
Cover Story: Enterprise Security

Enterprise Under Attack!

In the information economy, IT infrastructure and the Internet form the pulse for business. In this scenario, can you allow a single person to hold your business to ransom? by Brian Pereira

Internet banking brings in a lot of business for banks, besides being a big convenience for their customers. Naturally, customers have faith in the systems that secure the bank's website and the associated back-end systems. So how does a customer react when the home page of the bank's website carries a few lines that shouldn't be there in the first place? Recently, the website of a well-known banking institution contained a message from a hacker, which said he was "testing the security" of the website.

For the bank, this embarrassing incident translates to loss of credibility, possibly loss of business. Customers would immediately lose faith in its security arrangements, and may defect to another bank.

Real Life Incident

A few months ago, a leading platform vendor discovered a vulnerability in its server operating system. It immediately posted a patch on its website, and informed its customers through a security bulletin.

Alarmingly, many customers missed the bulletin or did not react as advised. Meanwhile, a talented and unemployed software professional noticed the announcement. He reacted by writing a piece of malicious code that became an Internet worm.

The worm was unleashed on the Internet and 'crawled' through the numerous 'pipes' that form the Net's backbone. It entered a corporate server (the one that wasn't patched), and then all hell broke loose. The worm replicated, all by itself, and in a few seconds infected other computers on the same network. The infected computers in turn unleashed their fury on other networks in the region. And this had a cascading effect. In just 10 minutes 100,000 computers were infected.

As this happened, thousands of copies of the worm crawled the corridors of the Internet, looking for the next vulnerable server. That's a lot of useless code unnecessarily clogging network pipes. The result: network traffic slowed down causing denial of service for many businesses. And customers were unable to avail of network-dependent services. This resulted in reduced online transactions and loss of business. For instance, one airline's reservation system was severely compromised and its airport check-in systems were down for a few hours—thereby causing big delays (and a bad image for the airline).

Ten days later, a new virus spread through e-mail, infected computers, and clogged networks worldwide. Infected computers automatically dispatched millions of e-mail messages over the Internet, generating unnecessary traffic and slowing down networks.

A major railroad company in the US halted freight and passenger operations after this virus slowed a telecommunications network that controls train dispatching and signals.

All three incidents have actually occurred and were triggered by an individual. In the information economy, IT infrastructure and the Internet form the pulse for business. In this scenario, can you allow a single person to hold your business to ransom?

What are the threats?

Threats exist because systems are vulnerable. And systems are vulnerable usually because software code isn't perfect. CERT (Computer Emergency Response Team), a center of Internet security expertise, reports new software vulnerabilities every day.

Hackers and those who write malicious code (viruses, worms, Trojans, etc.) look for 'holes' in server software and operating systems. They use these as entry-points to corporate systems.

There are tools available that make virus or worm creation child's play. But virus writers are getting more innovative. New viruses and worms can slip through firewalls, slither in undetected by anti-virus software, and then strike systems at the core of the network. Mutating viruses, for example, continuously change form (and behavior) to evade detection. The latest technique is the Blended threat—viruses that will try various attack techniques (basic virus, worm, Trojan Horse) to infect systems and propagate. The Nimda virus, which spread just after the 9/11 incident, had five different ways of replicating and attacking computer networks.

Malicious code writers often employ crafty techniques like social engineering to trick users into spreading infections.

Take the SoBig virus for instance. The e-mails carrying this lethal payload (attachment) had enticing subject lines like Re: That movie, Re: My Details, Re: Approved. Curious recipients who clicked on such messages unleashed the virus, which then replicated and spread.
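As an added illustration (not code from the original article), here is a defender-side mail-gateway triage rule that flags the SoBig lures the paragraph names only when a lure subject is combined with an executable attachment. The log line layout, the addresses and the attachment extension list are constructed assumptions, not any real product's format.

```python
"""Hypothetical mail-gateway triage rule for SoBig-style lures."""
import re

# The three subject lines quoted in the article; matched case-insensitively.
SOBIG_LURE_SUBJECTS = {"re: that movie", "re: my details", "re: approved"}
# Executable attachment types an e-mail worm would carry (assumed list).
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".bat", ".com")

# Constructed log format, one message per line (assumed layout, not a real
# product's log): from=<addr> subject="<text>" attach=<a,b,c>
LINE_RE = re.compile(
    r'from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" attach=(?P<attach>\S*)'
)

def parse_line(line):
    """Return a dict for one gateway log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    attach = [a for a in m.group("attach").split(",") if a]
    return {"sender": m.group("sender"), "subject": m.group("subject"),
            "attachments": attach}

def is_sobig_lure(msg):
    """Flag only when both signals agree: a known lure subject AND an
    executable attachment. Either alone is weak evidence (a legitimate
    reply may be titled 'Re: Approved'; a spreadsheet attachment is harmless)."""
    subject_hit = msg["subject"].strip().lower() in SOBIG_LURE_SUBJECTS
    exe_hit = any(a.lower().endswith(EXECUTABLE_EXTENSIONS)
                  for a in msg["attachments"])
    return subject_hit and exe_hit

def triage(log_lines):
    """Split parsed messages into (flagged, passed) lists."""
    flagged, passed = [], []
    for line in log_lines:
        msg = parse_line(line)
        if msg is None:
            continue
        (flagged if is_sobig_lure(msg) else passed).append(msg)
    return flagged, passed

# Constructed sample log: two lures, one benign reply, one unrelated .exe.
SAMPLE_LOG = [
    'from=alice@example.test subject="Re: Approved" attach=movie.pif',
    'from=bob@example.test subject="Re: Approved" attach=budget.xls',
    'from=carol@example.test subject="Weekly report" attach=report.exe',
    'from=dave@example.test subject="RE: MY DETAILS" attach=details.scr,notes.txt',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG)[0]:
        print("QUARANTINE", hit["sender"], repr(hit["subject"]), hit["attachments"])
```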

Internet worms, on the other hand, don't require users to open e-mail messages or programs. All it takes is an open connection to the Internet. If one's security software or operating system isn't updated, the system will catch the infection. The Blaster or MS Blast worm is an example.


Then there are Trojan Horses or Backdoors. Lured by the word 'free', users are enticed to download a free program. When that program is executed it sends a communication back to the author with details about open ports on the target system. This creates a kind of backdoor entry-point for the hacker. The infamous QAZ Trojan helped hackers gain access to secret source code on Microsoft's servers in July 2000. Imagine if a Trojan on your corporate server sent confidential company or employee information to a hacker employed by a competitor.

Speaking of hackers, the guys with software skills no longer hack so that they can brag about it to others in their tribe. Today hackers want to be paid for their skills. 'White hat' hackers may indulge in ethical hacking and act as security consultants. 'Black hat' hackers on the other hand, may steal sensitive corporate information (security codes, passwords, financial or technical information, plans and strategies), and sell it to competitors—they call it industrial or corporate espionage.

Most people expect hack attacks to come from outside. But the astonishing fact is that your own employees may be hacking into systems and stealing critical information, after office hours. Employees entrusted with systems administration will have access to customer details, product technical specifications, and corporate strategies—all regarded as classified information.

Spam or unsolicited e-mail is yet another threat. Corporate servers and networks are overwhelmed with thousands of junk mails every day. This not only slows down networks and affects online transactions, but also results in loss of work productivity.

There's a scary thought that crosses the minds of governments these days. It's the possibility of terrorists engaging in cyber warfare (cyber terrorism). Imagine the implications if terrorists wiped out millions of hard disks or shut down thousands of servers.

It's real serious

We live in times when viruses and worms spread rapidly and infect computer systems around the world in a few hours. Businesses with global operations have interconnected networks—call them 'private Internets' if you will. If one part of the network gets infected, that infection could quickly spread across the enterprise network in a matter of hours. Just imagine the implications of that for your business—especially if it's so heavily dependent on IT infrastructure.

There are desperate thieves and vandals in the cyber world who will engage in cyber crime for financial gain. So the key question is: Are you doing enough to protect your infrastructure from the scum of the Net?

What needs to be done?

To protect itself from various cyber threats, an enterprise needs to be more proactive in patching server software and updating desktop operating systems. Security software should be updated every year; virus definitions need to be downloaded on desktops every fortnight (or as soon as an outbreak occurs). Configure operating systems and security software for automatic updates. If possible, a server on your network should push the updates to the desktops and other servers on the corporate network.

Also, one should consider multiple layers of protection. It's not enough to deploy just an anti-virus solution and a firewall. Go in for a mix of hardware-based security (embedded security in routers for instance) and security software. Don't forget about physical security (securing server rooms with access control devices). And of course, it’s important to have a security policy and to keep it updated.

Look for security systems that are well integrated, and systems that simplify security management. Innumerable and lengthy logs are difficult to analyze.

Vendors need to get together and work out ways in which different security software can be tightly integrated. There needs to be consensus on standards.

Hardware and software companies in the IT industry need to come together and form security standards that are certified and approved by security bodies like CERT. These standards can then be assimilated into networking components that make for an armor-plated, bullet-proof network.

Many users do not patch even after reading announcements about the availability of patches. Possible reasons for this are that patching may seem too technical or cumbersome. Also, software vulnerabilities are announced often, so patching is a regular task.

So, the process of patching and updating software has got to be automated. Software companies have already initiated such measures. But IT Managers will never feel completely safe. After all, will there ever be software code that's 'uncrackable?' Will there ever be networks that are invulnerable?

Brian Pereira can be reached at brianp@networkmagazineindia.com

Legal aspects of security

Indian law does not offer much in terms of enterprise security. One of the main reasons for this is that the relevant laws are either almost non-existent or vague, specifically the Indian IT Act.

This is not made easier by the wide connotations that the term 'security' carries. There is no law or policy which takes care of all the issues. "There is no law that specifies what has to be done if an organization's systems are breached or as to who is the liable party," said Vaibhav Parikh, Head (Technology Law Team), Nishith Desai Associates (Legal & Tax Counseling). However, one consolation is that blackhat hacking is a criminal offence penalized under the Indian IT Act.

The next issue that has many gray areas is encryption. The Acts which have a say about encryption are the Telegraph Act of 1885 and the Indian IT Act. The former is far too outdated, being from a time when software was unheard of, so it has absolutely no control over software. India does not have any import or export policy on encryption devices.

India has almost no control on data encryption except in the use of public and private keys. If this technology is being used, the user has to provide the government with the necessary private key and decrypt it if required. However, this also has its own bugs. "Problems arise if the person is outside the country. The government has no way of forcing them to comply. If people are using some other technology other than the public and private key, then the chances of forcing them is less since this is also a gray area," said Vaibhav Parikh.

Under the IT Act, the government can block any site or messages. However, it is interesting to see that the Act provides absolutely no protection to enterprises from Spam.

It is interesting to observe that RBI and SEBI guidelines have done a much better job than the IT Act for enterprise security. Although not laws, they have made more of a difference than the much-touted 'Act' has.

— Anil Patrick R