Crimes And Misdemeanours: How to Protect Corporate Information in the Internet Age



0167-4048/00$20.00 © 2000 Elsevier Science Ltd. All rights reserved.

The UK has various Road Traffic Acts and legislation to protect us against crime, both against property and the individual. However, that doesn’t stop us from fitting 5-lever mortise locks and burglar alarms to our homes or maintaining a police force. In the same way, the law provides a framework to guide companies’ activities and a possible recourse in the event of damage to businesses. However, the only people who are really going to protect businesses are their management teams. This article looks at the steps companies need to consider when planning protection of their systems, people and reputation.

Information security is about risk management. An organization must estimate what value different information has and thereby decide what constitutes a reasonable cost to protect it. Increasingly today companies are linking to the Internet via their Web-site, through E-business initiatives, ERP system etc. This is the equivalent of having an office on a busy thoroughfare, like Oxford Street. Companies don’t know who is walking past their front door. To combat this threat companies should draw up a policy describing who they are going to allow into their offices and what they can do when they get there.

Perimeter Security

The first requirement is to implement ‘perimeter security’ — i.e. secure the gateway between the organization’s network and the outside world. This is done with a ‘firewall’ — a dedicated computer (now likely to be a specially designed computer with high speed network interfaces) running ‘firewall’ software. The firewall obeys a firewall security policy which:

• Defines what logical connections, by both their source and destination, are allowed through the firewall

• Defines what network services are allowed through the firewall (e.g. E-mail, Web, file transfer etc.).

In doing this companies limit who is allowed ‘through the door’ to their corporate network and what they can do when they get there. Similarly, corporates can limit who inside the organization is allowed to make connections out through the firewall.

Steve Webb, Integralis Network Systems, Theale House, Theale, Reading, RG7 4AQ, UK, tel: +44 118 930 6060; E-mail: [email protected]

Computers & Security, 19 (2000) 128-132


Computers & Security, Vol. 19, No. 2

There are a number of extra benefits that installing a firewall provides to companies:

1. It can support multiple network interfaces — up to sixteen, or more, on a large firewall. This means that different systems can be on different interfaces. For example, the public Web server can be connected to one, a partner Web server (extranet) to another, the corporate network to a third and so on. A firewall security policy can have different rules for each interface thereby increasing the level of ‘selectivity’ of the security.

2. It can encrypt/decrypt any/all traffic being transmitted to a specific destination. Provided that a similar device is located on the destination site, companies can establish a virtual private network (VPN) between the two sites. This means that any traffic to, say a business partner, or supplier can be encrypted as it passes over the Internet or any other network.

3. It can support a VPN to a dial-in user where they are connecting via a remote access server (RAS) or through a private Internet account. This is useful for mobile staff travelling anywhere in the world.

It is important that companies concentrate connections to the ‘outside world’ through the firewall and prohibit staff from installing modems or other connections in other systems. An unauthorized modem provides a potential ‘back door’ into the corporate network circumventing all the security implemented on the firewall.

The most important thing is to have a carefully thought out corporate security policy which defines all security rules. From the corporate security policy organizations can define their perimeter security policy and from that define the firewall security policy, sometimes with the help of external companies.

So how might perimeter security be compromised?

1. The policy is weak (gaps in firewall security policy).

2. A hardware or software bug in the firewall is not known about or responded to.

3. A user compromises their password(s).

4. A frustrated hacker may attempt a denial of service attack (DoS).

The solution is to seek advice on establishing an effective firewall security policy (which can also protect against DoS attacks), to ensure that the firewall is managed effectively (perhaps consider a managed service) and look at user authentication.

User Authentication

A firewall will allow a permitted user to connect through the firewall. An analogy is that anyone in possession of a key can open a locked door. Passwords can provide some protection, but not much. The reasons for this are:

• Users frequently forget passwords, so they write them down. This also makes them insecure. They are also susceptible to ‘social engineering’ attacks.1

• Users choose easily remembered passwords, which are relatively easy to crack with modern computers.

A better approach than passwords is to use ‘strong authentication’. This involves something that a user has (a physical, or digital token) and something that the user knows (a PIN, or password). This is analogous to an ATM bank card. The bank customer needs both elements to withdraw cash and similarly the computer user needs both elements to gain access through the firewall.

To compromise strong authentication, a hacker needs possession of both elements — the token and the PIN. The other thing that is often overlooked is to delete the user accounts of everyone who leaves the organization — immediately.

1 Social engineering is the use of impersonation (e.g. telephoning a helpdesk pretending to be a bona fide user) or subtle questioning (e.g. finding out names of systems administrators etc.) to gain information about user names, passwords, system names or any other information of use to a hacker.

Content Security

A firewall will allow the passage of anything that is authorized and in many cases it will allow the passage of everything except that which is explicitly disallowed — a subtle, but important difference.
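The difference between the two postures can be seen by running one rule list under both defaults. This is an added example, not code from the article; the rule set, the addresses (documentation ranges) and the names Rule, evaluate and compare_postures are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    service: str  # service name, or "any"

# Constructed policy and addresses (documentation ranges), not taken from the article.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "web"),        # anyone -> public Web server
    Rule("allow", "198.51.100.0/24", "192.0.2.20/32", "web"),  # partner -> extranet server
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "e-mail"),        # staff -> outbound E-mail
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "telnet"),         # explicit block into corporate net
]

def evaluate(rules, default, src, dst, service):
    """Return the action of the first rule matching the connection, else the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.service in ("any", service)):
            return r.action
    return default

def compare_postures(src, dst, service):
    """Same rule list under 'allow only what is authorized' vs 'allow unless disallowed'."""
    return (evaluate(RULES, "deny", src, dst, service),
            evaluate(RULES, "allow", src, dst, service))

if __name__ == "__main__":
    for conn in [("203.0.113.5", "192.0.2.10", "web"),
                 ("203.0.113.5", "10.1.2.3", "telnet"),
                 ("203.0.113.5", "10.1.2.3", "file transfer")]:
        print(conn, compare_postures(*conn))
```

Connections that no rule mentions are where the two postures diverge: they are refused under the first and pass under the second.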

An analogy is to compare perimeter security with the security that travelers experience at airports. When they travel through an airport the staff at passport control have no idea what they are carrying in their luggage. So it is with firewalls. If companies allow a user to send and/or receive E-mail, then the firewall will allow him/her to do just that. It will not examine the contents of the E-mail – which might be offensive, illegal, confidential, or which might contain a virus etc. etc. This problem of content security is most apparent with E-mail, Web traffic and file transfer protocols (ftp) as they are the main ‘information carrying’ protocols.

E-mail is probably the most widespread means of exchanging information and one of the most vulnerable. In addition to the legal issues of libel and harassment surrounding the content of E-mail, there are also technical and other security threats to consider. These include E-mail-borne viruses, employees clogging up corporate networks by sending large image files (potentially of an undesirable nature) and employees not keeping proper records of E-mails that have been sent (directives, proposals, quotations etc.).

Technology is available to help address these issues. These products are installed as a piece of central server software which then monitors all E-mail activity on the network and also acts as a ‘gatekeeper’ to any other networks (e.g. the Internet). This software does four things:

Identification. The software identifies all E-mail users and can therefore assign levels of privilege to those users. This allows management to control who can send/receive E-mail and to/from which destinations. For example, employees might be restricted to only exchanging E-mail with others in the same company, or with named suppliers/customers. Users can be identified as individuals as well as being members of groups, such as ‘marketing’ or ‘service’.

Analysis. The software can analyse the E-mail message to determine what it contains e.g. a simple text message, what types of attachments it has (e.g. a Word document, a spreadsheet), the message size etc.

Validation. It can then pass the various components of the E-mail message to other software packages for further action. Examples include: scanning for viruses; lexical scanning of the message and any attachments for specific words, or phrases (e.g. “Confidential”, “CV”); checking for restricted attachments such as images; adding legal notices/disclaimers.

Decision. The last stage in the process is to make a decision to deliver/dispose of the message. Depending on the results from the earlier stages the software can deliver the message; delay it for out-of-hours transmission, automatically store an archive copy of the message, hold the message and send a warning to the sender (and perhaps their manager) advising of a problem or breach of company policy. Good examples might be:

Only members of ‘marketing’ are allowed to send images as E-mail attachments.

Only members of ‘personnel’ are allowed to receive E-mails containing the strings ‘CV’ or ‘Curriculum Vitae’.
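The four stages and the two example rules above can be written as a small policy check over parsed messages. This is an added example, not code from the article or from any product it describes; the user directory, the addresses and the function names are assumptions, and only the deliver and hold outcomes are modelled.

```python
import re
from email.message import EmailMessage

# Constructed directory of users and groups (assumption; stands in for the product's user database).
GROUPS = {
    "ann@corp.example": {"marketing"},
    "raj@corp.example": {"personnel"},
    "tom@corp.example": {"service"},
}
CV_TERMS = re.compile(r"\b(cv|curriculum vitae)\b", re.IGNORECASE)

def groups_of(address):
    """Identification: map an address to its groups (unknown users belong to none)."""
    return GROUPS.get(str(address).strip().lower(), set())

def analyse(msg):
    """Analysis: collect searchable text (subject, body, text attachments) and attachment types."""
    text, attachments = [str(msg["Subject"] or "")], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_content_type())
        if part.get_content_maintype() == "text":
            text.append(part.get_content())
    return " ".join(text), attachments

def decide(msg):
    """Validation and decision: return ("deliver" or "hold", list of policy breaches)."""
    text, attachments = analyse(msg)
    breaches = []
    has_image = any(t.startswith("image/") for t in attachments)
    if has_image and "marketing" not in groups_of(msg["From"]):
        breaches.append("image attachment from sender outside 'marketing'")
    if CV_TERMS.search(text):
        for rcpt in str(msg["To"]).split(","):
            if "personnel" not in groups_of(rcpt):
                breaches.append(f"CV content addressed to {rcpt.strip()}")
    return ("hold" if breaches else "deliver"), breaches

def build(sender, to, subject, body, image=False):
    """Construct a sample message; the image bytes are a placeholder, not a real PNG."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if image:
        msg.add_attachment(b"constructed image bytes", maintype="image",
                           subtype="png", filename="banner.png")
    return msg
```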

The content of Web traffic can also be checked, usually in one of two ways.

1. The URL being browsed by an employee can be automatically checked against a database of Web-sites that has been catalogued by content type (e.g. sports, weapons, drugs, travel, adult etc.). These products allow managers to specify access by genre and by time of day. For example, you may allow employees to access sport sites after 5.30pm, but not allow them to access ‘adult’ sites at any time. These databases are normally updated daily as new sites are catalogued.

2. The second approach is to interpret the Web traffic ‘on the fly’, checking the text for specific words or strings of words.


System Security

Although most publicity (and press coverage) is given to so-called hacking attacks, it is a simple fact that around 80% of all incidents concerning the compromise of information security are perpetrated by people inside the organization (e.g. employees, ex-employees, contractors).

It is important to establish proper administration of servers. This includes restricting administrator (root) access and removing programs that are unnecessary for a particular server (e.g. remote access programs, E-mail etc.). Servers that hold very sensitive data may have their security strengthened by ‘secure shells’ or trusted operating systems. File systems can be protected by tools which keep audits of when files are changed and by whom.

The technologies described earlier may also be deployed inside the organization where it is appropriate. Firewall technology can be used to logically partition a corporate network. For example, some companies may want to restrict access to the network where payroll and accounts systems are held.

User authentication can be implemented inside the organization. Some technologies, such as vicinity authentication, link a PC to a ‘radio badge’. When the user moves more than 3 metres from their PC a screen saver is invoked, or they can be logged off. This prevents PCs containing sensitive information from being left logged on, but unattended over a lunch period for example.

VPNs can be established over an internal network to restrict access not just to a specific server, but also to a specific application on that server.

Will Public Key Infrastructure (PKI) Solve the Security Problem?

PKI seeks to establish a regime whereby all entities (users, applications, etc.) are identified by a digital certificate. Each access/transaction etc. can then be authorized according to the validity of these digital certificates.

It works by creating a certificate that identifies a user and also contains the user’s ‘public keys’. PKI works by using two key pairs — one pair for data encryption and one pair for digital identification and for signing a message or transaction. As an illustration, suppose Alice wants to send a message to Bob. To encrypt the message contents, the sender, Alice does the following:

1. She encrypts her message with a random encryption key.

2. She then encrypts this random key with Bob’s public encryption key that he has previously made freely available to everyone.

This encrypted message can only be read by gaining access to the original key that Alice used. This is done by decrypting it with Bob’s private encryption key (the other key in the pair referred to earlier). Bob must keep this private encryption key confidential, or anyone will be able to read confidential messages sent to him.

How can Bob be sure that it was Alice who sent him the message and that it hasn’t been tampered with? Before encrypting the message, Alice does the following:

1. She uses a program (a hashing algorithm) that creates a unique code according to the message content. This ‘hashing algorithm’ will produce a different result even if only one letter in Alice’s message is changed.

2. She then encrypts the result from the hashing algorithm with her private authentication key.

3. She attaches the result as her digital signature to the message prior to encrypting it and sending it to Bob. Alice’s public signature key is freely available.

When Bob receives the message:

1. He decrypts the random encryption key.

2. He uses the random key to decrypt the message contents.

3. He decrypts the digital signature in the message with Alice’s key.

4. He then re-creates the unique code with the hashing algorithm in the same way that Alice created it and compares the two codes.

This process tells Bob that a) the message can only have been sent by Alice (only she has access to her private signature key), and b) the message has not been tampered with (the two codes are the same)2.
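The exchange between Alice and Bob, step for step, as an added example that is not part of the original article. To run with only the standard library it substitutes textbook RSA without padding and a SHA-256 XOR keystream for the real algorithms, and builds constructed toy keys from Mersenne primes; all function and variable names are assumptions.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Constructed toy keys; far too small and structured for real use.
ALICE_SIGN_PUB, ALICE_SIGN_PRIV = keypair(2**61 - 1, 2**89 - 1)
BOB_ENC_PUB, BOB_ENC_PRIV = keypair(2**107 - 1, 2**127 - 1)

def digest(data, n):
    """The 'unique code': SHA-256 of the data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def alice_send(message, alice_sign_priv, bob_enc_pub):
    d, n = alice_sign_priv
    signature = pow(digest(message, n), d, n)           # hash, then sign with private key
    payload = signature.to_bytes(32, "big") + message   # attach signature before encrypting
    session_key = secrets.token_bytes(16)               # random encryption key
    e, nb = bob_enc_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e, nb)  # only Bob can unwrap this
    return wrapped, stream_xor(session_key, payload)

def bob_receive(wrapped, ciphertext, bob_enc_priv, alice_sign_pub):
    d, nb = bob_enc_priv
    session_key = pow(wrapped, d, nb).to_bytes(16, "big")     # 1. recover the random key
    payload = stream_xor(session_key, ciphertext)             # 2. decrypt the contents
    signature, message = int.from_bytes(payload[:32], "big"), payload[32:]
    e, n = alice_sign_pub
    recovered = pow(signature, e, n)                          # 3. open the signature
    return message, recovered == digest(message, n)           # 4. compare the two codes

if __name__ == "__main__":
    wrapped, ct = alice_send(b"Order 42: ship 10 units", ALICE_SIGN_PRIV, BOB_ENC_PUB)
    print(bob_receive(wrapped, ct, BOB_ENC_PRIV, ALICE_SIGN_PUB))
```

Changing a single bit of the ciphertext makes the comparison in step 4 fail, which is the tamper evidence the text describes.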

So, PKI can provide four very important benefits to E-business.

1. It provides confidentiality — evidence that the contents of a message have not been disclosed to a third party.

2. It provides proof of the sender — a guarantee that the message really did come from the person claiming to have sent it.

3. It provides proof that the message has not been altered (accidentally or deliberately) in transit.

4. It provides non-repudiation of transactions — the certainty of knowing that the sender of the message cannot later deny having sent it.

However, PKI is an infrastructure and requires an amount of support, namely:

• Processes to authenticate users and issue digital certificates. The organization providing this function must be explicitly trusted by all parties that rely upon the certificates that it issues.

• A mechanism to revoke certificates that are withdrawn, or which have expired.

Summary — Six Key Steps to Information Security

1. Conduct an information value assessment to identify the different types of valuable information within your organization and their location. Rank the importance of these different types of information and focus on the most important types.

2. Establish a corporate security policy. Develop sub-policies from this including:

• Information security policy

• Perimeter security policy

• Content security policy

• Computer usage policy.

3. Conduct a security audit to establish what the organization’s current position is. Don’t forget physical security.

4. Progressively implement the security policies.

5. Regularly test that the company’s information security actually works! Tools are available to test the vulnerability of a server and some security companies offer services whereby they can be engaged to conduct an ‘ethical penetration test’ against a server, or against a network. This type of service seeks to emulate the activities of a hacker by attempting to breach an organization’s information security defences.

6. Review these policies on a regular basis.


2 A more complete explanation of public key cryptography can be found from: http://www.baltimore.co.uk/library/whitepapers/mn_key_cryp-tography.html