With the emergence of the Internet as a primary communications medium, it was inevitable that this resource would be exploited for a variety of reasons. Technologies are rushed to market without sound vulnerability testing in the hope of capturing "market share"... those same vulnerabilities raise the probability that proprietary data is exposed to those who wish to compromise it, that networks are open to those who would use them without authorization, and that a myriad of malicious entities are working feverishly day and night to keep it that way.
While Internet-based attacks are not new, the recent denial-of-service attacks on e-commerce sites provide a "wake-up" call that needs no explanation. The strength of the Internet in reaching millions of people worldwide is also its weakness. Just last week, unidentified attackers demonstrated the fragility of the system, and quite possibly of our digital infrastructure, by crashing major sites. The message therefore is simple: it's time to be enlightened... there is no such thing as true computer and information security.
Key corporate and government information weaknesses have also been the topic of explosive news stories demonstrating that computer-based proprietary information is vulnerable to loss and theft. Even our most guarded atomic secrets may have been compromised.
In the case of the e-commerce attacks, is this the work of some individual super hacker or a group? Public law enforcement has no comment for now as it feverishly chases down clues. The frightening fact that has experts concerned is that such attacks are not rocket science: they are a simple matter of using readily downloadable software programs designed to ambush any online site on the Internet; simply point and click and the user can transmit a tidal wave of data aimed at a particular site, which will cause it to crash. If the novice isn't familiar with the basic concept, excellent tutorials are readily available... Using other basic techniques it's even possible to hide the identity of the attacker...
According to CNN, last week's anonymous web site attacks caused Yahoo, which receives 8.74 million visitors a day, to crash for 5 hours. eBay, which receives 1.68 million visitors a day, also crashed for 5 hours. Other targets included ZDNet (734,000 visitors a day), down for 3.75 hours; Buy.com (122,000 visitors a day), down for 6 hours; Amazon (892,000 visitors a day), down for 3.75 hours; and E*Trade (183,000 visitors a day), down for 2.75 hours. According to the "Yankee Group", an Internet market research firm, these attacks could cost the victims $1.2 billion in revenues.
The vandals used a desktop computer at the University of California, Santa Barbara, and an Internet router (a device that can amplify data traffic) from Stanford University. Officials at both schools acknowledged the intrusion. There was no indication that anyone at either university was directly involved, only that the equipment was used. Experts believe dozens of computers nationwide were hacked and had electronic attack software secretly installed. These distributed attacks open the possibility of civil liability for the universities involved. Not a pretty picture. The current investigation has also led to an individual in Germany who created the program used to launch the attack.
While some may believe the main threat comes from outside an organization, it is my belief that the most serious vulnerabilities come from within. Recent news clips should only heighten security awareness as to the most overlooked vulnerabilities:
Former CIA Director John Deutch was found to have over 17,000 pages of classified documents on his home computer. Among the documents were top secret files, and some classified even higher, with code names that are themselves classified. What were those documents doing there? The documents contained data on covert operations and even diaries of Deutch's personal daily activities. Apparently, this information was not cleared to be "off-site" (off CIA premises).
While Deutch's conduct should be seriously questioned, who among us does not bring work home? It is a fact of life that the computer has replaced the typewriter and the file cabinet. It is no longer necessary for a spy to physically enter the premises at night, photograph confidential documents with a Minox camera and slip off into the night with a company's most guarded secrets.
The Internet has created a pipeline into the offices of almost every government agency and company in the world. It has also created a means of stealing secrets. While governments and corporations generally maintain security teams to probe and oversee vulnerable networks, guard against the latest viruses and implement the latest intrusion detection software, how many of them have control over the weakest link: the employee who brings work home, or the telecommuter?
Current estimates put the number of corporate telecommuters at around 20 million in the USA alone. That's a lot of juicy targets out there for corporate spies. How many home PCs are as secure as your corporate network? Not too many, I'll bet. Think about your proprietary information sitting on an employee's home computer: Who has access? A spouse? A teenager? It wouldn't be too hard to do a little due diligence on the target's family. An anonymous corporate spy could send your employee, or any family member with access to that computer, an innocent-looking e-mail or the promise of a free version of any popular commercial software program. Suppose that communication contained a secret Trojan horse program that created a backdoor into the target's computer? You've just opened up your proprietary information, and access to your network, to the eavesdropper.
The "electronic bugging device" of the 21st century doesn't use batteries or have an antenna; you don't have to go back to change the tapes; you just point and click. A cursory inspection of hacker/cracker sites reveals that many of these digital spy tools are readily available for download from hundreds of Internet web sites. More sophisticated software is available to government agencies that allows remote worldwide monitoring of target PCs and will even crack encrypted messages and files without ever entering the target premises.
The ongoing saga of former Los Alamos scientist Wen Ho Lee is also quite disturbing. The government alleges that Lee downloaded classified atomic secrets from a classified computer at Los Alamos National Laboratory to his unclassified office computer. The government also alleges that Lee leaked these documents by e-mail to someone in the People's Republic of China. If the allegations are true, and as of this writing they are only allegations, how did Lee have access to these documents? How was he able to download and/or copy these documents without a system administrator's knowledge? Who is in charge of Los Alamos computer security? Were they asleep at the wheel? The technology exists to protect stored electronic documents and notify security personnel of intrusions. Why wasn't it used?
How about the Toronto man who found a Canadian Security Intelligence Service computer diskette in a telephone booth? He claims the disk detailed, in plain English, the names of confidential informants and contacts, information about the service's targets and covert operations in Canada, and details about espionage training exercises. As if that weren't bad enough, how about one of CSIS's (Canada's answer to the NSA) senior officers taking top-secret documents on holiday and leaving them on a laptop in the trunk of her car while she is at a hockey game? The laptop was stolen... and she waited several days after returning from vacation before reporting that the laptop containing the sensitive intelligence documents was missing. The technology exists to track and locate lost and stolen laptops: Why wasn't it used? The technology exists to identify and locate unauthorized access to electronic documents: Why wasn't it used?
The laptop of the Mossad's deputy chief, General Amiram Levin, was stolen from his home recently and a local drug abuser tried to exchange it for drugs. The computer contained data regarding troop movements, maps with distinct markings and other top-secret documents. Apparently nothing was encrypted: Why wasn't classified information encrypted? Why wasn't tracking software used? Why weren't the classified documents protected with unauthorized-access control software?
The theft late last year of a laptop from Visa International, Inc.'s San Mateo, California office illustrated how lax some firms can be in protecting laptop data. The laptop contained 314,000 credit-card numbers, including those of Visa, MasterCard and American Express. Most of the card issuers were given replacement numbers, but industry analysts wondered why the office didn't have policies against keeping such sensitive information on laptops.
Why was it there in the first place? Why wasn't it encrypted? Was laptop tracking software in place?
Highlights of the "1999 Computer Crime and Security Survey" include the following: "Corporations, financial institutions and government agencies face threats from outside as well as inside. System penetration by outsiders increased for the third year in a row; 30% of respondents report intrusions. Those reporting their Internet connection as a frequent point of attack rose for the third straight year; from 37% of respondents in 1996 to 57% in 1999. Meanwhile, unauthorized access by insiders also rose for the third straight year; 55% of respondents reported incidents. Other types of cyber attack also rose. For example, 26% of respondents reported theft of proprietary information. Perhaps the most striking result of the 1999 CSI/FBI survey is the dramatic increase in the number of respondents reporting serious incidents to law enforcement: 32% of respondents did so, a significant increase over the three prior years, in which only 17% had reported such events to the authorities. For the third straight year, financial losses due to computer security breaches mounted to over $100,000,000. Although 51% of respondents acknowledge suffering financial losses from such security breaches, only 31% were able to quantify their losses. The total financial losses for the 163 organizations that could put a dollar figure on them add up to $123,779,000. The most serious financial losses occurred through theft of proprietary information (23 respondents reported a total of $42,496,000) and financial fraud (27 respondents reported a total of $39,706,000)".
In order to prevent cyber attacks and protect information security, systems administrators and security personnel need a high-level understanding of the methods attackers use to penetrate computers and compromise proprietary data. You cannot effectively fight a war without some knowledge of the weapons of your enemy. By researching the tricks used by unauthorized intruders to gain access, we hope to educate the public on how to stop them.
The Internet contains vast resources that enable intruders to penetrate computer networks. You can find detailed software vulnerability information publicly discussed on newsgroups. A search of the Usenet archives at Deja.com will produce literally hundreds of documents. Attack tutorials are also available that describe how to write automated programs that penetrate computers by taking advantage of these vulnerabilities. Thousands of automated software attack/hack/crack tools have been written and are available that enable anyone to launch computer attacks. These tools are no longer found only on obscure pirate bulletin boards but rather on publicly available commercial Web sites whose sole purpose is to serve up this information to anyone.
These computer attack/hack/crack programs are freely available to anyone on the Internet. Besides being readily available, these attack programs are becoming easier to use. Until recently, Unix was needed to run an attack and one had to know how to compile source code. Today, attacks with user-friendly graphical user interfaces (GUIs) can be run on Windows boxes by script kiddies. Attack scripts are easy to use and dangerous. It is vital that systems administrators understand the danger these attacks pose and how to protect their networks against them.
Classifying Computer Attacks
When we say "computer attack," we're referring to the programs run by people to gain unauthorized control over a target computer. These attacks take a variety of forms but generally fall in the following categories:
- Remote Penetration: Programs used on the Internet (or a network) to gain unauthorized control of a computer
- Remote Denial of Service: Programs that are used on the Internet (or a network) to shut down another computer or a service provided by a target computer
- Local Denial of Service: Programs that shut down the computer on which they are run
- Local Penetration: Programs that gain unauthorized access to the computer on which they are run
- Vulnerability Scanners: Programs that search the Internet looking for computers vulnerable to a particular type of attack
- Network Scanners: Programs that map a network to ascertain which computers and services are available to be exploited
- Password Crackers: Programs that discover passwords in encrypted password files. Computers and password cracking software can now guess passwords so quickly that many seemingly complex passwords can be exposed.
- Sniffers: Programs that listen to and read network traffic. Occasionally these programs have features that automatically extract usernames, passwords, or credit card information.
Popular Internet Attacks
The most popular attacks found were Sendmail, ICQ, Smurf, Teardrop, IMAP, Back Orifice, Netbus, WinNuke, and Nmap.
Descriptions are given below. Security personnel should become familiar with the nomenclature of these attacks.
- Sendmail: Sendmail is a very old program that has had numerous vulnerabilities throughout its history. Sendmail is proof that complex software is rarely completely patched, because developers constantly add new features that introduce new vulnerabilities. Recent attacks against Sendmail fell into the categories of remote penetration, local penetration, and remote denial of service. Numerous vulnerabilities and patches can be found at CERT.
- ICQ: ICQ is a sophisticated chat program that stands for "I-Seek-You." It is currently owned by America Online and used by over 26 million users. In the past year, several ICQ attacks were developed that allowed one to impersonate other people and decrypt "encrypted" traffic. An attacker uses this attack by going to a chat room and finding two people that are friends. The attacker pretends to be someone's friend and sends them a Trojan horse (malicious code embedded into a legitimate program) via ICQ.
- Smurf: The two main components to the smurf denial-of-service attack are the use of forged ICMP echo request packets and the direction of packets to IP broadcast addresses.
The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a machine. If a machine receives that packet, that machine will return an ICMP echo reply packet. A common implementation of this process is the "ping" command, which is included with many operating systems and network software packages. ICMP is used to convey status and error information including notification of network congestion and of other network transport problems. ICMP can also be a valuable tool in diagnosing host or network problems.
On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic).
IP broadcast addresses are usually network addresses with the host portion of the address having all one bits. For example, the IP broadcast address for the network 10.0.0.0 is 10.255.255.255. If you have subnetted your class A network into 256 subnets, the IP broadcast address for the 10.50 subnet would be 10.50.255.255. Network addresses with all zeros in the host portion, such as 10.50.0.0, can also produce a broadcast response.
In the "smurf" attack, attackers are using ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim).
The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.
When the attackers create these packets, they do not use the IP address of their own machine as the source address. Instead, they create forged packets that contain the spoofed source address of the attacker's intended victim. The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable. Even though we have not labeled the intermediary as a "victim," the intermediary can be victimized by suffering the same types of problem that the "victim" does in these attacks.
Attackers have developed automated tools that enable them to send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then subsequently be used as intermediaries in attacks.
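The two sides of the smurf attack described above can each be checked from their own vantage point: the intermediary's border router should never pass an echo request addressed to one of its directed broadcast addresses, and the victim sees a burst of echo replies from many hosts of one subnet that it never pinged. The following is an added example, not code from the original article; the ICMP records are constructed (the addresses are documentation ranges), and the record layout and thresholds are assumptions for the illustration. The broadcast-address helper reproduces the 10.0.0.0 and 10.50 examples from the text.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed records, not real captures: (seconds, src_ip, dst_ip, icmp_type).
# What the intermediary's border router sees:
INTERMEDIARY_VIEW = [
    (0.00, "192.0.2.7", "198.51.100.255", ECHO_REQUEST),   # echo request aimed at our broadcast address
    (0.50, "203.0.113.5", "198.51.100.20", ECHO_REQUEST),  # ordinary ping to a single host
    (0.52, "198.51.100.20", "203.0.113.5", ECHO_REPLY),
]
# What the victim 192.0.2.7 sees: replies from a whole subnet it never pinged.
VICTIM_VIEW = [
    (10.00, "198.51.100.10", "192.0.2.7", ECHO_REPLY),
    (10.01, "198.51.100.11", "192.0.2.7", ECHO_REPLY),
    (10.01, "198.51.100.12", "192.0.2.7", ECHO_REPLY),
    (10.02, "198.51.100.13", "192.0.2.7", ECHO_REPLY),
    (12.00, "192.0.2.7", "203.0.113.9", ECHO_REQUEST),     # a legitimate ping by the victim host
    (12.03, "203.0.113.9", "192.0.2.7", ECHO_REPLY),       # and its single reply
]


def broadcast_address(network: str) -> str:
    """Directed broadcast address of a network given in CIDR notation."""
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


def is_directed_broadcast(dst: str, local_networks) -> bool:
    """True if dst is the all-ones broadcast or the all-zeros network address of one of our subnets."""
    ip = ipaddress.ip_address(dst)
    for n in local_networks:
        net = ipaddress.ip_network(n, strict=False)
        if ip in (net.broadcast_address, net.network_address):
            return True
    return False


def find_broadcast_echo_requests(records, local_networks):
    """Intermediary-side check: echo requests addressed to our broadcast addresses should be
    dropped at the border router; any that get through are amplification traffic."""
    return [r for r in records
            if r[3] == ECHO_REQUEST and is_directed_broadcast(r[2], local_networks)]


def find_reply_floods(records, window=1.0, min_sources=3):
    """Victim-side check: a burst of echo replies from many distinct hosts to one address that
    sent no echo request in the same window means that address was forged as the source.
    Returns {destination: largest number of distinct reply sources seen in one window}."""
    requests_sent = defaultdict(list)
    replies = defaultdict(list)
    for ts, src, dst, typ in records:
        if typ == ECHO_REQUEST:
            requests_sent[src].append(ts)
        elif typ == ECHO_REPLY:
            replies[dst].append((ts, src))
    floods = {}
    for dst, lst in replies.items():
        lst.sort()
        for i, (ts, _) in enumerate(lst):
            sources = {s for t, s in lst[i:] if t - ts <= window}
            solicited = any(ts - window <= t <= ts for t in requests_sent.get(dst, []))
            if len(sources) >= min_sources and not solicited:
                floods[dst] = max(floods.get(dst, 0), len(sources))
    return floods


if __name__ == "__main__":
    print(broadcast_address("10.0.0.0/8"), broadcast_address("10.50.0.0/16"))
    print(find_broadcast_echo_requests(INTERMEDIARY_VIEW, ["198.51.100.0/24"]))
    print(find_reply_floods(VICTIM_VIEW))
```

The intermediary-side check is the one that actually removes the amplifier: dropping inbound echo requests to the broadcast and network addresses at the border is the filter the text says many sites lack. The victim-side check only tells you that your address is being forged, which is useful for contacting the intermediary's operators.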
- Ping of Death: The Ping of Death uses a ping system utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversized packet is then sent to an unsuspecting system. Systems may crash, hang or reboot when they receive such a maliciously crafted packet.
- Teardrop: Teardrop exploits weaknesses in the reassembly of IP packet fragments. During its journey through the Internet, an IP packet may be broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 600 through 800 of the original (nonfragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination host, some systems will crash, hang or reboot.
- LAND: Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination--i.e., spoofed). Land is a widely available attack tool that exploits this vulnerability.
- IMAP: The Internet Message Access Protocol (IMAP) allows users to download their e-mail from a server. Last year, IMAP server software was released with a vulnerability that allows a remote attacker to gain complete control over the machine. This vulnerability is extremely important because a large number of mail servers use the vulnerable IMAP software. Numerous vulnerabilities and patches can be found at CERT.
- Back Orifice: Created and distributed by the hacker group Cult of the Dead Cow. Back Orifice is a tool consisting of two main pieces, a client application and a server application. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations that the client application can perform on the target machine (i.e., the machine running the server application) include the following: execute any application on the target machine; log keystrokes from the target machine; restart the target machine; lock up the target machine; view the contents of any file on the target machine; transfer files to and from the target machine; display the screen saver password of the current user of the target machine. The creators of Back Orifice also claim to be able to display "cached passwords" for the current user, but no other passwords were displayed during our analysis.
- NetBus: NetBus is not a virus, but it is considered a trojan. It is also quite widespread and frequently used to steal data and delete files on people's machines. NetBus is a remote administration tool, much like the infamous Back Orifice tool. However, NetBus predates Back Orifice by several months and is also capable of working under Windows NT in addition to Windows 95 and 98. NetBus allows a hacker to access data and gain control over some Windows functions on a remote computer system. NetBus features: open/close the CD-ROM tray once or at intervals (specified in seconds); show an optional BMP or JPG image (full path allowed); swap mouse buttons, so the right button gets the left button's functions and vice versa; start an optional application (full path allowed); play an optional WAV sound file (full path allowed); point the mouse to given coordinates; show a message dialog on the screen and allow the user on the remote system to answer it; shut down Windows, reboot, log off or power off; go to an optional URL in the default web browser; send keystrokes to the active application on the target computer; listen for keystrokes on the remote system and save them to a file; get a screenshot from the remote computer; return information about the target computer; upload any file to the target computer or update the server part of NetBus; increase and decrease the sound volume; record sounds the microphone catches, to listen to what happens in the room where the remote computer is; make click sounds every time a key is pressed; download and delete any file from the target system; block certain keys on the remote system keyboard; manage password protection of the remote server; and show, kill and focus windows on the remote system.
- WinNuke: WinNuke freezes a Windows 95 host by sending it out-of-band TCP data. The exploit uses a bug in the Windows TCP/IP stack relating to TCP packets with the URGENT (out-of-band) flag set in the packet header. When a Windows system receives such a packet, it expects a pointer to the position in the packet where the URGENT data ends, followed by normal data. Windows crashes when the URGENT pointer points to the end of the frame and no normal data follows.
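Ping of Death, Teardrop, LAND and WinNuke are all malformed-packet attacks, and a border filter or a hardened network stack defends against all four with the same kind of sanity checks: a fragment set must not overlap itself or reassemble to more than the IP total-length field can express, a SYN must not name its own destination as its source, and a segment with URG set must carry normal data past the urgent pointer. The following is an added example, not code from the original article or from any of the tools it names; the packet and fragment records are constructed, byte offsets are used directly (the real IP header stores the offset in 8-byte units), and the helper names are assumptions for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# The IP total-length field is 16 bits, so no datagram can legitimately exceed this.
MAX_IP_PACKET = 65535


@dataclass
class Fragment:
    offset: int  # byte offset of this fragment's payload in the original datagram
    length: int  # payload bytes carried by this fragment
    more: bool   # "more fragments" flag from the IP header


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False             # TCP SYN flag
    urg: bool = False             # TCP URG flag (out-of-band data present)
    urg_pointer: int = 0          # offset at which the urgent data ends
    payload_len: int = 0          # TCP payload bytes in this segment
    fragments: Optional[List[Fragment]] = None  # set when the datagram arrived fragmented


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Validate one datagram's fragments before reassembly.  Overlapping byte ranges are the
    Teardrop pattern; a fragment ending past MAX_IP_PACKET is the Ping of Death pattern; a
    final fragment still flagged "more" would sit in the reassembly buffer forever."""
    problems = []
    accepted = []  # (start, end) byte ranges already accepted
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        start, end = f.offset, f.offset + f.length
        for s, e in accepted:
            if start < e and s < end:
                problems.append(f"overlap: bytes {start}-{end} collide with {s}-{e}")
        if end > MAX_IP_PACKET:
            problems.append(f"oversize: fragment ends at byte {end}, above {MAX_IP_PACKET}")
        accepted.append((start, end))
    if ordered and ordered[-1].more:
        problems.append("incomplete: last fragment still has the more-fragments flag set")
    return problems


def check_packet(p: Packet) -> List[str]:
    """Return the malformed-packet findings a border filter would drop this packet for."""
    problems = []
    if p.syn and p.src_ip == p.dst_ip and p.src_port == p.dst_port:
        problems.append("land: SYN whose source address and port equal its destination")
    if p.urg and p.urg_pointer >= p.payload_len:
        problems.append("oob: urgent pointer at end of segment with no normal data following")
    if p.fragments:
        problems.extend(check_fragments(p.fragments))
    return problems


if __name__ == "__main__":
    # Constructed samples of each pattern, plus a clean fragmented datagram.
    print(check_fragments([Fragment(0, 1000, True), Fragment(600, 800, False)]))
    print(check_fragments([Fragment(0, 1480, True), Fragment(65120, 500, False)]))
    print(check_packet(Packet("203.0.113.1", "203.0.113.1", 139, 139, syn=True)))
    print(check_packet(Packet("203.0.113.5", "192.0.2.10", 1025, 139,
                              urg=True, urg_pointer=3, payload_len=3)))
```

Modern stacks perform exactly these checks before accepting a fragment into the reassembly buffer; the value of writing them out is seeing that each of the four attacks is a single violated invariant rather than anything exotic.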
- Nmap: Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. Nmap supports a large number of scanning techniques, such as: UDP, TCP connect(), TCP SYN (half open), FTP proxy (bounce attack), reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. Nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.
Preventing Computer Attacks and Safeguarding Proprietary Data
Protecting one's networks from computer attacks is an ongoing and non-trivial task. Simple common-sense security measures will stop the majority of network penetration attempts. For example, a well-configured firewall and an installed base of virus checkers will stop most computer attacks.
Information security is quite another matter and requires eternal vigilance by security personnel. Here is a list of security measures that, if implemented, will help secure a network and proprietary data.
- Computer Usage Policy
The first step to true computer security is the computer usage policy. Computer, Internet and e-mail use policies can range from a few paragraphs to lengthy documents. A handful of underlying principles should always be emphasized: (i) The computer belongs to the agency/business; (ii) Permitted use of the computer system is outlined; (iii) Prohibited use of the computer system is outlined; (iv) The employee has a duty not to waste computer resources; (v) The employee's expectations of privacy should be outlined; (vi) Monitoring and supervision of company computers and/or proprietary information is allowed; (vii) Care should be taken in drafting e-mail; (viii) Avoid inappropriate content; and (ix) Employees must sign off the network system.
- Patches
Companies often release software patches in order to fix coding errors. Unfixed, these errors often allow an attacker to penetrate a computer system. Systems administrators should protect their most important systems by constantly applying the most recent patches. However, it is difficult to patch all hosts in a network because patches are released at a very fast pace. Focus on patching the most important hosts and then implement the other security solutions mentioned below. Patches usually must be obtained from software vendors.
- Virus Detection
Virus-checking programs are indispensable to any computer network security solution. Virus checkers monitor computers and look for malicious code. One problem with virus checkers is that one must install them on all computers for maximum effectiveness. It is time-consuming to install the software, and it requires monthly updating to stay effective. Users can be trained to perform these updates, but they cannot be relied upon. In addition to the normal virus checking on each computer, we recommend that organizations scan e-mail attachments at the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.
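Scanning at the mail server, as recommended above, means applying a policy to every attachment before delivery rather than trusting each desktop. The following is an added example, not code from the original article: it parses a message with Python's standard email package and flags attachments whose name carries an executable extension or whose content starts with the DOS/Windows "MZ" executable header regardless of the name it was given (the "free software" lure from earlier in the article usually arrives renamed). The message, the blocked-extension list and the helper names are constructed for this illustration; a real gateway would hand the same parts to a virus scanner.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed policy list; a real gateway's list is longer and maintained with the AV signatures.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def attachment_extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' when the name has none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_attachments(raw_message: bytes):
    """Names of attachments that violate the policy: an executable extension, or a payload that
    begins with the 'MZ' header of a Windows executable no matter what it is called."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if attachment_extension(name) in BLOCKED_EXTENSIONS or data[:2] == b"MZ":
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed message: a harmless text file, an executable renamed as a picture, and a
    file with an executable extension.  Nothing here is a real program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Free software"
    msg.set_content("Enjoy the attached program.")
    msg.add_attachment("just some notes\n", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00fake executable body", maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment(b"not a real program", maintype="application",
                       subtype="octet-stream", filename="installer.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

The content check matters more than the extension check: the mail client will happily hand a renamed executable to the user, so the gateway has to look at the bytes, not the label.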
- Firewalls
Firewalls are the single most important security solution for protecting one's network. Firewalls police the network traffic that enters and leaves a network. The firewall may outright disallow some traffic or may perform some sort of verification on other traffic. A well-configured firewall will stop the majority of publicly available computer attacks.
- Password Crackers
Hackers often use little-known vulnerabilities in computers to steal encrypted password files. They then use password-cracking programs that can discover weak passwords within encrypted password files. Once a weak password is discovered, the attacker can enter the computer as a normal user and use a variety of tricks to gain complete control of your computer and your network. While used by intruders, such programs are invaluable to systems administrators. Systems administrators should run password-cracking programs on their encrypted password files regularly to discover weak passwords.
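The regular audit recommended above is a dictionary check against the stored hashes: every account whose hash matches a common word is one an intruder with a copy of the file would recover in seconds. The following is an added example, not code from the original article or from any cracking program; the password store (PBKDF2-HMAC-SHA256 with a per-user salt), the accounts, the wordlist and the low iteration count are all constructed for the illustration, and the audit is meant to be run by the administrator against the organization's own file.

```python
import hashlib
import hmac

# Kept small so the example runs instantly; production values are far higher, and that
# cost is exactly what slows an attacker's guessing down.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_store():
    """Constructed password store: username -> (salt, hash).  Two accounts use dictionary words."""
    return {
        "alice": (b"salt-a", hash_password("Tr0ub4dor&3xyz!", b"salt-a")),
        "bob":   (b"salt-b", hash_password("password", b"salt-b")),
        "carol": (b"salt-c", hash_password("letmein", b"salt-c")),
    }


# Constructed, tiny wordlist; real audits use the same large lists intruders use.
WORDLIST = ["123456", "password", "letmein", "qwerty"]


def audit_weak_passwords(store, wordlist, iterations: int = ITERATIONS):
    """Return {user: matching_word} for every account whose hash matches a wordlist entry.
    Each candidate is hashed with the user's own salt, so the work repeats per account."""
    weak = {}
    for user, (salt, stored) in store.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt, iterations), stored):
                weak[user] = candidate
                break
    return weak


if __name__ == "__main__":
    for user, word in audit_weak_passwords(build_store(), WORDLIST).items():
        print(f"{user}: password is the dictionary word {word!r}; force a change")
```

Two design points are visible in the numbers: a per-user salt means the wordlist has to be rehashed for every account rather than once for the whole file, and the iteration count multiplies the cost of each guess for attacker and auditor alike. Accounts the audit flags should be forced to change their password rather than quietly noted.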
- Strong Encryption
Attackers often break into networks by listening to network traffic at strategic locations and by parsing out clear text usernames and passwords. Thus, remote password-protected connections should be encrypted. This is especially true for remote connections over the Internet and connections to the most critical servers. A variety of commercial and free products are available to encrypt TCP/IP traffic.
- Vulnerability Scanners
Vulnerability scanners are programs that scan a network looking for computers that are vulnerable to attacks. The scanners have a large database of vulnerabilities that they use to probe computers in order to determine the vulnerable ones. Both commercial and free vulnerability scanners exist.
- Configuring Hosts for Security
Computers with newly installed operating systems are often vulnerable to attack. The reason is that an operating system's installation programs generally enable all available networking features. This allows an attacker to explore the many avenues of attack. All unneeded network services should be turned off.
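Finding the services an installation left enabled starts with listing what is actually listening on non-loopback addresses and comparing that with what the host is supposed to offer. The following is an added example, not code from the original article: it parses the Linux /proc/net/tcp table (the kernel prints the local IPv4 address as a little-endian hexadecimal number and the port in hex; state 0A is LISTEN) and reports listeners that are not on an allow-list. The sample table is constructed, the allow-list is an assumption, and the little-endian decoding assumes an x86-class host.

```python
import socket
import struct

LISTEN = "0A"  # TCP state code used in /proc/net/tcp

# Constructed /proc/net/tcp excerpt (not from a real host): sshd on all interfaces,
# a mail daemon bound to loopback, the portmapper on all interfaces, one established flow.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:A0F2 0B00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text: str):
    """Return (local_ip, local_port, state) for each socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # On little-endian hosts the kernel prints the address as a little-endian 32-bit number.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append((ip, int(port_hex, 16), fields[3]))
    return rows


def unexpected_listeners(text: str, allowed_ports):
    """Listening sockets reachable from the network (not loopback) whose port is not allowed."""
    return sorted(
        (ip, port) for ip, port, state in parse_proc_net_tcp(text)
        if state == LISTEN and not ip.startswith("127.") and port not in allowed_ports
    )


def live_unexpected_listeners(allowed_ports, path="/proc/net/tcp"):
    """Same check against the running host (Linux only)."""
    with open(path) as fh:
        return unexpected_listeners(fh.read(), allowed_ports)


if __name__ == "__main__":
    # A host that is supposed to offer only SSH:
    print(unexpected_listeners(SAMPLE_PROC_NET_TCP, {22}))
```

In the sample the loopback-only mail daemon is not reported, because a service bound to 127.0.0.1 is not one of the "avenues of attack" the paragraph is concerned with, while the portmapper on 0.0.0.0:111 is exactly the kind of default that should be switched off. Check /proc/net/udp the same way for UDP services.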
- War Dialing
Users often bypass a site's network security schemes by allowing their computers to receive incoming telephone calls. The user enables a modem upon leaving work and then is able to dial in from home and use the corporate network. Attackers use war dialing programs to call a large number of telephone numbers looking for those computers allowed to receive telephone calls. Since users set up these computers themselves, they are often insecure and provide attackers a backdoor into the network. Systems administrators should regularly use war dialers to discover these back doors. Both commercial and free war dialers are readily available.
- Security Advisories
Security advisories are warnings issued by incident response teams and vendors about recently discovered computer vulnerabilities. Advisories usually cover only the most important threats and thus are low-volume and high-utility reading. They describe in general terms the threat and give very specific solutions on how to plug the vulnerability. Excellent security advisories are found from a variety of sources, but the most popular come from C.E.R.T. - Carnegie Mellon Emergency Response Team.
- Intrusion Detection
Intrusion detection systems detect computer attacks. They can be used outside a network's firewall to see what kinds of attacks are being launched at the network, behind the firewall to discover attacks that penetrate it, and within the network to monitor insider attacks. Intrusion detection tools come with many different capabilities and functionality.
- Network Discovery Tools and Port Scanners
Network discovery tools and port scanners map out networks and identify the services running on each host. Attackers use these tools to find vulnerable hosts and network services. Systems administrators use these tools to monitor what host and network services are connected to their network. Weak or improperly configured services and hosts can be found and patched.
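The scan types listed under Nmap above and the port scanners described here leave a characteristic trace in a firewall's drop log: one source touching many ports on a host in a short time, or the same port across many hosts. The following is an added example of the detection side, not code from the original article or from Nmap: it parses a constructed firewall log (the line format, the addresses and the thresholds are assumptions for this illustration) and reports sources whose activity in a sliding window looks like a port scan or a host sweep.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log line format (an assumption for this example):
#   <ISO timestamp> <ACTION> TCP <src>:<sport> -> <dst>:<dport> <flags>
LOG_RE = re.compile(r"^(\S+) (\w+) TCP ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\S+)$")


def constructed_log():
    """Synthetic log: one host probing 15 ports on a server, one host sweeping port 80 across
    eight addresses, and one ordinary client opening two connections."""
    lines = []
    for i, port in enumerate(range(21, 36)):
        lines.append(f"2000-02-14T10:00:{i:02d} DROP TCP 203.0.113.9:{40000 + i} -> 192.0.2.10:{port} SYN")
    for i in range(1, 9):
        lines.append(f"2000-02-14T10:05:{i:02d} DROP TCP 198.51.100.77:{41000 + i} -> 192.0.2.{i}:80 SYN")
    lines.append("2000-02-14T10:07:00 ACCEPT TCP 203.0.113.20:50000 -> 192.0.2.10:80 SYN")
    lines.append("2000-02-14T10:07:05 ACCEPT TCP 203.0.113.20:50001 -> 192.0.2.10:443 SYN")
    return lines


def parse_line(line: str):
    """One log line to a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, action, src, _sport, dst, dport, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "src": src,
            "dst": dst, "dport": int(dport), "flags": flags}


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5):
    """Flag sources that touch many distinct ports (port scan) or the same port on many hosts
    (host sweep) within a sliding time window.  Returns (src, kind, count) tuples."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:]
                         if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            ports = {e["dport"] for e in in_window}
            hosts = {e["dst"] for e in in_window}
            if len(ports) >= port_threshold:
                findings.append((src, "port scan", len(ports)))
                break
            if len(hosts) >= host_threshold:
                findings.append((src, "host sweep", len(hosts)))
                break
    return findings


if __name__ == "__main__":
    for src, kind, count in detect_scans(constructed_log()):
        print(f"{src}: {kind} ({count} distinct targets within the window)")
```

The thresholds are the tuning knobs: set the window too long or the counts too low and a busy legitimate client is reported, set them too high and a slow scan spread over hours slips through, which is why the slow-scan settings Nmap offers exist.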
- Incident Response Handling
Every network, no matter how secure, has some security events (even if just false alarms). Staff must know beforehand how to handle these events. Important points that must be resolved are: when should one call law enforcement, when should one call an emergency response team, when should network connections be severed, and what is the recovery plan if an important server is compromised? CERT provides general incident handling response capabilities and FedCIRC is another incident response handling service.
- Security Policies
The strength of a network security scheme is only as strong as the weakest entry point. If different sites within an organization have different security policies, one site can be compromised by the insecurity of another. Organizations should write a security policy defining the level of protection that they expect to be uniformly implemented. The most important aspect of a policy is creating a uniform mandate on what traffic is allowed through the organization's firewalls. The policy should also define how and where security tools (e.g., intrusion detection or vulnerability scanners) should be used in the network. To obtain uniform security, the policy should define secure default configurations for different types of hosts.
- Denial-of-Service Testing (for firewalls and Web servers)
Denial-of-service (DOS) attacks are very common on the Internet. Malicious attackers shut down Web sites, reboot computers, or clog up networks with junk packets. DOS attacks can be very serious, especially when the attacker is clever enough to launch an ongoing, untraceable attack. Sites serious about security can launch these same attacks against themselves to determine how much damage can be done. We suggest that only very experienced systems administrators or vulnerability analysis consultants perform this type of analysis.
- Periodic Forensic Examination
Digital evidence acquisition tools and techniques should be employed periodically to ascertain employee compliance with the computer usage policy. Such examinations should determine, for example, whether employees are (i) working, or playing games and surfing the Internet; (ii) accessing confidential files; (iii) leaking proprietary data by e-mail; (iv) downloading illegal files or images; (v) storing personal information on company PCs; (vi) committing fraud against the company; (vii) tampering with company payroll records; (viii) using e-mail for "flames" or sexual harassment; or (ix) committing any other violation of the computer usage policy. Acquire the evidence with forensic tools that preserve the original (an image, with hashes recorded), since a finding may end up in a disciplinary hearing or in court.
- Theft Protection & Recovery Software
According to Safeware Insurance, 756,000 laptops and PCs were stolen in the USA in the last two years, costing their owners $2.3 billion. According to the FBI, 97% of computers lost or stolen are never recovered. Beyond the price of the hardware, consider the potential cost of losing proprietary data, R&D, customer lists, etc. What would happen if your data fell into the wrong hands? How do you protect yourself and your company from catastrophic losses? Software exists that sits silently on a PC or laptop and lets you track and locate the computer anywhere in the world in case of loss or theft; every computer in the organization should have it installed. Note that tracking software helps recover the hardware but does nothing for the data already in the thief's hands; only encrypting the disk protects that.
- Electronic Document Protection
Unauthorized access to, and theft of, proprietary information is a huge problem. The technology exists to "tag" electronic documents, and tagged files can be used in "honeypot" or other "sting" operations. This method of intrusion detection helps security personnel identify and locate intruders: a tagged document can be followed to its eventual destination, recording the chain of custody along the way, so that the initial thief and each subsequent reader of the stolen document can be identified. A tag is only useful if the surrounding process exists: someone must be watching for sightings of the tag and must be able to look up, from a register, which copy was given to whom.
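The tagging idea above, as an added example that is neither Codex Data Systems' product nor code from this page: every recipient gets a copy of the document carrying its own unguessable random tag, a registry maps tags to recipients, and a decoy copy that nobody was ever issued serves as the honeypot bait, so any sighting of its tag is an intrusion rather than a leak. The memo text, names, addresses, and the visible `[Ref: DOCTAG-...]` footer are constructed for the demo; a real implementation hides the tag in metadata or spacing so a thief cannot strip it, and the active "follow it to its destination" reporting the text describes is outside this example, which shows only the passive, after-the-fact attribution half.

```python
import re
import secrets

# Tag format used by this demo (an assumption, not a standard): 32 hex digits
# after a fixed prefix, so a sighting can be recognised anywhere in free text.
TAG_RE = re.compile(r"DOCTAG-([0-9a-f]{32})")


class TagRegistry:
    """Issues one uniquely tagged copy of a document per recipient and keeps
    the tag -> (document, recipient) mapping, so a copy that later surfaces
    where it should not be can be traced back to the person it was given to."""

    def __init__(self):
        self.issued = {}            # tag -> (document name, recipient or None)

    def issue(self, name, body, recipient):
        tag = secrets.token_hex(16)  # 128 random bits: unique, cannot be guessed
        self.issued[tag] = (name, recipient)
        # Appended in plain text so the demo is readable; a deployment hides it.
        return f"{body}\n\n[Ref: DOCTAG-{tag}]\n"

    def plant_honeytoken(self, name, body):
        """A tagged decoy no legitimate user is ever given.  It is left where
        only an intruder would look; any sighting of its tag means the store
        it sat in was accessed without authorization."""
        return self.issue(name, body, recipient=None)

    def attribute(self, blob):
        """Scan text that turned up outside its proper place (an outbound
        mail body, a public dump, a file on a seized laptop) for known tags
        and say what each one means."""
        hits = []
        for tag in TAG_RE.findall(blob):
            entry = self.issued.get(tag)
            if entry is None:
                hits.append(("unknown-tag", tag))       # forged or from another registry
                continue
            name, recipient = entry
            if recipient is None:
                hits.append(("honeytoken-triggered", name))
            else:
                hits.append(("leaked-copy", name, recipient))
        return hits


def demo():
    """Issue two real copies and one decoy, then attribute two constructed
    sightings and one clean message.  Returns the three attribution results."""
    reg = TagRegistry()
    memo = "Q3 acquisition memo: target is ACME, offer price to be decided."
    alice_copy = reg.issue("Q3 memo", memo, "alice")
    bob_copy = reg.issue("Q3 memo", memo, "bob")
    decoy = reg.plant_honeytoken("payroll_master.xls", "employee,salary\n...")
    assert alice_copy != bob_copy           # each copy carries its own tag

    # Constructed outbound e-mail: Bob forwarded his copy to a home address.
    outbound = "From: bob\nTo: bob.home@example.net\n\nFYI\n\n" + bob_copy
    # Constructed public dump containing the decoy nobody was ever given.
    dump = "leaked from corp fileserver:\n" + decoy
    return reg.attribute(outbound), reg.attribute(dump), reg.attribute("no tag here")


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The tag is random rather than derived from the recipient's name precisely so that a thief who finds it learns nothing and cannot forge a tag that points at someone else; the registry, not the document, holds the meaning. Running the `attribute` check on the outbound mail gateway is what turns this from forensics into detection.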
- Supervisory Software
Supervisory software exists that monitors all employee activity on a company computer. It should be used in conjunction with a banner warning that alerts the computer user to such monitoring. This banner warning is outlined in a CERT advisory dated 1992, updated and revised in 1997, which warns that system administrators "may be civilly and criminally responsible if monitoring software is used without a banner warning".
- Remote Access Supervision of TeleCommuters
If a company employs telecommuters (employees or outsourced personnel who perform their company tasks from home or off-site), it should be a condition of off-premises employment that the company may use such monitoring software to remotely supervise any computer (and any person or company) that has access to the company's proprietary data. Company personnel should also be allowed to check the integrity of the remote computer's security.
Needless to say, computer security is an ever-vigilant work in progress. In addition to the technical aspects, security personnel must deal with the human element, which may be far more difficult: human beings are by nature inquisitive and far from perfect.
The best-laid security plan is only as good as the people who implement it and the users who must follow it. Nothing is absolute. Remember: anything that man can invent, man can defeat.
Codex Data Systems, Inc.
167 Route 304
Bardonia, New York 10954 USA
© Copyright 1999-2000 CodexDataSystems, Inc
All Rights Reserved