[ISN] Hacking away at the hackers

InfoSec News isn at c4i.org
Wed Mar 16 03:09:24 EST 2005


http://www.southcoasttoday.com/daily/03-05/03-15-05/l02ca072.htm

By JERRI STROUD
St. Louis Post-Dispatch
March 15, 2005

ST. LOUIS -- Ted Flom prepares for a security audit by trying to hack
into a client's network.
 
Often, it's surprisingly easy.
 
One Web site tipped Flom to the location of the company's servers. He
and his team were able to sign onto the server using a generic
password and user ID. Within a half-hour, they had access to virtually
everything on the company's network.
 
The client's executives "were shocked," said Flom, a principal with
Brown Smith Wallace LLC, an accounting and business-consulting firm in
Creve Coeur, Mo. "It ended up being a server that they don't normally
use. Someone just forgot to take it off their network."
 
Flom addresses corporate-information security, a hot topic now as
government regulations and a litigious public push companies to prove
their networks are secure.
 
Even smaller companies could be asked to comply if they work for
governments or larger companies in fields ranging from health care to
banking.
 
Some consultants say the new emphasis on information security stems
from the Sarbanes-Oxley Act passed in the wake of scandals at Enron
Corp. and WorldCom Inc. In addition, the Health Insurance Portability
and Accountability Act and the Gramm-Leach-Bliley Act put the security
onus on health-care and banking companies.
 
But Sarbanes-Oxley doesn't actually mandate information security, said
Ira Solomon, head of the accounting program at the University of
Illinois at Urbana-Champaign. It does require managers to attest that
they have adequate controls on systems related to financial reporting,
but it doesn't specify what kinds of controls.
 
Still, Solomon said, companies are being held to a greater level of
accountability for privacy and data integrity. "Companies are
collecting more and more data, so there's more and more at risk," he
said.
 
Because of that risk, accounting firms, computer consultants and major
network providers, such as Savvis Communications Corp. and SBC
Communications Inc., are offering security-audit services and advising
clients on ways to prevent attacks from outside -- and inside -- a
company.
 
Many companies think they've protected themselves from hackers by
installing a firewall or a piece of equipment with built-in security
features, said William Hancock, security chief for Savvis. But they
aren't secure if the company hasn't changed the factory-installed
passwords, which usually are well-known to hackers.
 
Hancock said companies need layers of security, additional hurdles
behind a firewall that can slow attempts to penetrate a company's
network. These can include access-control lists on routers, additional
firewalls on servers, intrusion-detection systems, stronger
user-authentication systems and access-filtering technology.
 
"By using a layered defense, the chances of an intruder getting all
the way to an asset, undetected and undeterred, goes way down as more
layers are added," Hancock said.
 
Equipment and computer ports that are unneeded should be turned off,
and software patches should be kept up to date. Most successful
intrusions exploit vulnerabilities for which a patch was already
available but had not been installed.
 
Hacking, viruses, spam and denial-of-service attacks are on the rise
as more computers, cell phones and other devices are connected to the
Internet, Hancock said.
 
Still, attacks from the inside cause more damage than those from
outside a company.
 
"Amateurs hack systems; professionals hack people," said Dustin Dykes,
a senior consultant at Callisma, a network-design firm owned by SBC.
 
"I spend a half-hour on the phone, and I most likely have all the
passwords I need," Dykes said. "Companies tend to test the technical
systems but not the people and the processes."
 
The most-likely perpetrators of attacks are disgruntled employees or
recently fired ones who know how a company's computers are set up,
said Josh Crowe, vice president in the St. Louis office of Calence
Inc., a network-consulting firm based in Phoenix.
 
Companies must confiscate identification or access cards and
deactivate passwords and e-mail accounts as soon as an employee leaves
the company, Crowe said.
 
Active employees should have access only to the information and
systems they need to do their jobs. Vendors and consultants should be
granted access only after their computers have been scanned for
viruses -- and their access should be limited to the task at hand.
 
Even good employees can leave the company open to security breaches if
they give passwords to outsiders, use unsecured home or public
networks or respond to "phishing" e-mails purportedly from banks,
credit-card companies or other organizations.
 
Employees should be suspicious of any e-mails asking them to update
records, especially if they don't recognize the person or company
requesting the updates.
 
Smart companies work out deals that give their employees access to
antivirus software for laptops and home computers, Hancock said. He
also recommends anti-spyware and anti-adware tools and personal
firewalls, many of them available free on the Internet.
 
Keith Fear, infrastructure director for Oakwood Systems Group Inc.,
said he's been able to walk into a major company in St. Louis, sit
down at a computer and start exploring its network without being
challenged by a receptionist or other employees.
 
Oakwood, a computer-consulting firm in west St. Louis County, checks
for breaches of physical security as well as technical security when
it conducts security audits, Fear said. Some companies still use
ordinary locks on rooms housing their servers and other sensitive
equipment, for example. Few have video cameras watching critical
computer operations.
 
Even high-tech systems can be compromised, Fear said.
 
The first thing companies need to do is determine which assets and
intellectual property are most critical, Fear said. Then, they need to
look at the risk of compromising those assets and find out how to
reduce those risks.
 
A security audit should look at external and internal vulnerability,
risks of penetration and also at policies and procedures. Audits
should be redone -- or at least reviewed -- every six months.
 
Companies also need to look at security flaws that occur because of
the way applications and systems are designed, said Ray Seefeldt,
director of technology risk management in the St. Louis office of
Jefferson Wells, an auditing and consulting firm based in Milwaukee.
 
A company might have 12 different groups of people who work on 12
functions, but their system is designed for just eight groups or
functions.
 
"People can't do what they need to do, and they will blame it on
security," Seefeldt said.
 
"A lot of security issues are caused not by the security tools," he
said, "but because security is an afterthought, and the designers
didn't get it right in the first place."

Tips for safeguarding company information:

1. Keep software up-to-date and security patches installed, as
   appropriate.

2. Use anti-virus software on all computers -- desktops, laptops,
   employees' home computers and those of any vendors who connect to
   the company network.

3. Install firewalls and change every factory-default password and
   security setting before a device goes on the network.

4. Give employees access only to the data they need to do their jobs.
   Use access control lists and passwords that aren't easy to guess.
   Long passwords that mix letters, numbers and symbols are harder to
   crack than short, single-case words.

5. Develop consistent, practical policies on the use of data, the
   Internet and e-mail -- and enforce the policies.

6. Educate employees, including executives, on the importance of
   security and how to work securely. Remind them of the dangers of
   providing information to outsiders, especially those posing as
   insiders.

7. Check physical security to make sure unauthorized persons can't get
   in to tamper with your network.

8. Turn off unused computer ports and peripherals. Make sure older
   equipment has the same protection as newer devices.

9. Map critical assets and understand where they are at risk. Develop
   plans to address their vulnerability.

10. Assess security on a regular basis, automate it where possible and
    review changes made since the last assessment.
