[ISN] Security just got tighter

From: mea culpa (jerichoat_private)
Date: Thu Feb 11 1999 - 18:43:00 PST


    http://www.amcity.com/twincities/stories/1999/02/08/focus1.html
    Minneapolis/St. Paul CityBusiness
    February 8, 1999
    Security just got tighter
    Henry Breimhurst   Staff Reporter
    
    Computer security used to focus on the network; today it gets down to the
    desktop and disk
    
    While in a waiting area in the Los Angeles airport, a local executive felt
    the need to powder his nose. So he got up and headed off for the restroom
    -- leaving his laptop computer open and running on the waiting-area seat.
    When he returned, the laptop -- and all of its confidential, unprotected
    files -- were gone. 
    
    Such incidents are the stuff of nightmares for Darlene Tester, manager of
    the security-risk management group at Minneapolis-based Net Access. Tester
    was working at the time for the executive's company, and feared that a
    major security breach had just occurred. 
    
    Fortunately, Tester said, the story ended as happily as it could have when
    pieces of the dismantled laptop began turning up in the marketplace. The
    thief had been more interested in the value of the hardware than in the
    documents stored on the computer's disk. 
    
    But issues like this underscore an often-underappreciated segment of
    network security: the individual machines, disks and even files that are
    the smallest parts of the network. As a result, consultants and
    manufacturers are coming up with new, more deeply layered security
    measures than ever before. Net Access, which does network integration
    consulting for clients with an eye always towards security, has grown as
    interest in security has grown. 
    
    The situation is analogous to a bank: Even though the front door to the
    bank is locked, the money is still kept in a vault within the building.
    With computer networks, the emphasis in the past few years has been on
    firewalls and security against intruders via the Internet -- locking the
    front door.  But with major security problems possible at the smallest
    level of the network, there is a resurgent interest in deep security
    layers. 
    
    "I've been in security for 20 years, and it has ebbed and flowed," said
    Tester. "Fifteen years ago they were more concerned about workstation
    security, because often they were stand-alone machines. As it developed
    into LANs, WANs and the Internet, there was more interest in firewalls,
    but now it's starting to move back to more granularized security." 
    
    When consulting with a client on security, Tester said, Net Access often
    discovers that the largest openings in the network are at the smallest
    level. Many companies, if not most, do not employ simple security measures
    such as requiring employees to have their workstations protected by a
    power-on password (a password needed to turn the machine on); encrypting
    files and e-mails on the hard drive; or setting up a regular schedule for
    changing passwords. "These are forms of security that are pretty cheap," 
    said Tester. Net Access works with its clients to develop and draft such
    policies, establishing security from the ground up. 
    
    (Sometimes the cheapest security is laughably ineffective, however. Tester
    mentioned the password feature on Windows 95, where a user is asked for a
    password at logon. But if the user hits "cancel," the password challenge
    goes away and the user is in free and clear. That prompt only unlocks a
    user profile and any stored network credentials; it was never designed to
    protect the local disk, which anyone who can boot the machine can read.) 
    
    Tester also noted that the need for individualized security is on the rise
    now because of the increasing mobility of the workforce. An employee might
    take data that is under the tightest security at work and bring it home on
    a laptop or disk. Anyone who gets that piece of equipment then gets the
    data with a minimum of effort. The answer Net Access recommends here is
    encrypted files, which require passwords and other encryption keys. 
    
    Imation Corp. of Oakdale has a solution of its own, the recently released
    encrypted Superdisk. This is a variant of the high-capacity Superdisk,
    which is the same size as a normal floppy but holds 120 megabytes of data,
    compared with 1.44 megabytes on a standard disk. Superdisk competes with
    Iomega's Zip and Jaz products for high-capacity storage. 
    
    With the new encryption feature, files saved on a Superdisk cannot be
    accessed without the proper password. The encryption is hardwired into the
    disk, and will be recognized by any Superdisk drive, eliminating the
    concern of having compatible encryption on multiple machines. Such
    encryption can be used in different ways; in addition to protecting files
    that are on the move, for example, Imation told of one case in which a
    personnel director has taken to saving all review files onto an encrypted
    Superdisk instead of keeping any on the hard drive or the network, where
    they might be more accessible. The downside is that if the password is
    lost or forgotten, there isn't a back door into the data. 
    
    "Its most obvious use is in areas where there is a high security concern," 
    said Jim Judge, Imation's marketing manager for the Superdisk media. 
    Government, law and financial services have been among the first to make
    use of the technology, he said. 
    
    The mobility issue also played a role in the development of the encrypted
    Superdisk. One of the areas where Superdisk has had successful penetration
    is in the laptop market, so coming out with a product that added to the
    peace of mind of all those laptop users seemed a natural next step, said
    Judge. 
    
    Imation is using 64-bit encryption on its Superdisks, which it claims
    would take 585,000 years of brute force to crack. No one has confirmed
    this number empirically as yet, and it only holds for an attacker testing
    about one million keys per second (2^64 keys divided by 585,000 years
    works out to roughly 10^6 per second); an attacker with more hardware
    shortens it in proportion. It is notable that the federal government
    won't allow 64-bit encryption to be shipped out of North America, as it
    could provide a security advantage to outside interests. 
    
    "We pitch the Superdisk first, and then this feature becomes the frosting
    on the cake," said Judge. "The encoded disks cost more, a premium of $3
    per disk more. That's small change compared to the security you get."
    Superdisks cost between $10 and $15. Imation is throwing a free encrypted
    disk in with its multipacks to get people using it. 
    
    Superdisk is likely only the beginning for Imation's encryption business. 
    Judge said that there are efforts underway to introduce encryption
    features into other Imation desktop-storage products. 
    
    When it comes to securing files, another Twin Cities company has spent
    years developing ever-more-foolproof ways to make sure only the right
    people have access to certain things. Datakey Inc. of Burnsville offers a
    security system built around actual physical keys or other so-called "hard
    tokens" that carry the holder's electronic signature. This electronic
    signature, coupled with passwords and other security devices, helps to
    eliminate any doubt about who is getting access. 
    
    "We say that software [security] in most cases is not good enough," said
    Alan Shuler, vice president and chief financial officer of Datakey. A
    password does not encrypt, for one thing. Once an intruder gets past it,
    all the data is free and clear. For another, the physical key makes
    security breaches easier to detect. "If someone learns my password, I
    don't know it. The physical possession of the card can tip the holder off
    to security problems." The card or key can also be programmed to shut down
    after a set number of failed attempts to guess its password. 
    
    Shuler said that the same groups identified by Imation have been the early
    adopters. In fact, passkey encryption was developed by the military to
    secure the transmission of data. 
    
    Datakey's system involves the key or card (the key is only superficial;
    the actual unlocking system is based on reading a code, not a mechanical
    unlocking) and a device that plugs into the computer; the key or card is
    then inserted into that device. The key has the user's electronic
    signature, which can be purchased from a number of signature certificate
    vendors, and that is where some difficulty creeps in. 
    
    Datakey and other encryption systems use what is called a "public key" 
    system. When sending an encrypted e-mail, for example, the sender encrypts
    the message with the recipient's public key, which can be distributed in
    the clear; only the recipient's private key, the matching half of the
    pair, can decode it. That works across products only if both sides use
    compatible certificate and message formats, and this incompatibility
    between the different security vendors has slowed the acceptance of the
    public key system. Until more people and companies buy electronic
    signatures, they won't have a need for hard-token systems like Datakey's. 
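    The exchange described above, as an added example that is not part of the
    original article or of Datakey's product: a recipient key pair, a sender
    who holds only the public half, and a second key pair standing in for a
    different vendor's system that cannot read the message. The key size,
    the OAEP label and the sample message are assumptions made for the
    demonstration; a hard token would hold the private key instead of a
    variable in memory.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// label ties a ciphertext to its purpose; sender and recipient must agree on it.
// This is an assumption of the example, not a Datakey parameter.
var label = []byte("isn-demo-mail")

// NewMailKey generates a recipient key pair. In practice the public half is
// published in a certificate and the private half stays on the holder's token.
func NewMailKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFor is what the sender runs. It needs only the recipient's public key,
// which can travel in the clear: knowing it gives no ability to decrypt.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	// RSA-OAEP with SHA-256 can carry at most k - 2*hLen - 2 bytes directly;
	// real mail systems encrypt a symmetric session key this way, not the body.
	if len(msg) > pub.Size()-2*sha256.Size-2 {
		return nil, errors.New("message too long for direct RSA-OAEP; wrap a symmetric key instead")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, label)
}

// Decrypt is what the recipient runs with the private key. Any other private
// key, even one from a correctly working system, fails the OAEP check.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label)
}

func main() {
	alice, err := NewMailKey()
	if err != nil {
		panic(err)
	}
	other, err := NewMailKey() // a different pair, e.g. issued by another vendor
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: wire $5,000 to account 1234") // constructed sample

	ct, err := EncryptFor(&alice.PublicKey, msg) // sender holds only the public key
	if err != nil {
		panic(err)
	}
	if pt, err := Decrypt(alice, ct); err == nil {
		fmt.Printf("recipient reads: %q\n", pt)
	}
	if _, err := Decrypt(other, ct); err != nil {
		fmt.Println("other private key:", err) // crypto/rsa: decryption error
	}
}
```

    The interoperability problem the article raises lives above this layer: the
    math is the same everywhere, but the sender still has to obtain the
    recipient's public key in a certificate format and from a certificate
    authority its own software trusts.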
    
    Net Access' Tester said that the different certificate vendors are
    starting to set some standards for interoperability, which may help
    encryption become more popular. As it is, different vendors have different
    standards for selling their certificates. Those used by banks often
    require a person to physically come in and confirm who they are before
    being assigned a certificate, while others take orders over the Internet
    and don't confirm them. 
    
    There likely will be some resolution of the certificate issue as companies
    get more interested in deeper security, always egged on to a certain
    degree by none other than the security experts themselves. "We're Chicken
    Littles with attitudes," said Tester. "The sky is always falling, and
    that's what makes us money." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:18:45 PDT