Shielding the Net

By David F. Carr

Judging the threats posed to computer security, and how to combat them, has never been more complicated. What are the big threats, and what do you have to do to be prepared in 2006?

2 - Unauthorized Network Access

Another protective strategy that's becoming increasingly important is known as network access control—protecting the network from the computers that connect to it, even (or maybe especially) if they are connecting from inside the firewall.

Here the idea is to check the integrity of each computer, particularly in terms of whether it has been cleansed of viruses and patched for known vulnerabilities. For example, a salesman who returns from months of travel bearing a laptop that is missing critical security updates and infected with a nasty virus might be "quarantined" from the rest of the network: allowed to access only a minimal subset of network services, such as the security update servers required to repair the laptop, and prevented from contaminating other computers.

Corporate network managers increasingly worry about remote access from home computers or library and airport Internet access terminals. Applications such as Web-based access to corporate e-mail may be "secure" in the sense of using HTTPS, the secure version of the Web's Hypertext Transfer Protocol (HTTP). But just because the network transmission of data is encrypted doesn't mean that the computer being used for Web access is secured against spyware or keyboard-logging software designed to steal passwords and other confidential information. So, you may need to employ additional security mechanisms, such as requiring the user to download a Java applet or other software that can be activated on the fly to protect against hackers capturing passwords or stealing other information.

The presence on the corporate network of non-company-owned computers and other devices, such as cell phones with data networking capabilities, is only expected to increase, according to Gartner, so network managers are going to have to learn to cope with it.

3 - Poor Identity Management

Organizations of all sorts need to put more effort into improving the quality of the identity data they maintain on users of their systems, according to information security consultant John Dubiel. ChoicePoint's data breach dramatized this problem because the company essentially allowed identity thieves to come in through the front door, establishing themselves as customers of its database services. "They should never have gotten access for who they were," Dubiel says.

Many organizations suffer from more subtle breakdowns in user identity management, such as assigning new system access rights to users who change jobs but forgetting to drop their access to systems related to their old jobs. For example, Dubiel recalls having an airline employee who worked in the operations department show off how he could still access the systems for reservations, where he used to work, and offer to get Dubiel a better seat on his flight home. Narrowing access rights to only the systems that users need to do their jobs is not necessarily a steep technological challenge but requires better coordination between human resources and information security, he says.
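The coordination between human resources and information security described above can be expressed as a periodic access review. The following is an added example, not part of the original article; the role map, HR feed, account names and system names are all constructed for illustration.

```python
# Constructed sample data: which systems each job role actually needs.
ROLE_SYSTEMS = {
    "operations": {"flight-ops", "email"},
    "reservations": {"reservations", "email"},
}

# Constructed HR feed: each active employee's current job role.
HR_ROLES = {"jsmith": "operations", "mlee": "reservations"}

# Constructed export of (user, system) access grants from the systems themselves.
GRANTS = [
    ("jsmith", "flight-ops"), ("jsmith", "email"),
    ("jsmith", "reservations"),           # left over from a previous job
    ("mlee", "reservations"), ("mlee", "email"),
    ("tformer", "email"),                 # account with no active HR record
]


def review_access(hr_roles, role_systems, grants):
    """Return grants that the user's current HR role does not justify."""
    findings = []
    for user, system in grants:
        role = hr_roles.get(user)
        if role is None:
            # Nobody in HR's active list owns this account.
            findings.append((user, system, "no HR record"))
        elif system not in role_systems.get(role, set()):
            # Access survived a job change or was never needed.
            findings.append((user, system, "not needed for role " + role))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, reason in review_access(HR_ROLES, ROLE_SYSTEMS, GRANTS):
        print(f"revoke {user} -> {system}: {reason}")
```
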

4 - Exploitable Code

Web applications that connect to a database can easily contain flaws that, for example, allow hackers to inject their own database programming code into a transaction. The result: A Web form meant to allow customers to look up their own purchase records can be hijacked to access other customers' records—or even to delete or alter records.
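The purchase-record lookup described above, shown with the flawed query construction beside a parameterized one. This is an added example, not part of the original article; the table, column names and sample rows are constructed, and it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed purchase records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchases (customer_id TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO purchases VALUES (?, ?)",
        [("alice", "laptop"), ("alice", "mouse"),
         ("bob", "router"), ("o'brien", "keyboard")],
    )
    return db


def lookup_vulnerable(db, customer_id):
    # Flawed: form input is pasted into the SQL text, so a quote character in
    # the input changes the structure of the query itself.
    sql = ("SELECT customer_id, item FROM purchases "
           "WHERE customer_id = '%s'" % customer_id)
    return db.execute(sql).fetchall()


def lookup_safe(db, customer_id):
    # Hardened: the input is bound as a parameter and is only compared as data.
    sql = "SELECT customer_id, item FROM purchases WHERE customer_id = ?"
    return db.execute(sql, (customer_id,)).fetchall()


# Constructed form input containing a quote and an always-true condition.
CRAFTED = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED))  # every customer's rows
    print("safe:      ", lookup_safe(db, CRAFTED))        # no rows match
    print("safe:      ", lookup_safe(db, "o'brien"))      # legitimate quote works
```

The same flaw also breaks legitimate input: a customer ID containing an apostrophe makes the concatenated query fail with a syntax error, while the parameterized query handles it.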

One way for companies to reduce their overall risk is to make sure any programmers they employ, particularly if they develop software that will be exposed to customers or partners over the Internet, get training in how to write secure software, Israel says.

Security flaws in vendor-produced software tend to attract more publicity, particularly when the vendor is Microsoft and the software is widely distributed. "But the exact same flaws exist internally, in homegrown applications—probably worse ones, because there's less scrutiny," Israel explains.

Security officers should be pushing both internal and external developers to reduce the number of flaws in software to be deployed on the corporate network by at least 50%, Gartner recommends.

"If we could get them to remove just the stupid bad programming tricks, we could reduce configuration management cost by 75%," Pescatore says. The classic example of a programming flaw with consequences for security is a "buffer overflow" error, which allows a program to write beyond the area of memory it rightfully occupies. Attackers can exploit this flaw to take control of the computer on which the vulnerable program is running. Programmers create a vulnerability of this sort when they allow users to enter data without making the software check for illegal input.

Just as manufacturers can improve the quality of their products and control costs by requiring higher quality from their suppliers, information managers can put pressure on their software vendors to deliver more secure code, and on their Internet vendors to deliver "clean bits" with spam and known attack code removed, the analysts say.

This article was originally published on 2005-12-13

David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina. David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping. David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.