The price we pay for better networks is greatly increased security risks--especially from within
by Alan Zisman (c) 1995. First published in Business in Vancouver, Issue #313, October 24, 1995, High Tech Office column
If you've got computers in your workplace, the odds are they're connected to some kind of network. Except in the smallest of offices, it's unusual to find a computer that's entirely on its own.
And perhaps it's no coincidence that as we get more connected, we become more vulnerable to various kinds of attack--break-ins, viruses or data loss from within our organizations. A 1995 study by Ernst and Young, polling more than 1,000 major corporate information officers and managers involved with technology issues here and in the U.S., clearly illustrates the risks involved: more than half of respondents reported that their businesses had suffered losses due to incidents of this type, with a number of the losses exceeding $1 million.
The reported rate of attacks is increasing. Despite that, the same survey suggests that a surprising 42 per cent of those surveyed believe that security is either "not important" or only "somewhat important."
More networks and more connected machines equals more targets. At the same time, products aimed at increasing ease of use often result in increased security risks. And with many companies feeling under increased pressure to cut costs, security is often given a lower priority. There are no reliable statistics on the number of incidents affecting Canadian businesses: in many cases, companies would rather not report problems. And while we're most likely to hear about hackers in reports conjuring up images of teenage rebels and groups with names like "Masters of Deception," these make up a minority of the losses. (Still, the clichéd adolescent hacker has some basis in reality: recently, the RCMP in Ontario arrested a 20-year-old who had broken into more than 60 networks, including those of Harvard University, IBM and the Canadian government.)
But most data loss happens internally--the result of actions by a company's own employees. Most often, these incidents are covered up. RCMP commercial crime investigator Bob Davis says this makes his job harder: "If we continue on the path where victims terminate employees and absorb the losses, then this situation continues in the same fashion, just at a different level," he points out.
All too often, however, when a company's own employees use the network to steal money or data, infect computers with viruses or damage databases, the business would rather write off the loss than face bad publicity.
Recently, there was a brief flurry of interest in network security focusing on the reassuringly named SATAN (Security Administrator Tool for Analyzing Networks), a program that was released onto the Internet last April 5 by its authors, Dan Farmer and Wietse Venema. While it was purportedly designed to help network administrators probe their own systems for weaknesses, many feared that the free software could just as easily be used by outsiders seeking networks prone to attack.
The media reports about the SATAN controversy most likely pushed sales of security-related products such as Internet firewalls--combinations of hardware and software designed to act as a barrier between your company's internal network and the wide-open access of the Internet. By restricting what can come in and what can go out, these can help protect your company's data from intruders--but not from your own employees. Probably the biggest single improvement in computer security that most businesses can introduce is password management. And unlike high-tech fixes like firewalls, some of the most effective measures involve no direct costs. Users need to be better educated on how to pick effective passwords (don't use easy-to-guess passwords like your middle name, your date of birth, or--please--words like "peace"). Passwords need to be changed often. Most of all, however, users must learn to keep their choices a secret: no technological system can be effective if an employee keeps a password written on a Post-It note stuck to a computer monitor.
These sorts of behaviour will lead to problems in even the most technologically sophisticated system. Often, however, companies pass over education of their employees for more expensive, high-tech measures that may be less effective. (Of course, the best response will include both better employee training and sophisticated technology.) Between naive users, sometimes malicious or vindictive employees or former employees, and the increased tie-in of networks to international systems like the Internet, no system is safe.
But if all of us--network users, network administrators, and our companies--start to take data security more seriously, many of these budding problems can be minimized or avoided.