Halt, Hackers!

Intranets are exposing corporate networks to increased threat. Passwords and firewalls are no longer enough.

By Laura DiDio

Officials for the U.S. Coast Guard were incredulous. Despite all their precautions and safe security policies, the security of their corporate intranet had been breached, and breached badly. A savvy former network administrator, Shakuntla Devi Singla, had persuaded a fellow Coast Guard worker to loan out his password and had then dialed into the intranet remotely and reportedly (the Coast Guard still isn't sure) used a top secret password to gain access to a personnel database.

Once in, she had proceeded to delete personnel information from that database.

The hack itself took only a couple of hours, but the aftermath was much worse. It took 115 workers 1,800 hours to restore the lost data. Total cost: $40,000. It's a fact that corporate networks, designed to share and transmit data, are inherently insecure.

The addition of intranets, which incorporate Web browsers for Internet access, and extranets, which enable outsiders such as customers and business partners to access the corporate network, as well as the emergence of electronic commerce can make the enterprise even more porous for unwary businesses.

Sometimes the culprits are unwitting end users who make errors that compromise network security on a daily basis. These errors range from the arcane, such as dialing into forbidden Internet sites and downloading freeware that can be riddled with viruses, to the mundane, such as sharing passwords and leaving systems unattended. These actions make the intranet easy prey for hackers.

So what can be done to combat these threats? Companies need to start with a good foundation. That means implementing strong security policies and procedures and making security an intrinsic part of network operations and daily life. We talked to security experts and corporate security specialists, asking for their suggestions and approaches. Some of their recommendations: Take inventory of corporate data, use more than firewalls for security, encrypt sensitive corporate data and conduct audits to assess security weaknesses. Basically, they say companies need to constantly review security procedures and practices.

That's what Bob McKee has done in response to the growing siege of intranets. McKee, director of information management security at The Hartford Insurance Co. in Hartford, Conn., and a 13-year veteran, has 26 people in his security organization. The 22 security managers and four disaster recovery and business contingency planning managers use a combination of education, accountability, common sense and good security products to safeguard the firm's data.

"When I started, security was much simpler. Our biggest worry was passwords and IDs for the mainframe," McKee recalls.

The introduction of intranets, Web browsers and Internet access has made security a 7 by 24 job. Education starts with the employee's first day on the job. Along with a booklet on benefits and corporate policies, employees are given handouts of company security policies governing computer usage, good security practices and all the no-no's.

And for the past three years, The Hartford, in conjunction with the Computer Security Institute, has also published Frontline, a quarterly security publication distributed to all 25,000 worldwide employees. It contains articles on security issues, Internet threats and vulnerabilities, and hackers. The end result, McKee says, is heightened awareness.

"We realize people will be reluctant to rat out their employees and to report security violations. We're not looking to nail individuals to the cross -- we want to educate them and make sure security is never far from their minds so they turn the computer off at night, don't keep their passwords pasted to the monitor and don't download freeware from the Internet," McKee says.

"It's also paid off with regard to the increasing number of virus hoaxes. We now get people calling us immediately when they suspect something," he adds.

McKee's biggest intranet security concern is ensuring that he has the right level of protection for all the servers.

"I determine that by knowing which departments have intranet servers up and running and making sure that we communicate and determine if the data needs to be protected," he says.

So far, he adds, the proactive measures have helped The Hartford avoid a serious hit.

Footing the Bill

Not every security specialist can get upper management to foot the bill for the type of intranet security The Hartford uses.

"I complain and complain and show my managers all the alarming statistics and clip the stories about the hackers, and it still does no good," says the security administrator at a Fortune 1,000 firm in the Northeast who requested anonymity.

While the firm does have firewalls and antivirus packages installed, the security manager says he still worries because "the virus products are three versions old, and we don't have the latest upgrades for the firewalls. You could say I pray a lot."

Corporations that ignore security and fail to implement security policies and procedures do so at their own risk, says Mark Gembicki, president of Warroom Research, Inc., a security consultancy in Annapolis, Md.

"If you're not proactive about safeguarding your data, it's a question of 'when,' not 'if' you'll get hacked," he says.

With such bleak prognostications, what can be done to ward off disaster? Plenty, security administrators and analysts say.

Warroom's Gembicki advises businesses to take inventory of all data, determine what needs protection, pinpoint areas of vulnerability and add appropriate security devices and policy measures. If you have a server with sensitive financial data on it, limit access or physically isolate the financial network from the Web server.

"Security activities like these are ongoing, constant processes, like weeding the garden. If you don't do it regularly, you will be overrun with weeds -- or hackers," Gembicki says.

Taking inventory of all corporate data is pragmatic from a cost-savings standpoint as well, says Mark Fabro, director of risk assessment at Secure Computing, Inc., who performs ethical, or "white hat," hacks for his business clients. Many firms, he notes, have limited funds and can't afford the latest and greatest firewall or antivirus version.

"Taking inventory of all corporate data helps the manager decide which data most needs to be secured. If you have people who rarely access public data networks or do a lot of messaging, chances are they can get by with older virus packages."

Firewalls have become something of a two-edged sword. On the one hand, they do represent a good first line of defense and a necessary component in the overall intranet security infrastructure. But they can also lull businesses into a false sense of complacency.

"Firewalls are like a gate around your property: They guard the perimeter. But they can also be like France's Maginot line: If there's a security hole in your network operating system, operating system or application, the hacker will simply bypass the firewall and get right to your sensitive data," Fabro says.

Scaling the Firewall

Fabro also recommends that security managers and network administrators thoroughly check and test their firewall configurations on a test network before installing them on a production server.

"Errors in firewall configurations are very common. Use common sense -- don't just take it out of the box and put it on your network. A firewall that's configured improperly is useless," he says.

One obvious solution: Encrypt sensitive corporate data to make it harder for prying eyes to see. This usually means two-factor authentication that includes encrypted data and user PINs.

Keep Pace with Growth

That's what Reliant General Insurance Services, Inc. did to batten down the hatches on its corporate intranet. The San Diego-based firm, which insures high-risk motorists, has seen explosive growth in its business in the wake of California making insurance mandatory in 1997. But with that growth, Reliant had to find new ways to safeguard its data because all of the company's underwriters worked from home using insecure, dial-up modems, says Cary White, Reliant's director of MIS.

"We can't afford a hack. There's too much sensitive customer information being transmitted from our remote underwriters to our intranet via the Internet. If we got hacked, there would be big fallout. I'd expect customers to go to our competitors for their insurance," he says.

Reliant's solution was to install a virtual private network from Axent Technologies, Inc., which provided the company with encrypted passwords and data, as well as encryption at the firewall.

As for the applications, operating systems and network operating systems, they too should be thoroughly tested. And network administrators and security managers need to familiarize themselves with the ins and outs of the system. Windows NT, for example, has lately become a favorite hacker target. But NT security is no better or worse than that of most rivals.

The problem is that NT comes out of the box in an inherently "trusting" manner. It's up to the network administrator to turn on the existing security controls. NT Server does contain things such as intruder account security, which lets the network administrator lock an account if the password is entered incorrectly a specified number of times.

But first you have to know it's there, and there's no substitute for hands-on training. Jeff Dazell, LAN network services administrator at Dana Corp., a $7 billion automotive parts manufacturer with 45,000 employees worldwide, says his network administrators took "18 months to get fully up to speed" on NT security. Part of the issue was that NT 4.0 was a new operating system with 16 million lines of code. And as with any new operating system, there are always issues of backward compatibility with older operating systems and applications.

If the network administrator isn't savvy enough to implement the security default parameters, internal and external hackers could get carte blanche supervisory rights to access, delete, write and execute other users' files that share the same Windows NT domain directory.

The fix for this is simple and free. The network administrator must remove the full access control at installation and then grant users more appropriate read/write access privileges. Another smart move is to disable the Guest accounts and rename the Administrator accounts.
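The account settings named above (intruder lockout, the Guest account, the Administrator name) can be checked mechanically. The sketch below is an added example, not part of the original article: it assumes the local policy has been exported on a current Windows system with `secedit /export /cfg`, a tool the article does not name, and it audits a constructed sample of that export. File permissions are not covered by this export.

```python
import re

# Constructed sample of the [System Access] section of a secedit export,
# in the out-of-the-box "trusting" state the article describes.
WEAK_POLICY = '''\
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
EnableGuestAccount = 1
'''

# The same export after hardening (constructed; "ops-local-01" is a made-up name).
HARDENED_POLICY = (WEAK_POLICY
    .replace("LockoutBadCount = 0", "LockoutBadCount = 5")
    .replace('"Administrator"', '"ops-local-01"')
    .replace("EnableGuestAccount = 1", "EnableGuestAccount = 0"))

def parse_system_access(inf_text):
    """Return the key/value pairs of the [System Access] section only."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "system access" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(inf_text):
    """Flag the article's three account settings; a missing key counts as weak."""
    s = parse_system_access(inf_text)
    findings = []
    if int(s.get("LockoutBadCount", "0")) == 0:
        findings.append("account lockout disabled (LockoutBadCount = 0)")
    if s.get("EnableGuestAccount", "1") != "0":
        findings.append("Guest account enabled")
    if s.get("NewAdministratorName", "Administrator").lower() == "administrator":
        findings.append("built-in Administrator account not renamed")
    return findings

if __name__ == "__main__":
    print(audit(WEAK_POLICY), audit(HARDENED_POLICY))
```

A real export is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.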

Point solutions for securing the intranet all work well, but to really minimize the chances of a successful intranet hack, experts advise businesses to get a security audit or risk assessment check. Prices range from thousands to hundreds of thousands of dollars, depending on the size and scope of the organization. For a fee, security consulting firms, including all Big Six accounting firms, will come in and perform an ethical hack designed to pinpoint the strengths and weaknesses in the organization.

Gary Loveland, a partner in Price Waterhouse's IS risk management group, says an initial sweep of a user's premises uncovers no lack of antivirus software or protective devices, such as router- or Internet-based firewalls.

"Users have girded for battle and are generally armed to the teeth with the latest security devices. The biggest vulnerability we see is that businesses don't take the time to really assess where their weaknesses are. They're usually tripped up by some silly backdoor that's been left open," he says.

In this era of mergers and acquisitions, a company that has taken all the right precautions might unwittingly compromise its entire enterprise network by adding a newly acquired subsidiary network to the enterprise.

"A newly acquired company, especially if it's small, could have big gaps in its network. So we advise companies to scrutinize security before adding new networks onto the enterprise," he says.

Look at the Coast Guard: They took all the right precautions and still got attacked. Sad to say, the Coast Guard was lucky, according to Chris Klaus, chief technology officer at Internet Security Systems, Inc. in Atlanta.

"Not only did they get off cheap -- $40,000 data losses from intranet hacks are nothing these days -- but they got off easy. They were able to identify the data that was lost and restore it," he says.