Lax SecurityBy Baselinemag | Posted 2002-03-08 Email Print
Potential breaches at the troubled energy trader show that security pitfalls are often dug from within.
Passwords and Post-Its
On the network and systems management fronts, "everything was custom-built," says Charles Turich, a former IT contractor with Enron Net Works, a division of Enron that provided help desk, hardware, trader, remote and executive support for the entire company.
Security was fairly loose, says Turich, given the fact that Enron's primary business was trading millions of dollars worth of energy commodities in big chunks. Turich says he saw traders and other users in the EnronOnline trading division regularly running file-sharing applicationssuch as Napster, Gnutella clones, and Morpheusthat left open holes in the company's firewalls.
"It was commonplace for traders, general users, and executives to give their passwords out freely to help-desk, desktop-support and trader-support personnel. Because of the complicated password policies at Enron, many users hid a piece of paper under their keyboard or mouse pad with the user names and passwords to the different applications run throughout the course of the day," says Turich. "It was not uncommon to find them stuck to the monitor, either, with a Post-it Note."
Security fixes and patches were applied in an equally haphazard manner, Turich adds. During his tenure Enron was hit twice, extremely hard, by the Code Red and Nimda viruses, he says. Contractors and information technology employees spent many hours installing a new software configuration on hundreds of machines that could have been patched and protected by the timely application of a critical update beforehand, Turich says.
If a company is under immediate threat of both internal and external attack, the best way to minimize risk is simply to cut all wires to the outside world, says David Raikow, an independent security consultant in San Francisco. "It would be best to just clamp down on outside connections," he says.
This would involve taking down existing firewalls and replacing them with new, completely different ones; physically pulling the plug on all PC dial-up connections and wireless ports; changing all passwords and cleaning out authentication databases; and shutting down any unused machines, Raikow says. Once the dust has settled, the company should look at performing an audit with the help of a professional security-monitoring firm to search for places where internal or external hackers might have tried to lay traps or create back doors that would allow unauthorized access, Raikow adds.
Gartner Inc., the Connecticut-based research firm, estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses to a company. Yet a fundamental challenge for any company like Enron, with so many internal technology contractors and external trading partners, is discerning who has and who needs various levels of access to internal systems. Companies that are changing rapidly as a result of multiple mergersor layoffsparticularly face this problem.
"How do you identify who an insider is, these days?" asks Mark McClain, president of Austin, Texas-based Waveset Technologies, an identity-management software and services vendor. "A non-employee can sit on site every day, and an employee can work at home and never come in. There are non-employees who might have higher access levels to data inside a company than do employees."
At the same time, companies often are not sure which employees have access to what. As a result, they are left unable to properly shut the door and halt access to a system. Enron IT staff, for example, wrote a piece of code designed to shut off the network access of laid-off employees upon termination, says Turich. But were administrators aware of all the permissions held by each and every severed IT employee?
Companies need to prioritize the "three A's" in internal security: authentication, authorization and administration, says McClain. Otherwise, he noted, when companies lay off employees en masse, "you're going to get hacking, defacing of Web sites, posting of employee social security numbersthe electronic version of going postal."
Security experts say they aren't surprised by any of this. Enron's situation highlights the importance of securing not just a company's externally facing systems, such as its Web site and business-to-business hubs, but its internal systems, too. And there's not a moment to waste. "Enron (sounds like) a security basket case. They need to do things that give them security now. Not in six months," says Bruce Schneier, founder of Counterpane Internet Security, a managed security-service provider based in Virginia. "It's not the time for vulnerability studies, or policy development, or product deployment. It's time to post a guard, and quickly."