Cover Story: Enterprise Security
Enterprise Under Attack!
In the information economy, IT infrastructure and the Internet
form the pulse for business. In this scenario, can you allow a single person
to hold your business to ransom? by Brian Pereira
Internet banking brings in a lot of business for banks,
besides being a big convenience for its customers. Naturally, customers have
faith in the systems that secure the bank's website, and also the associated
back-end systems. So how does a customer react when the home page of its website
has a few lines that shouldn't be there in the first place? Recently, the website
of a well-known banking institution contained a message from a hacker, which
said he was "testing the security" of the website.
For the bank, this embarrassing incident translates
to loss of credibility, possibly loss of business. Customers would immediately
lose faith in its security arrangements, and may defect to another bank.
Real Life Incident
A few months ago, a leading platform vendor discovered
a vulnerability in its server operating system. It immediately posted a patch
on its website, and informed its customers through a security bulletin.
Alarmingly, many customers missed the bulletin or did
not react as advised. Meanwhile, a talented and unemployed software professional
noticed the announcement. He reacted by writing a piece of malicious code that
became an Internet worm.
The worm was unleashed on the Internet and 'crawled'
through the numerous 'pipes' that form the Net's backbone. It entered a corporate
server (the one that wasn't patched), and then all hell broke loose. The worm
replicated, all by itself, and in a few seconds infected other computers on
the same network. The infected computers in turn unleashed their fury on other
networks in the region. And this had a cascading effect. In just 10 minutes
100,000 computers were infected.
As this happened, thousands of copies of the worm crawled
the corridors of the Internet, looking for the next vulnerable server. That's
a lot of useless code unnecessarily clogging network pipes. The result: network
traffic slowed down causing denial of service for many businesses. And customers
were unable to avail of network-dependent services. This resulted in reduced
online transactions and loss of business. For instance, one airline's reservation
system was severely compromised and its airport check-in systems were down for
a few hours, thereby causing big delays (and a bad image for the airline).
Ten days later, a new virus spread through e-mail,
infected computers, and clogged networks worldwide. Infected computers automatically
dispatched millions of e-mail messages over the Internet, generating unnecessary
traffic and slowing down networks.
A major railroad company in the US halted freight and
passenger operations after this virus slowed a telecommunications network that
controls train dispatching and signals.
All three incidents have actually occurred and were
triggered by an individual. In the information economy, IT infrastructure and
the Internet form the pulse for business. In this scenario, can you allow a
single person to hold your business to ransom?
What are the threats?
Threats exist because systems are vulnerable. And systems
are vulnerable usually because software code isn't perfect. CERT (Computer Emergency
Response Team), a center of Internet security expertise, reports new software
Hackers and those who write malicious code (viruses, worms, Trojans etc), look
for 'holes' in server software and operating systems. They use these as entry-points
to corporate systems.
There are tools available that make virus or worm creation
child's play. But virus writers are getting more innovative. New viruses and
worms can slip through firewalls, slither in undetected by anti-virus software,
and then strike systems at the core of the network. Mutating viruses, for example,
continuously change form (and behavior) to evade detection. The latest technique
is the Blended threat: viruses that will try various attack techniques (basic
virus, worm, Trojan Horse) to infect systems and propagate. The Nimda virus,
which spread just after the 9/11 incident, had five different ways of replicating
and attacking computer networks.
Malicious code writers often employ crafty techniques
like social engineering to trick users into spreading infections.
Take the SoBig virus for instance. The e-mails carrying
this lethal payload (attachment) had enticing subject lines like Re: That movie,
Re: My Details, Re: Approved. Curious recipients who clicked on such messages
unleashed the virus, which then replicated and spread.
Internet worms on the other hand, don't require users
to open e-mail messages or programs. All it takes is an open connection to the
Internet. If one's security software or operating system isn't updated, the
system will catch the infection. The Blaster or MS Blast worm is an example.
Then there are Trojan Horses or Backdoors. Lured by
the word 'free' users are enticed to download a free program. When that program
is executed it sends a communication back to the author with details about open
ports to the target system. This creates a kind of backdoor entry-point for
the hacker. The infamous QAZ Trojan helped hackers gain access to secret source
code on Microsoft's servers in July 2000. Imagine if a Trojan on your corporate
server sent confidential company or employee information to a hacker employed
by a competitor.
Speaking of hackers, the guys with software skills
no longer hack so that they can brag about it to others in their tribe. Today
hackers want to be paid for their skills. 'White hat' hackers may indulge in
ethical hacking and act as security consultants. 'Black hat' hackers on the
other hand, may steal sensitive corporate information (security codes, passwords,
financial or technical information, plans and strategies), and sell it to competitors; they
call it industrial or corporate espionage.
Most people expect hack attacks to come from outside.
But the astonishing fact is that your own employees may be hacking into systems
and stealing critical information, after office hours. Employees entrusted with
systems administration will have access to customer details, product technical
specifications, and corporate strategies, all regarded as classified information.
Spam or unsolicited e-mail is yet another threat. Corporate servers and networks
are overwhelmed with thousands of junk mails everyday. This not only slows down
networks and affects online transactions, but also results in loss of work productivity.
There's a scary thought that crosses the minds of governments these days. It's
the possibility of terrorists engaging in cyber warfare (cyber terrorism). Imagine
the implications if terrorists wiped out millions of hard disks or shut down
thousands of servers.
It's real serious
We live in times when viruses and worms spread rapidly
and infect computer systems around the world in a few hours. Businesses with
global operations have interconnected networks, call them 'private Internets'
if you will. If one part of the network gets infected, that infection could quickly
spread across the enterprise network in a matter of hours. Just imagine the
implications of that to your business, especially if it's so heavily dependent
on IT infrastructure.
There are desperate thieves and vandals in the cyber
world who will engage in cyber crime for financial gain. So the key question
is: Are you doing enough to protect your infrastructure from the scum of the
What needs to be done?
To protect itself from various cyber threats, an enterprise
needs to be more proactive in patching server software and updating desktop
operating systems. Security software should be updated every year; virus definitions
need to be downloaded on desktops every fortnight (or as soon as an outbreak
occurs). Configure operating systems and security software for automatic updates.
If possible, a server on your network should push the updates to the desktops
and other servers on the corporate network.
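The patching and update discipline described above can be written down as a check that runs over a host inventory, so that the hosts that missed a bulletin are found before a worm finds them. The following is an added example, not code from the article, written in Python: the bulletin identifiers, host names and dates are constructed placeholders, and the thresholds (virus definitions no older than a fortnight, tightened to one day while an outbreak is under way) follow the article's advice rather than any particular vendor's product.

```python
from dataclasses import dataclass
from datetime import date

# Policy thresholds taken from the article's advice: definitions every fortnight,
# and as soon as possible once an outbreak occurs.
DEFINITION_MAX_AGE_DAYS = 14
OUTBREAK_MAX_AGE_DAYS = 1


@dataclass(frozen=True)
class Bulletin:
    """A vendor security bulletin: the patch it announces and the host roles that need it."""
    patch_id: str
    affected_roles: frozenset


@dataclass
class Host:
    name: str
    role: str                   # "server" or "desktop"
    applied_patches: frozenset  # identifiers of patches already installed
    definitions_date: date      # date of the anti-virus definition file on the host
    auto_update: bool           # whether the host pulls updates automatically


def check_host(host, bulletins, today, outbreak=False):
    """Return the list of compliance findings for one host; an empty list means compliant."""
    findings = []
    # A host is exposed if any bulletin for its role names a patch it has not applied.
    for bulletin in bulletins:
        if host.role in bulletin.affected_roles and bulletin.patch_id not in host.applied_patches:
            findings.append(f"missing patch {bulletin.patch_id}")
    # Definition age limit shrinks from a fortnight to a day during an outbreak.
    max_age = OUTBREAK_MAX_AGE_DAYS if outbreak else DEFINITION_MAX_AGE_DAYS
    age_days = (today - host.definitions_date).days
    if age_days > max_age:
        findings.append(f"virus definitions are {age_days} days old (limit {max_age})")
    if not host.auto_update:
        findings.append("automatic updates not configured")
    return findings


def audit(hosts, bulletins, today, outbreak=False):
    """Map each non-compliant host name to its findings; compliant hosts are omitted."""
    report = {}
    for host in hosts:
        findings = check_host(host, bulletins, today, outbreak)
        if findings:
            report[host.name] = findings
    return report


# Constructed sample data: hypothetical bulletin ids, host names and dates, not from the article.
TODAY = date(2003, 9, 1)
BULLETINS = [
    Bulletin("PATCH-EXAMPLE-001", frozenset({"server"})),
    Bulletin("PATCH-EXAMPLE-002", frozenset({"server", "desktop"})),
]
HOSTS = [
    Host("srv-web-01", "server", frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}), date(2003, 8, 25), True),
    Host("srv-db-02", "server", frozenset({"PATCH-EXAMPLE-002"}), date(2003, 8, 1), False),
    Host("pc-finance-17", "desktop", frozenset({"PATCH-EXAMPLE-002"}), date(2003, 8, 20), True),
]

if __name__ == "__main__":
    for label, outbreak in (("routine", False), ("outbreak", True)):
        print(f"== {label} audit ==")
        for name, findings in audit(HOSTS, BULLETINS, TODAY, outbreak).items():
            for finding in findings:
                print(f"{name}: {finding}")
```

In the routine run only the unpatched database server is reported; switching on the outbreak flag also flags the two hosts whose definitions are a week or more old, which is the point of the article's "as soon as an outbreak occurs" qualification. In practice the inventory and the bulletin list would be fed from the update server the article recommends rather than typed in by hand.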
Also, one should consider multiple layers of protection.
It's not enough to deploy just an anti-virus solution and a firewall. Go in
for a mix of hardware-based security (embedded security in routers for instance)
and security software. Don't forget about physical security (securing server
rooms with access control devices). And of course, it's important to have
a security policy and to keep it updated.
Look for security systems that are well integrated,
and systems that simplify security management. Innumerable and lengthy logs
are difficult to analyze.
Vendors need to get together and work out ways in which
different security software can be tightly integrated. There needs to be consensus
Hardware and software companies in the IT industry
need to come together and form security standards that are certified and approved
by security bodies like CERT. These standards can then be assimilated into networking
components that make for an armor-plated, bullet-proof network.
Many users do not patch up even after reading announcements
about the availability of patches. Possible reasons for this are that patching
may seem too technical or cumbersome. Also, software vulnerabilities are announced
often and patching is a regular task.
So, the process of patching and updating software has
got to be automated. Software companies have already initiated such measures.
But IT Managers will never feel completely safe. After all, will there ever
be software code that's 'uncrackable?' Will there ever be networks that are
Brian Pereira can be reached at firstname.lastname@example.org
The Indian law does not offer much in terms
of enterprise security. One of the main reasons behind this is either
almost non-existent laws or the vague nature of existing laws, specifically
the Indian IT Act.
is not made easier by the wide connotations that the term Security implies.
There is no law or policy, which takes care of all the issues. "There
is no law that specifies what has to be done if an organization's systems
are breached or as to who is the liable party," said Vaibhav Parikh,
Head (Technology Law Team), Nishith Desai Associates (Legal & Tax
Counseling). However, one consolation is that blackhat hacking is a criminal
offence penalized under the Indian IT Act.
The next issue that has many gray areas is
encryption. The Acts which have a say about encryption are the Telegraph
Act of 1885 and the Indian IT Act. The former is way too outdated, being
from a time when software was unheard of, so it has absolutely no control
over software. India does not have any import or export policy on encryption.
India has almost no control on data encryption
except in the use of public and private keys. If this technology is being
used, the user has to provide the government with the necessary private
key and decrypt it if required. However, this also has its own bugs. "Problems
arise if the person is outside the country. The government has no way
of forcing them to comply. If people are using some other technology other
than the public and private key, then the chances of forcing them are less
since this is also a gray area," said Vaibhav Parikh.
Under the IT Act, the government can block
any site or messages. However, it is interesting to see that the Act provides
absolutely no protection to enterprises from Spam.
It is interesting to observe that RBI and
SEBI guidelines have done a much better job than the IT Act for enterprise
security. Although not laws, they have made more of a difference than
the much-touted 'Act' has.
Anil Patrick R