Shielding the NetBy David F. Carr | Posted 2005-12-13 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Judging the threats posed to computer security, and how to combat them, has never been more complicated. What are the big threats, and what do you have to do to be prepared in 2006.
2 - Unauthorized Network Access
Another protective strategy that's becoming increasingly important is known as network access controlprotecting the network from the computers that connect to it, even (or maybe especially) if they are connecting from inside the firewall.
Here the idea is to check the integrity of each computer, particularly in terms of whether it has been cleansed of viruses and patched for known vulnerabilities. For example, a salesman who returns from months of travel bearing a laptop that is missing critical security updates and infected with a nasty virus, might be "quarantined" from the rest of the networkallowed to access only a minimal subset of network services, such as security update servers required to repair the laptop, and prevented from contaminating other computers.
Corporate network managers increasingly worry about remote access from home computers or library and airport Internet access terminals. Applications such as Web-based access to corporate e-mail may be "secure" in the sense of using HTTPS, the secure version of the Web's HyperText Transport Protocol (HTTP). But just because the network transmission of data is encrypted doesn't mean that the computer being used for Web access is secured against spyware or keyboard-logging software designed to steal passwords and other confidential information. So, you may need to employ additional security mechanisms, such as requiring the user to download a Java applet or other software that can be activated on the fly to protect against hackers capturing passwords or stealing other information.
The presence on the corporate network of non-company-owned computers and other devices, such as cell phones with data networking capabilities, is only expected to increase, according to Gartner, so network managers are going to have to learn to cope with it.
3 - Poor Identity Management
Organizations of all sorts need to put more effort into improving the quality of the identity data they maintain on users of their systems, according to information security consultant John Dubiel. ChoicePoint's data breach dramatized this problem because the company essentially allowed identity thieves to come in through the front door, establishing themselves as customers of its database services. "They should never have gotten access for who they were," Dubiel says.
Many organizations suffer from more subtle breakdowns in user identity management, such as assigning new system access rights to users who change jobs but forgetting to drop their access to systems related to their old jobs. For example, Dubiel recalls having an airline employee who worked in the operations department show off how he could still access the systems for reservations, where he used to work, and offer to get Dubiel a better seat on his flight home. Narrowing access rights to only the systems that users need to do their jobs is not necessarily a steep technological challenge but requires better coordination between human resources and information security, he says.
4 - Exploitable Code
Web applications that connect to a database can easily contain flaws that, for example, allow hackers to inject their own database programming code into a transaction. The result: A Web form meant to allow customers to look up their own purchase records can be hijacked to access other customers' recordsor even to delete or alter records.
One way for companies to reduce their overall risk is to make sure any programmers they employ, particularly if they develop software that will be exposed to customers or partners over the Internet, get training in how to write secure software, Israel says.
Security flaws in vendor-produced software tend to attract more publicity, particularly when the vendor is Microsoft and the software is widely distributed. "But the exact same flaws exist internally, in homegrown applicationsprobably worse ones, because there's less scrutiny," Israel explains.
Security officers should be pushing both internal and external developers to reduce the number of flaws in software to be deployed on the corporate network by at least 50%, Gartner recommends.
"If we could get them to remove just the stupid bad programming tricks, we could reduce configuration management cost by 75%," Pescatore says. The classic example of a programming flaw with consequences for security is a "buffer overflow" error, which allows one program to overwrite the area of memory it rightfully occupies. Attackers can exploit this flaw to take control of the computer on which the vulnerable program is running. Programmers create a vulnerability of this sort when they allow users to enter data without making the software check for illegal input.
Just as manufacturers can improve the quality of their products and control costs by requiring higher quality from their suppliers, information managers can put pressure on their software vendors to deliver more secure code, and on their Internet vendors to deliver "clean bits" with spam and known attack code removed, the analysts say.