Enron: Security Woes, Too?

By Baselinemag  |  Posted 2002-03-08

Protecting a company from external computer hackers is not a job for the faint of heart. Even when the attacks are routine, it's tough, and it can be risky. Add a bunch of angry ex-employees and a slew of investigators who all want to get at your internal data and mess with it for their own varied reasons, and now you're sitting on a powder keg.

Just ask Enron.

In early January, a would-be hacker figured he'd shine his own light on the internal workings at the giant—and failing—global energy trading company by getting hold of its top executives' travel records. How best to find the details? Infiltrate the automated travel-and-entertainment software system used by Enron to keep track of executives' travel, according to Concur Technologies, which developed the system and has hosted it for Enron at several co-location sites across the country for the past two years.

The good news is that Concur detected the attempt to intrude on the Houston company's internal records within 60 seconds, according to Concur Chairman and CEO Steve Singh. The company thwarted the potential breach within three to four minutes. Enron's data was not compromised.

At least not this time. But the incident begs the question: Should Enron be doing more to prevent this kind of security risk, particularly as the company's image in the public eye darkens and the tales of its travails and questionable business deals angering former employees and investors drag on for weeks and months?

Although Enron executives declined to comment for this story, a former Enron information technology consultant says security at the energy-trading firm was lax. If, as computer security experts claim, Enron epitomizes the state of internal and external security at most Fortune 500-level companies, then it also offers lessons that others would do well to heed. What's key to those lessons?

Concur is just one of many tens or even hundreds of applications running at a global company such as Enron. Enron had thousands of desktop PCs and servers running operating systems including Microsoft's NT 4.0 and Windows 2000, Sun Microsystems' Solaris, other flavors of Unix, and the Linux free variant of Unix, say parties with knowledge of the company's systems.

On the application side, Enron also was a hodgepodge, using Microsoft Exchange Server as its primary mail system, Oracle and Microsoft SQL Server databases, and enterprise-application integration software from Tibco. Concur wasn't the only hosted application run by Enron. At some point, the company employed, among others, sales force automation software from Salesforce.com. Executives with Salesforce.com, like those at most of the vendors on Enron's IT list, declined to talk about one of their former favorite customers.

Passwords and Post-Its

On the network and systems management fronts, "everything was custom-built," says Charles Turich, a former IT contractor with Enron Net Works, a division of Enron that provided help desk, hardware, trader, remote and executive support for the entire company.

Security was fairly loose, says Turich, given the fact that Enron's primary business was trading millions of dollars worth of energy commodities in big chunks. Turich says he saw traders and other users in the EnronOnline trading division regularly running file-sharing applications—such as Napster, Gnutella clones, and Morpheus—that left open holes in the company's firewalls.

"It was commonplace for traders, general users, and executives to give their passwords out freely to help-desk, desktop-support and trader-support personnel. Because of the complicated password policies at Enron, many users hid a piece of paper under their keyboard or mouse pad with the user names and passwords to the different applications run throughout the course of the day," says Turich. "It was not uncommon to find them stuck to the monitor, either, with a Post-it Note."

Security fixes and patches were applied in an equally haphazard manner, Turich adds. During his tenure Enron was hit twice, extremely hard, by the Code Red and Nimda viruses, he says. Contractors and information technology employees spent many hours installing a new software configuration on hundreds of machines that could have been patched and protected by the timely application of a critical update beforehand, Turich says.

If a company is under immediate threat of both internal and external attack, the best way to minimize risk is simply to cut all wires to the outside world, says David Raikow, an independent security consultant in San Francisco. "It would be best to just clamp down on outside connections," he says.

This would involve taking down existing firewalls and replacing them with new, completely different ones; physically pulling the plug on all PC dial-up connections and wireless ports; changing all passwords and cleaning out authentication databases; and shutting down any unused machines, Raikow says. Once the dust has settled, the company should look at performing an audit with the help of a professional security-monitoring firm to search for places where internal or external hackers might have tried to lay traps or create back doors that would allow unauthorized access, Raikow adds.

Gartner Inc., the Connecticut-based research firm, estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses to a company. Yet a fundamental challenge for any company like Enron, with so many internal technology contractors and external trading partners, is discerning who has and who needs various levels of access to internal systems. Companies that are changing rapidly as a result of multiple mergers—or layoffs—particularly face this problem.

"How do you identify who an insider is, these days?" asks Mark McClain, president of Austin, Texas-based Waveset Technologies, an identity-management software and services vendor. "A non-employee can sit on site every day, and an employee can work at home and never come in. There are non-employees who might have higher access levels to data inside a company than do employees."

At the same time, companies often are not sure which employees have access to what. As a result, they are left unable to properly shut the door and halt access to a system. Enron IT staff, for example, wrote a piece of code designed to shut off the network access of laid-off employees upon termination, says Turich. But were administrators aware of all the permissions held by each and every severed IT employee?

Companies need to prioritize the "three A's" in internal security: authentication, authorization and administration, says McClain. Otherwise, he noted, when companies lay off employees en masse, "you're going to get hacking, defacing of Web sites, posting of employee social security numbers—the electronic version of going postal."

Security experts say they aren't surprised by any of this. Enron's situation highlights the importance of securing not just a company's externally facing systems, such as its Web site and business-to-business hubs, but its internal systems, too. And there's not a moment to waste. "Enron (sounds like) a security basket case. They need to do things that give them security now. Not in six months," says Bruce Schneier, founder of Counterpane Internet Security, a managed security-service provider based in Virginia. "It's not the time for vulnerability studies, or policy development, or product deployment. It's time to post a guard, and quickly."

Security, from the Inside Out

  1. Create a centralized system for detecting and reporting unusual activity that could signal a security breach
  2. Maintain backup systems that can be switched on if your main systems are compromised
  3. Train all employees on how to prevent compromising of systems
  4. Protect your facilities physically so intruders can't just walk in

Source: Plural, IT professional services firm