[ISN] Enron: Security Woes, Too?

From: InfoSec News (isnat_private)
Date: Mon Mar 11 2002 - 00:53:06 PST


    March 8, 2002
    By Mary Jo Foley, Baseline

    Protecting a company from external computer hackers is not a job for
    the faint of heart. Even when the attacks are routine, it's tough, and
    it can be risky. Add a bunch of angry ex-employees and a slew of
    investigators who all want to get at your internal data and mess with
    it for their own varied reasons, and now you're sitting on a powder

    Just ask Enron.

    In early January, a would-be hacker figured he'd shine his own light
    on the internal workings at the giant—and failing—global energy
    trading company by getting hold of its top executives' travel records.
    How best to find the details? Infiltrate the automated
    travel-and-entertainment software system used by Enron to keep track
    of executives' travel, according to Concur Technologies, which
    developed the system and has hosted it for Enron at several
    co-location sites across the country for the past two years.

    The good news is that Concur detected the attempt to intrude on the
    Houston company's internal records within 60 seconds, according to
    Concur Chairman and CEO Steve Singh. The company thwarted the
    potential breach within three to four minutes. Enron's data was not

    At least not this time. But the incident begs the question: Should
    Enron be doing more to prevent this kind of security risk,
    particularly as the company's image in the public eye darkens and the
    tales of its travails and questionable business deals angering former
    employees and investors drag on for weeks and months?

    Although Enron executives declined to comment for this story, a former
    Enron information technology consultant says security at the
    energy-trading firm was lax. If, as computer security experts claim,
    Enron epitomizes the state of internal and external security at most
    Fortune 500-level companies, then it also offers lessons that others
    would do well to heed. What's key to those lessons?

    Concur is just one of many tens or even hundreds of applications
    running at a global company such as Enron. Enron had thousands of
    desktop PCs and servers running operating systems including
    Microsoft's NT 4.0 and Windows 2000, Sun Microsystems' Solaris, other
    flavors of Unix, and the Linux free variant of Unix, say parties with
    knowledge of the company's systems.

    On the application side, Enron also was a hodgepodge, using Microsoft
    Exchange Server as its primary mail system, Oracle and Microsoft SQL
    Server databases, and enterprise-application integration software from
    Tibco. Concur wasn't the only hosted application run by Enron. At some
    point, the company employed, among others, sales force automation
    software from Salesforce.com. Executives with Salesforce.com, like
    those at most of the vendors on Enron's IT list, declined to talk
    about one of their former favorite customers.

    Passwords and Post-Its

    On the network and systems management fronts, "everything was
    custom-built," says Charles Turich, a former IT contractor with Enron
    Net Works, a division of Enron that provided help desk, hardware,
    trader, remote and executive support for the entire company.

    Security was fairly loose, says Turich, given the fact that Enron's
    primary business was trading millions of dollars worth of energy
    commodities in big chunks. Turich says he saw traders and other users
    in the EnronOnline trading division regularly running file-sharing
    applications—such as Napster, Gnutella clones, and Morpheus—that left
    open holes in the company's firewalls.

    "It was commonplace for traders, general users, and executives to give
    their passwords out freely to help-desk, desktop-support and
    trader-support personnel. Because of the complicated password policies
    at Enron, many users hid a piece of paper under their keyboard or
    mouse pad with the user names and passwords to the different
    applications run throughout the course of the day," says Turich. "It
    was not uncommon to find them stuck to the monitor, either, with a
    Post-it Note."

    Security fixes and patches were applied in an equally haphazard
    manner, Turich adds. During his tenure Enron was hit twice, extremely
    hard, by the Code Red and Nimda viruses, he says. Contractors and
    information technology employees spent many hours installing a new
    software configuration on hundreds of machines that could have been
    patched and protected by the timely application of a critical update
    beforehand, Turich says.

    If a company is under immediate threat of both internal and external
    attack, the best way to minimize risk is simply to cut all wires to
    the outside world, says David Raikow, an independent security
    consultant in San Francisco. "It would be best to just clamp down on
    outside connections," he says.

    This would involve taking down existing firewalls and replacing them
    with new, completely different ones; physically pulling the plug on
    all PC dial-up connections and wireless ports; changing all passwords
    and cleaning out authentication databases; and shutting down any
    unused machines, Raikow says. Once the dust has settled, the company
    should look at performing an audit with the help of a professional
    security-monitoring firm to search for places where internal or
    external hackers might have tried to lay traps or create back doors
    that would allow unauthorized access, Raikow adds.

    Gartner Inc., the Connecticut-based research firm, estimates that more
    than 70% of unauthorized access to information systems is committed by
    employees, as are more than 95% of intrusions that result in
    significant financial losses to a company. Yet a fundamental challenge
    for any company like Enron, with so many internal technology
    contractors and external trading partners, is discerning who has and
    who needs various levels of access to internal systems. Companies that
    are changing rapidly as a result of multiple mergers—or
    layoffs—particularly face this problem.

    "How do you identify who an insider is, these days?" asks Mark
    McClain, president of Austin, Texas-based Waveset Technologies, an
    identity-management software and services vendor. "A non-employee can
    sit on site every day, and an employee can work at home and never come
    in. There are non-employees who might have higher access levels to
    data inside a company than do employees."

    At the same time, companies often are not sure which employees have
    access to what. As a result, they are left unable to properly shut the
    door and halt access to a system. Enron IT staff, for example, wrote a
    piece of code designed to shut off the network access of laid-off
    employees upon termination, says Turich. But were administrators aware
    of all the permissions held by each and every severed IT employee?

    Companies need to prioritize the "three A's" in internal security:
    authentication, authorization and administration, says McClain.
    Otherwise, he noted, when companies lay off employees en masse,
    "you're going to get hacking, defacing of Web sites, posting of
    employee social security numbers—the electronic version of going

    Security experts say they aren't surprised by any of this. Enron's
    situation highlights the importance of securing not just a company's
    externally facing systems, such as its Web site and
    business-to-business hubs, but its internal systems, too. And there's
    not a moment to waste. "Enron (sounds like) a security basket case.
    They need to do things that give them security now. Not in six
    months," says Bruce Schneier, founder of Counterpane Internet
    Security, a managed security-service provider based in Virginia. "It's
    not the time for vulnerability studies, or policy development, or
    product deployment. It's time to post a guard, and quickly."

    Security, from the Inside Out

    * Create a centralized system for detecting and reporting unusual
      activity that could signal a security breach
    * Maintain backup systems that can be switched on if your main systems
      are compromised
    * Train all employees on how to prevent compromising of systems
    * Protect your facilities physically so intruders can't just walk in

    Source: Plural, IT professional services firm
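    Two of the points above lend themselves to a concrete illustration: the question of whether administrators know every permission a laid-off employee still holds across a hodgepodge of applications, and the sidebar's call for a centralized system that flags unusual activity. The script below is an added example written for this archive; it is not code from the article, from Enron, or from any vendor named in it. The HR roster, per-application access lists, application names and log lines are all constructed sample data, and the log format is an assumed syslog-like layout. It reconciles the access lists against the roster to list orphaned entitlements of terminated users, and scans authentication events for any account HR considers terminated, including failed attempts, since a failed login by a severed account is itself worth an alert.

```python
"""
Offboarding reconciliation and post-termination activity detection.

Added example, not code from the article or from Enron. All data is
constructed: the roster, the per-application access lists and the log
lines. Application names are only placeholders for the mixed environment
the article describes (mail, databases, a hosted T&E system, remote access).
"""
from collections import defaultdict
from datetime import date
import re

# Constructed HR roster: user -> (status, termination date or None).
HR_ROSTER = {
    "jdoe":   ("active", None),
    "asmith": ("terminated", date(2002, 1, 15)),
    "bkhan":  ("terminated", date(2002, 2, 1)),
    "ctran":  ("active", None),
}

# Constructed per-application access exports. The inconsistent naming
# (domain prefix, mixed case) is deliberate: it is what makes "who has
# access to what" hard to answer when each system keeps its own list.
ACCESS_LISTS = {
    "exchange":   ["jdoe", "asmith", "ctran"],
    "oracle_fin": ["ENRON\\asmith", "ctran"],
    "concur":     ["JDoe", "BKhan"],
    "vpn":        ["jdoe", "bkhan", "ctran"],
}

# Constructed authentication log lines in an assumed syslog-like format.
AUTH_LOG = """\
2002-02-03T08:12:45 vpn login user=bkhan src=10.0.0.7 result=success
2002-02-03T08:13:02 concur login user=JDoe src=10.0.1.9 result=success
2002-02-03T09:40:11 oracle_fin login user=ENRON\\asmith src=10.0.2.3 result=failure
2002-02-03T09:41:30 exchange login user=asmith src=10.0.2.3 result=success
""".splitlines()


def normalize(user: str) -> str:
    """Map 'DOMAIN\\User' or 'User' to the lowercase HR identifier."""
    return user.split("\\")[-1].lower()


def entitlements(access_lists: dict) -> dict:
    """Invert per-application lists into user -> set of applications."""
    by_user = defaultdict(set)
    for app, users in access_lists.items():
        for u in users:
            by_user[normalize(u)].add(app)
    return by_user


def orphaned_access(hr: dict, access_lists: dict) -> dict:
    """Terminated users who still hold access anywhere: user -> sorted apps.
    This is the list the offboarding job must clear, not just the
    network logon."""
    by_user = entitlements(access_lists)
    return {
        u: sorted(apps)
        for u, apps in by_user.items()
        if hr.get(u, ("unknown", None))[0] == "terminated"
    }


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) login user=(?P<user>\S+) .*result=(?P<result>\w+)$"
)


def post_termination_activity(hr: dict, log_lines: list) -> list:
    """Auth events on or after the termination date by accounts HR lists as
    terminated. Returns (timestamp, user, app, result) tuples; any hit,
    success or failure, is an alert for the central monitoring point."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines should be counted separately in practice
        user = normalize(m["user"])
        status, term_date = hr.get(user, ("unknown", None))
        if status == "terminated" and date.fromisoformat(m["ts"][:10]) >= term_date:
            hits.append((m["ts"], user, m["app"], m["result"]))
    return hits


if __name__ == "__main__":
    for user, apps in orphaned_access(HR_ROSTER, ACCESS_LISTS).items():
        print(f"orphaned access: {user} still in {', '.join(apps)}")
    for ts, user, app, result in post_termination_activity(HR_ROSTER, AUTH_LOG):
        print(f"ALERT {ts} terminated account {user} {result} login to {app}")
```

    The reconciliation step is the interesting one: a single "disable the network account" routine of the kind the article describes leaves the hosted and database-side entitlements untouched, and the inverted view is what tells an administrator which applications still need to be cleaned up. Feeding the same roster into the log scan turns the HR status into a detection rule rather than a one-time action.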
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Mon Mar 11 2002 - 04:33:31 PST