering director, who reprimanded him.
The systems administrator took away his account, and eventually rectified the fault.
By borrowing colleagues' accounts, however, Harrison found yet another security bug on the system. But having been chastised once by the company, he feared for his job, and so refrained from telling the systems administrator.
For all he knows the fault is still there.
Quza: managing your security
Quza is an ISP formed as a joint venture between Racal and Bull subsidiary Integralis. The company was intended to be one of the next generation of ISPs, providing Web hosting and Email services along with other managed services such as firewalls. It is also rolling out its pan-European Internet architecture.
The company's ability to provide managed firewall services for its customers is one of its main strengths, according to technical director Clive McCafferty.
He explains that Quza uses three different firewalls - Checkpoint's Firewall One, the Eagle Raptor and Harris Cyberguard. "We have a network which we are liable to call an untrusted network, which is the Internet backbone that connects to our computer room," says McCafferty. "That network is separated from the internal network by the Checkpoint Firewall One." When managing his users' firewalls, McCafferty can use them to restrict access to certain parts of the Unix host. Shutting down the telnet ports that are not used restricts the potential access to the system. "Instead of going through the relevant configuration to shut down all the other ports (the firewall) shuts it for you," he says. "We might have a WWW and an FTP server running on the same machine for example. Then we tell the firewall that anyone can get to port 80 or port 20 from the Internet."
The company uses a one-time pass card from Security Dynamics so that its users' passwords change constantly. It also employs an encryption system which scrambles communications between itself and the user, and it puts its users into a firewall rules table which stops unauthorised users getting through.
Security: top 10 tips on your computer environment
1 Adopt a realistic attitude to computer theft: don't assume it will never happen to you.
2 Ensure your security measures protect both the outside and the contents of your building; one without the other is not sufficient.
3 Keep all outside doors securely locked and introduce a buzzer/key pad entry system if you do not already have one. Don't allow security to be compromised by leaving doors on the latch.
4 Encourage staff to be vigilant and security-minded by involving them in the measures you are taking to counter computer crime and rewarding them for suggestions that help improve security.
5 Make sure staff and visitors are badged as soon as they arrive on site and challenge anyone who is wandering around the premises unbadged.
6 Keep equipment in open or public areas, such as receptions, down to a minimum and make sure such areas are staffed at all times during office hours.
7 Place meeting rooms as close as possible to your office's entrance to reduce the opportunity for visitors to case the joint.
8 Make an inventory of all your company's computer and office equipment noting makes, models, locations, serial numbers and configurations. If you have no record of what you've got, you may have no way of telling what's gone missing. Worse still, if you cannot prove it is yours, the police may not be able to return it to you - even if they recover it.
9 Don't advertise your equipment to passers-by by placing it near ground-floor windows, by leaving empty packaging outside, or by leaving it on the back seat of your car.
10 Adopt the above measures today. Every day of inaction brings you closer to becoming another crime statistic!
By Nick Simms, marketing director of disaster recovery firm Computer Stand-By.