Business in Vancouver: News that works for you

    The price we pay for better networks is greatly increased security risks--especially from within

    by Alan Zisman (c) 1995. First published in Business in Vancouver, Issue #313, October 24, 1995, High Tech Office column

    If you've got computers in your workplace, the odds are they're connected to some kind of network. Except in the smallest of offices, it's unusual to find a computer that's entirely on its own.

    And perhaps it's no coincidence that as we get more connected, we become more vulnerable to various kinds of attack--break-ins, viruses or data loss from within our organizations. A 1995 study by Ernst and Young, polling more than 1,000 major corporate information officers and managers involved with technology issues here and in the U.S., clearly illustrates the risks involved: more than half of respondents reported that their businesses have suffered losses due to incidents of this type, with a number of the losses exceeding $1 million.

    The reported rate of attacks is increasing. Despite that, the same survey suggests that a surprising 42 per cent of those surveyed believe that security is either "not important" or only "somewhat important."

    More networks and more connected machines equals more targets. At the same time, products aimed at increasing ease of use often result in increased security risks. And with many companies feeling under increased pressure to cut costs, security is often given a lower priority. There are no reliable statistics on the number of incidents affecting Canadian businesses: in many cases, companies would rather not report problems. And while we're most likely to hear about hackers in reports conjuring up images of teenage rebels and groups with names like "Masters of Deception," these make up a minority of the losses. (Still, the clichéd adolescent hacker has some basis in reality: recently, the RCMP in Ontario arrested a 20-year-old who had broken into more than 60 networks, including those of Harvard University, IBM and the Canadian government.)

    But most data loss happens internally--the result of actions by a company's own employees. Most often, these incidents are covered up. RCMP commercial crime investigator Bob Davis says this makes his job harder: "If we continue on the path where victims terminate employees and absorb the losses, then this situation continues in the same fashion, just at a different level," he points out.

    All too often, however, when a company's own employees use the network to steal money or data, infect computers with viruses or damage databases, the business would rather write off the loss than face bad publicity.

    Recently, there was a brief flurry of interest in network security focusing on the reassuringly named SATAN (System Administrator Tool for Analyzing Networks), a program that was released onto the Internet last April 5 by its authors, Dan Farmer and Wietse Venema. While it was purportedly designed to help network administrators probe their own systems for weaknesses, many feared that the free software could just as easily be used by outsiders seeking networks prone to attack.

    The media reports about the SATAN controversy most likely pushed sales of security-related products such as Internet firewalls--combinations of hardware and software designed to act as a barrier between your company's internal network and the wide-open access of the Internet. By restricting what can come in and what can go out, these can help protect your company's data from intruders--but not from your own employees.

    Probably the biggest single improvement in computer security that most businesses can introduce is password management. And unlike high-tech fixes like firewalls, some of the most effective measures involve no direct costs. Users need to be better educated on how to pick effective passwords (don't use easy-to-guess passwords like your middle name, your date of birth, or--please--words like "peace"). Passwords need to be changed often. Most of all, however, users must learn to keep their choices a secret: no technological system can be effective if an employee keeps a password written on a Post-It note stuck to a computer monitor.

    These sorts of behaviour will lead to problems in even the most technologically sophisticated system. Often, however, companies pass over education of their employees for more expensive, high-tech measures that may be less effective. (Of course, the best response will include both better employee training and sophisticated technology.) Between naive users, sometimes malicious or vindictive employees or former employees, and the increased tie-in of networks to international systems like the Internet, no system is safe.

    But if all of us--network users, network administrators, and our companies--start to take data security more seriously, many of these budding problems can be minimized or avoided.


Alan Zisman is a Vancouver educator, writer, and computer specialist.