When a large international corporation decided to
set up an Intranet, or private network of inter-connected computers, to
share information between offices, it appeared to have done all the right
things to secure its data.
The company set up a firewall, a set of programs designed to
protect the resources of a network from users of other systems, and issued
passwords to its offices. But there was one risk factor it overlooked: its
own employees. “The human factor is definitely the weakest link in any
security system,” says Manuel Beltran, chief technology officer of Online
Labs Inc, a Los Angeles-based Internet company that specialises in security
and computer forensics. “With programs like PC Anywhere, for instance, the
Intranet becomes immediately available to anyone with a modem who can hit
the right number.” Add that to e-mail communication and you have a problem,
he says.
“The days of viewing security from the perspective
of ‘securing the perimeter’ are over,” says Erik Laykin, founder of
OnlineSecurity.Com. “This practice has kept tacticians and strategists busy
since before the time of the Roman Empire. Now we have a new frontier to
contemplate; that of the ‘Internally Integrated Asset Matrix’ (I.AM).”
Roughly speaking, I.AM should be understood as the
structure by which digital assets are distributed throughout the Internet
and through localized systems such as corporate Intranet networks, Laykin
explains. “In today’s age of information technology, purveyors of
information want users to access content and data through the use of the
international telecommunications network. However, that very act
constitutes the fundamental risk issue facing companies in their quest to
protect their digital assets,” he says.
“As fundamental as the changes have been for the
distribution of information over the past five years, the same fundamental
axis shifts will take place in the policies and procedures adopted by
companies, individuals and governments in the securing of their digital
assets,” believes James Gordon, executive vice-president of
OnlineSecurity.Com.
Max Smith, a reformed hacker and now a consultant
for OnlineSecurity.Com, says a range of procedures must be put in place to
provide comprehensive security. “While firewall products can erect barriers
to traffic, the software can do nothing to protect the traffic in transit
or to monitor employee access. To provide the most complete protection in a
security framework, a company must have policies, monitoring and
enforcement. As an active hacker in the underground community, I rarely
encountered a system that I could not crack in some manner.”
Constant vigilance on the part of each company doing business (not just on
the web but any kind of digital activity at all) is also vital to security,
the industry experts believe.
“One company pulled its files nightly to determine
where certain individuals (staff members) were spending their time and to
make a decision about whether or not these individuals were compromising
security,” Beltran says. “That is how you figure out if you have a
problem.”
“Responsibility rests at home for each and every
computer/Internet user. The world of tomorrow will resemble a ‘digital’
town square, where neighbours can greet each other, albeit electronically. In
this world of instant access to all and from all people, social structures
and laws will develop, and will bring a degree of common sensibility and
respect which people will adhere to around the globe. This will be the
result because the price of ‘acting out’ and getting caught will be too
high, just as the price of acting out in the town square context may be too
high when you know all of the townsfolk and they are your neighbours.”
Early days of the Internet
The rapid surge of Internet usage by the mid-1990s
gave rise to a sweeping change in how information systems were built.
Corporations quickly adopted Intranets, which allow employees to share
</gml_replace>
<gr_replace lines="67-68" cat="clarify" orig="Internet servers, with">
Internet servers, with industry analysts predicting there will be five
million of the former against fewer than one million of the latter by the
company information and computing resources.
Now, Intranet servers are far more numerous than
Internet servers, with industry analysts predicting there will be five
million of the former against less than one million of the latter by the
end of this year.
Intranets can operate in a number of ways. They
may consist of many interlinked local area networks, each a small network of
computers that share the resources of a single server within a small
geographic area (such as an office building). Or, in the case of big
companies with multiple offices, they may employ a wide area network,
connecting staff via a private or public phone line.
Efficiency, ease-of-use, the ability to lower
costs and gain a competitive advantage all make digital business the only
viable option now. But how does a company really protect its data?
To be truly secure, the approach must be to allow
computers within the Intranet system to mutually authenticate or approve
one another. And security administrators must be allowed to exercise almost
surgical control over network traffic allowed in and out of each system,
Beltran says. This can be aided by the establishment of so-called internal
firewalls, protective barriers within an outer firewall that help to
further isolate sensitive data and provide security administrators with the
ability to directly control what data should be accessible to each party
using the system. Beltran emphasizes, though, that “the biggest risk is not in the
transmission of the data but in the securing of it.”
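The internal-firewall idea in the paragraph above, shown as an added example that is not from the article or from any company it quotes: a small Python policy evaluator with constructed segment addresses and rules (all assumptions), contrasting a perimeter-only rule set, under which any host already inside the Intranet reaches the finance file server, with one that places an internal firewall in front of the sensitive segment and denies by default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments of a hypothetical corporate Intranet (not from the article).
SEGMENTS = {
    "internet": ip_network("0.0.0.0/0"),        # catch-all for anything not below
    "workstations": ip_network("10.1.0.0/16"),  # general staff PCs (and dial-in users)
    "finance_ws": ip_network("10.1.50.0/24"),   # finance department PCs
    "finance": ip_network("10.2.0.0/24"),       # file server holding sensitive data
    "dmz": ip_network("10.3.0.0/24"),           # public web server
}

@dataclass(frozen=True)
class Rule:
    src: str             # segment name or "any"
    dst: str             # segment name or "any"
    port: Optional[int]  # None matches every port
    action: str          # "allow" or "deny"

def segment_of(ip: str) -> str:
    """Return the most specific segment containing ip ('internet' if none)."""
    addr = ip_address(ip)
    best = "internet"
    for name, net in SEGMENTS.items():
        if addr in net and net.prefixlen > SEGMENTS[best].prefixlen:
            best = name
    return best

def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; a flow that matches no rule is denied."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    for r in rules:
        if r.src in (s, "any") and r.dst in (d, "any") and r.port in (None, port):
            return r.action
    return "deny"

# Perimeter-only design: the outer firewall screens the Internet, but every host
# already inside (a dial-in modem user included) can reach everything else.
PERIMETER_ONLY = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "any", None, "deny"),
    Rule("any", "any", None, "allow"),
]
# Same outer rules plus an internal firewall in front of the finance segment:
# only finance PCs reach the file share (assumed port 445); nothing else may.
WITH_INTERNAL_FIREWALL = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "any", None, "deny"),
    Rule("finance_ws", "finance", 445, "allow"),
    Rule("any", "finance", None, "deny"),
    Rule("any", "any", None, "allow"),
]
```

Any flow the internal rule set denies is also the kind of event worth logging, which is where the monitoring the experts call for starts.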
If information is being passed over a telephone or
cable line, then it must be encrypted. However, the downside is that
securing data with encryption keys can slow down communication.
This performance problem can be overcome by
increasing transmission bandwidth, though that is a relatively expensive
solution. “Opening up the pipe, so to speak, will allow for faster
communication with encryption,” Beltran says. “Of course, that will also
increase the cost of your overheads.”
“While some mid-sized companies invest moderate
amounts for establishing and monitoring their security systems, most credible
systems are of sufficient size as to rival the cost of say, opening a new
office branch, hiring a couple of new executives, or running a full page ad
in Time magazine,” Laykin says.
However, as Beltran points out, the amount spent on
security is unlikely to be anything like the costs resulting from lost or
stolen data. “For less than the price of a new BMW a company can have a
good security model and can protect data that is potentially worth millions
of dollars in business to it.”