http://www.southcoasttoday.com/daily/03-05/03-15-05/l02ca072.htm

By JERRI STROUD
St. Louis Post-Dispatch
March 15, 2005

ST. LOUIS -- Ted Flom prepares for a security audit by trying to hack into a client's network. Often, it's surprisingly easy.

One Web site tipped Flom to the location of the company's servers. He and his team were able to sign onto one of those servers using a generic user ID and password. Within a half-hour, they had access to virtually everything on the company's network.

The client's executives "were shocked," said Flom, a principal with Brown Smith Wallace LLC, an accounting and business-consulting firm in Creve Coeur, Mo. "It ended up being a server that they don't normally use. Someone just forgot to take it off their network."

Flom works in corporate information security, a hot topic now as government regulations and a litigious public push companies to prove their networks are secure. Even smaller companies could be asked to comply if they work for governments or for larger companies in fields ranging from health care to banking.

Some consultants say the new emphasis on information security stems from the Sarbanes-Oxley Act, passed in the wake of the accounting scandals at Enron Corp. and WorldCom Inc. In addition, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act put the security onus on health-care and banking companies.

But Sarbanes-Oxley doesn't actually mandate information security, said Ira Solomon, head of the accounting program at the University of Illinois at Urbana-Champaign. It does require managers to attest that they have adequate controls on the systems involved in financial reporting, but it doesn't specify what kinds of controls.

Still, Solomon said, companies are being held to a greater level of accountability for privacy and data integrity. "Companies are collecting more and more data, so there's more and more at risk," he said.
Because of that risk, accounting firms, computer consultants and major network providers, such as Savvis Communications Corp. and SBC Communications Inc., are offering security-audit services and advising clients on ways to prevent attacks from outside -- and inside -- a company.

Many companies think they've protected themselves from hackers by installing a firewall or a piece of equipment with built-in security features, said William Hancock, security chief for Savvis. But they aren't secure if the company hasn't changed the factory-installed passwords, which usually are well known to hackers.

Hancock said companies need layers of security: additional hurdles behind the firewall that slow down attempts to penetrate the network. These can include access-control lists on routers, additional firewalls on servers, intrusion-detection systems, stronger user-authentication systems and access-filtering technology.

"By using a layered defense, the chances of an intruder getting all the way to an asset, undetected and undeterred, go way down as more layers are added," Hancock said.

Equipment and computer ports that aren't needed should be turned off, and software patches should be kept up to date. Most successful attacks exploit known flaws for which a patch was available but never installed.

Hacking, viruses, spam and denial-of-service attacks are on the rise as more computers, cell phones and other devices are connected to the Internet, Hancock said. Still, attacks from the inside cause more damage than those from outside a company.

"Amateurs hack systems; professionals hack people," said Dustin Dykes, a senior consultant at Callisma, a network-design firm owned by SBC.

"I spend a half-hour on the phone, and I most likely have all the passwords I need," Dykes said. "Companies tend to test the technical systems but not the people and the processes."
The most likely perpetrators of attacks are disgruntled employees or recently fired ones who know how a company's computers are set up, said Josh Crowe, vice president in the St. Louis office of Calence Inc., a network-consulting firm based in Phoenix.

Companies must confiscate identification or access cards and deactivate passwords and e-mail accounts as soon as an employee leaves the company, Crowe said. Active employees should have access only to the information and systems they need to do their jobs. Vendors and consultants should be granted access only after their computers have been scanned for viruses -- and their access should be limited to the task at hand.

Even good employees can leave the company open to security breaches if they give passwords to outsiders, use unsecured home or public networks, or respond to "phishing" e-mails purportedly from banks, credit-card companies or other organizations. Employees should be suspicious of any e-mail asking them to update records, especially if they don't recognize the person or company requesting the update.

Smart companies work out deals that give their employees access to antivirus software for laptops and home computers, Hancock said. He also recommends anti-spyware and anti-adware tools and personal firewalls, many of them available free on the Internet.

Keith Fear, infrastructure director for Oakwood Systems Group Inc., said he's been able to walk into a major company in St. Louis, sit down at a computer and start exploring its network without being challenged by a receptionist or other employees.

Oakwood, a computer-consulting firm in west St. Louis County, checks for breaches of physical security as well as technical security when it conducts security audits, Fear said. Some companies still use ordinary locks on rooms housing their servers and other sensitive equipment, for example. Few have video cameras watching critical computer operations. Even high-tech systems can be compromised, Fear said.
The first thing companies need to do is determine which assets and intellectual property are most critical, Fear said. Then they need to look at the risk of those assets being compromised and find out how to reduce it. A security audit should look at external and internal vulnerabilities, the risk of penetration, and also at policies and procedures. Audits should be redone -- or at least reviewed -- every six months.

Companies also need to look at security flaws that occur because of the way applications and systems are designed, said Ray Seefeldt, director of technology risk management in the St. Louis office of Jefferson Wells, an auditing and consulting firm based in Milwaukee. A company might have 12 different groups of people who work on 12 functions, but their system is designed for just eight groups or functions. "People can't do what they need to do, and they will blame it on security," Seefeldt said.

"A lot of security issues are caused not by the security tools," he said, "but because security is an afterthought, and the designers didn't get it right in the first place."

Tips for safeguarding company information:

1. Keep software up to date and security patches installed, as appropriate.

2. Use anti-virus software on all computers -- desktops, laptops, employees' home computers and those of any vendors who connect to the company network.

3. Install firewalls, and change default passwords and other factory security settings on every device.

4. Give employees access only to the data they need to do their jobs. Use access-control lists and passwords that aren't easy to guess. Long passwords that mix letters, numbers and symbols are harder to guess or crack.

5. Develop consistent, practical policies on the use of data, the Internet and e-mail -- and enforce the policies.

6. Educate employees, including executives, on the importance of security and how to work securely. Remind them of the dangers of providing information to outsiders, especially those posing as insiders.

7. Check physical security to make sure unauthorized persons can't get in to tamper with your network.

8. Turn off unused computer ports and peripherals. Make sure older equipment has the same protection as newer devices.

9. Map critical assets and understand where they are at risk. Develop plans to address their vulnerabilities.

10. Assess security on a regular basis, automate it where possible, and review changes made since the last assessment.
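Tips 8, 9 and 10, together with Hancock's earlier point about turning off unneeded equipment and ports, amount to one recurring comparison: what is actually listening on the network versus an approved inventory that names an owner for every host. The script below, added here as an illustration and not taken from the article or from any of the firms it quotes, performs that comparison on a constructed baseline and a constructed scan. It reports listeners that appeared since the baseline, approved listeners that disappeared, and hosts nobody owns, which is how a forgotten, unused server like the one Flom logged into would surface. Every host name, port, service and owner in it is made up.

```python
"""Drift check between an approved service baseline and a fresh scan.

Added example, not code from the article. The hosts, ports, owners and
scan records below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    """One listening service on one host."""
    host: str
    proto: str
    port: int
    service: str


# Constructed baseline: every listener that is supposed to exist, plus the
# team that owns the host. Lines starting with '#' are comments.
BASELINE_TEXT = """\
# host   proto port service  owner
web1     tcp   443  https    webteam
web1     tcp   22   ssh      ops
db1      tcp   5432 postgres dbteam
db1      tcp   22   ssh      ops
"""

# Constructed scan of what is actually listening at the next assessment.
# 'web1' has grown an ftp listener, db1's ssh is gone, and 'legacy3' is a
# host that appears in no inventory and has no owner.
SCAN_TEXT = """\
web1     tcp   443  https
web1     tcp   22   ssh
web1     tcp   21   ftp
db1      tcp   5432 postgres
legacy3  tcp   23   telnet
legacy3  tcp   22   ssh
"""


def _records(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def parse_baseline(text):
    """Return (set of approved Listeners, {host: owner}) from baseline text."""
    approved, owners = set(), {}
    for host, proto, port, service, owner in _records(text):
        approved.add(Listener(host, proto, int(port), service))
        owners[host] = owner
    return approved, owners


def parse_scan(text):
    """Return the set of Listeners observed in scan text."""
    return {Listener(h, p, int(port), s) for h, p, port, s in _records(text)}


def drift_report(baseline_text, scan_text):
    """Compare a scan against the baseline.

    Returns a dict with three lists:
      new     - listeners that appeared since the baseline (approve or turn off)
      missing - approved listeners that are gone (outage or silent removal)
      unowned - hosts seen in the scan that have no owner in the baseline
    """
    approved, owners = parse_baseline(baseline_text)
    seen = parse_scan(scan_text)
    by_host_port = lambda l: (l.host, l.port)
    return {
        "new": sorted(seen - approved, key=by_host_port),
        "missing": sorted(approved - seen, key=by_host_port),
        "unowned": sorted({l.host for l in seen} - set(owners)),
    }


def main():
    report = drift_report(BASELINE_TEXT, SCAN_TEXT)
    for kind, items in report.items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")


if __name__ == "__main__":
    main()
```

In practice the scan text would come from a port scanner or from `ss -lntup` run on each host, and the baseline from the asset map of tip 9. Each "new" entry is either approved and added to the baseline or shut off, and each "missing" entry is explained; that is the "review changes made since the last assessment" step of tip 10, and the "unowned" list is the cheapest way to catch the server someone forgot to take off the network.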
This archive was generated by hypermail 2.1.3 : Wed Mar 16 2005 - 03:47:22 PST