You’ve installed a firewall. Is your network is secure? Think again. A firewall is not enough. Proper network security requires at least one (if not several) firewalls, anti-virus software and intrusion detection. That’s just the technology, which is not even the most important part. Security also
depends on policies and procedures, and without those, all the gadgets in the world will not be enough.
“”The average organization understands security requirements from the firewall and anti-virus perspective,”” says Ian Curry, vice-president and chief marketing officer at Entrust Inc. in Ottawa, “”but the average organization doesn’t understand what else you should do or could do.””
Firewalls and anti-virus software are designed to guard against threats from the outside — intruders and malicious code.
But external threats are just a small part of the security picture. Rene Hamel, head of the forensic technology group at KPMG in Toronto and a former Royal Canadian Mounted Police investigator, compares popular misconceptions about threats to computer systems to popular misconceptions about break-and-enter cases. He says most people picture break-and-enters being committed by gangs of big, rough-looking men with weapons, when in fact most are committed by skinny, unarmed teenagers. Meanwhile, many people think security breaches are committed by teenagers using PCs in their bedrooms, when in fact the real threat comes primarily from inside the business.
Threats from outside have increased in the last couple of years, but insiders still pose a more serious risk than outsiders, says Andrew Pridham, director of consulting services at Montreal-based CGI Group Inc.
Former employees can be a threat
Hamel says a federal government department got into trouble when some e-mail messages dealing with classified documents leaked out. Employees dealing with those documents had security clearances, but they shared one floor of an office building — and a network — with employees lacking security clearance. One of those employees was sniffing network traffic from his personal computer and obtained confidential material.
That employee presumably knew what he was doing was wrong, but there are also the innocent mistakes — for example, the employee who brings in a diskette inadvertently infected with a virus or someone who mistakenly forwards a sensitive document to the wrong person.
Fired employees are often a threat. Hamel tells the story of a real-estate firm that fired the technical worker responsible for setting up its e-mail system. What the business didn’t know was that the ex-employee was able for more than a year to monitor its e-mail system, spot major deals on the verge of closing and send anonymous e-mails to prospects that caused the firm to lose significant amounts of business.
How do you guard against nightmares like this? Technology, while it can help, is not the whole answer. “”Information security is primarily policies and procedures,”” Pridham says.
“”It’s not hardware. It’s not software.””
Hamel suggests that guarding against security breaches from inside starts with the hiring process. When hiring new employees, employers should check references and conduct background checks. Then, the organization needs clear policies telling employees what they should and should not do. This may do little good against malicious attacks, but it can help guard against the many security breaches that occur through simple thoughtlessness.
For instance, Deloitte Consulting LLC prohibits employees from storing documents from work on their home computers, says Karim Zerhouni, head of the consulting firm’s Canadian internetworking practice. That policy makes it less likely confidential information will fall into the wrong hands.
Yet policies and procedures are not the complete answer either. Hardware and software can help enforce the rules and make it easier for employees to comply with them.
Access controls and passwords can be used to limit employees’ access to the applications and data they need to do their jobs and keep them away from privileged material. Authentication technology can ensure that e-mails come from whom they appear to come from and that documents have not been tampered with.
“”If things are too hard to do, people won’t do them,”” Curry says.
“”If you’re going to say everything has to be encrypted if it’s going to be on your disk, then you have to have an easy way to do that.””
Tools that make it easy to take the proper security precautions can go a long way toward ensuring that employees follow procedures.
The talk in security circles these days is largely about layered security. Some compare the concept to a medieval fortress, with moat, battlements, drawbridge and soldiers at the ready to pour boiling oil through holes in the stonework on to invaders below.
“”The whole idea is to slow the attacker down,”” says Tom Slodichak, chief security officer at WhiteHat Inc., a Toronto security consulting and training firm.
Software firewalls are easy to disable
The firewall — and even multiple firewalls — is certainly part of this layered approach. In fact, many organizations go well beyond a single perimeter firewall. They use two firewalls, with a demilitarized zone between them. What should be accessible to outsiders, such as the company Web site, sits in the demilitarized zone, behind the outer firewall but separated by another firewall from internal systems.
A growing number of companies also place firewall software on individual PCs. This provides some further protection in case intruders or viruses get past the outer defences. Similarly, anti-virus software on every PC means that even if a virus gets into the organization, it may be prevented from spreading to every PC.
The trouble with software firewalls on PCs is that they may be too easy for users to tamper with or disable. Some vendors tackle this by offering firewall software designed for corporate use, with policies set from a remote console rather than on the protected PC itself.
3Com Corp. offers another option, which it calls an embedded firewall. The firewall is placed on a PC Card along with the network interface. A user can disable the firewall easily by removing the card, says Drew Terry, senior product manager for embedded firewalls at 3Com — but in so doing the user disables the network connection as well, so the computer is inaccessible anyway.
Besides firewall and anti-virus software, a corporate network should have access control, using passwords, for the network and for privileged applications.
Then, Slodichak says, there should be both network-based and host-based intrusion detection. This software watches for signs of unauthorized activity and reports it to a security console, warning IS staff when something suspicious is happening. “”If the enforcement and monitoring is there,”” says Slodichak, “”it gives the organization some advance warning that something is happening.””
Honey pots can foil hackers
Some organizations have begun turning to an even more clever security trick. In their demilitarized zones, they set up dummy servers called honey pots, configured to look like key corporate systems. A honey pot might contain fake customer credit data, for instance.
The idea of this is not that intruders will be fooled permanently. However, says Slodichak, they are likely to be fooled long enough that they will break out their system-cracking tricks to try to get into the dummy systems. By monitoring this activity, corporate security people will get an advance look at the cracker’s arsenal before he or she realizes the deception and moves on in search of the real data.
“”The hacker community really hates honey pots,”” Slodichak says.
Not surprisingly, given his law-enforcement background, Hamel emphasizes one further issue that arises once you detect an intruder. To be able to prosecute the individual — or even just provide solid grounds for dismissing an employee who violates security procedures — you need good evidence. That means gathering as much information as possible to make an open-and-shut case that it was this person who broke into the system at these times. He advises anyone dealing with a suspected security breach to gather all possible information, destroy nothing until the issue has been resolved and be very cautious about altering any data that might have a bearing on the case.
Taken together, all of these security measures add up to realistic approach to security. There is no silver bullet; no firewall or other security system can stop all attacks. Using a layered approach to security, placing multiple obstacles in the way of anyone inside or outside the organization who might be up to no good will stop many intruders, but not all. What it will do is buy you time to see the attack coming and defend your network.