http://www.amcity.com/buffalo/stories/1999/01/18/focus3.html January 18, 1999 Experts say stymie hackers by using several safeguards David Troester Business First If your company has a computer, a computer system or a series of computer networks with online Internet access, then it's vulnerable to "hackers" and "crackers." How do you safeguard a computer system? Firewalls are the most common method. Firewalls check passwords and other ID of users seeking system access from the outside. "It's a piece of equipment or a piece of software that runs on a computer," said Michael Rockwell, CTG principal consultant. Firewalls may filter by address or actually interrogate a message. Hackers often attach a file to e-mail which, when opened, can damage a system. "It's like placing a landmine somewhere and just waiting for somebody to step on it," said Natalie Neubauer, business manager at PC Expanders Inc. in Amherst. Firewalls can vary in price, depending on the system and needs, from hundreds to thousands of dollars. Passwords are another way to keep out hackers. Each system user should have a password, typically known by only the user and system administrator. Passwords should not be common, trite or familiar words, names or dates. "We suggest a combination of both characters (letters) and numbers," Neubauer said. "We always tell our users, `If you can't remember the password then it's a good password.' " System users should be required to change passwords on regular intervals, monthly is recommended for best safety. "Never send your password through e-mail. The e-mail can actually get snatched, and they can get the information out of the e-mail," Neubauer said. Encryption is another good way to safeguard a system from outside invaders. Encryption software essentially scrambles information sent across a network in a code, to be decoded by the intended receiver. Private and public keys are the most common form of encryption. "Essentially what happens is you generate a key pair. One of those keys you keep for yourself, which is a private key and then the public key you make available to everyone," said Rockwell. Tracking and recording of information and messages sent on a network also may avert potential hackers from hacking. Most systems, encryption programs or other software log network activity. For example, PC Expanders' ISP operating system uses Lynux software to monitor activity and has traced malicious users in the past. Tracking also can identify the password and equipment used to enter a system during an inside intervention. "What I keep hearing is most of the things that happen are internal," said Stephen Adorian, president of Cybernetic Communication Systems Inc. in Lockport. For example: "People want to find out what the guy is making down the hallway so they get into employee payroll records," he said. Smart Cards can protect a system in a method similar to passwords with much heightened security. About the size of a credit card, they are used for access to a system and generate new entry codes about every minute in synchronization with system entry points. "Those actually work really well," Neubauer said. "Even if you are on the Internet and someone snags that password, it changes within 60 seconds." Smart card software costs about $500, she said. The danger of smart cards arises if the card is lost or stolen. Biometrics is another sophisticated way to protect systems, but used only in high-security organizations. Biometric technology allows system access by scanning thumb prints, eye retinas or other physical characteristics. "There's not much of a request for it around here," Neubauer said. System administrators and computer professionals agree no system is hacker proof. System upgrades, software patches and monitoring need to occur on a regular basis to maintain defense against invaders. "You can set up different kinds of equipment so that just like moats of old it's going to take somebody to swim through the alligators to get to your machine," Adorian said. -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:29 PDT