It could have been a scene from Poltergeist. Only instead of angry ghosts invading a television screen, an unidentified intruder took control of a networked computer and rendered it almost useless.
It was the middle of the night in May 1999 when a computer hacker infiltrated the PC of Jim Jarrard, president of Cinema Networks Inc. (cinenet.com), a film and stock footage library in Simi Valley, Calif. The intruder had sniffed out Jarrard’s IP address, gained access to his hard drive over his digital subscriber line (DSL) connection, and begun downloading a piece of file transfer protocol (FTP) software onto Jarrard’s machine.
Once installed, the software would allow the hacker to index Jarrard’s hard drive and to steal whatever he found, including the lifeblood of Jarrard’s company: the digitized cinematographic images Cinema Networks licenses to TV companies, ad agencies, Web designers, and film makers. Among these images are ocean scenes for some Barbie doll packaging and clouds for a Chevy Tahoe advertisement.
Fortunately for Jarrard, his computer crashed while the hacker was going about his nefarious business. The crash froze the PC, leaving evidence of the intrusion right on the screen for Jarrard to find the next morning. “Unfortunately for us, however, the installation of the FTP software was successful enough that we couldn’t find and remove all traces of it,” recalls Jarrard.
The hacker, who had stolen the software and deleted the serial number, had modified the program to allow it to be installed in several obscure places on his target’s hard drive. The standard “uninstall” command was useless. As a result, the possibility that the hacker–who was never apprehended–could return on the sly at any time and peruse his hard disk hung over Jarrard’s head.
Jarrard spent days on the telephone with the FTP software manufacturer trying to find a solution. “I would be talking to a technician on the telephone, and he’d be saying, ‘Yup, I can see your c: drive, and here are the names of your files.’ It was scary,” Jarrard says. “In the end, we just had to go ahead and reformat the entire drive.”
High price to pay
While it is difficult for Jarrard to estimate the financial impact of the hacker’s work, his company spent two weeks making calls, doing research, and working with technical support people to determine how to uninstall the FTP software. Hoping to avoid a repeat invasion, Cinema Networks also asked developers at the third-party FTP software firm to try and gain unauthorized access to its system.
Next, the company spent a day backing up its data, and another two days reinstalling software and reconfiguring the system. Finally, Cinema Networks spent several days researching firewall technology, a headache-causing experience due to incompatibilities between at least one firewall solution and the shared DSL software it was using.
Soon after going through this labor-intensive process, Jarrard purchased and installed Sybergen Secure Desktop (formerly SyShield), a $29 personal firewall software program from Sybergen Networks Inc., of Fremont, Calif. Next, he mandated that all company computers connected to the Internet via DSL or cable modems be equipped with firewall protection.
In the end, Jarrard was one of the lucky ones, relatively speaking. Apart from a couple of weeks of lost time and productivity, his company’s assets were unaffected. But not all companies escape hack attacks so unscathed. Even as security practices in medium and large corporations are tightened and as firewalls become ubiquitous on corporate servers, new holes are opening up all the time. The biggest culprits: telecommuters and mobile workers.
“The security picture is getting worse for two reasons,” notes Mike Paxton, senior analyst with Cahners In-Stat Group Inc., in Scottsdale, Ariz. “First, there are more telecommuters every day. Second, they’re increasingly employing DSL or cable modems, which are vastly more susceptible to being hacked than dial-in connections. The risks are tremendous.”
The U.S. Department of Labor estimates that fully 34% of the U.S. workforce is mobile, meaning they work at least part time outside the office. Those roughly 60 million workers routinely carry around vital corporate data, often in nearly unprotected fashion. In addition, those who employ high-speed “always on” connections like DSL or cable modems generally have a static IP address, making them vulnerable to hackers, who sniff out such addresses and then target them for attack.
Thanks to several well-publicized, large-scale hacking jobs, such as the distributed denial of service (DoS) attack that temporarily crippled sites including eBay and Yahoo! in March 2000 and epidemics of viruses like May 2000’s “ILOVEYOU” bug, security issues are now top priority for many corporate IT professionals. That concern is sparking a boom in the security services and tools market, according to Abner Germanow, research manager for Internet security at International Data Corp. (IDC), in Framingham, Mass.
IDC forecasts that the firewall appliance market alone will grow to $1.4 billion by 2005, from $306 million in 2000. The portion of that market encompassing personal firewalls, the tool of choice for telecommuters, “virtually didn’t exist six months ago,” Germanow says. These tools, which in general work by alerting users to unauthorized attempts to access the computer and its programs, soon will be “a given” on all PCs not protected by a corporate firewall, he says.
But handing your telecommuters a piece of firewall software isn’t nearly enough, warn security experts. “It’s far too easy for the average user to misinstall or misconfigure software,” says Laura Taylor, research director of security at TechnologyEvaluation.Com Corp., an IT research firm in Woburn, Mass. “You really must have someone trained in security issues get the telecommuter up and running.”
In addition, Taylor says, corporate IT must be aware that good security is a multilayered, multiproduct process. Besides firewall software, everyone outside the organization’s walls should be equipped with anti-virus software, and someone in the IT department must be charged with making sure the never-ending stream of updates is passed along to users, experts say. Also, industry observers say a stringent authentication system should be in place to prevent hackers from “eavesdropping” on log-in procedures and stealing passwords to the corporate network.
Finally, Taylor also recommends installing a messaging security program, such as New York-based Lexias Inc.’s LexiGuard messaging encryption software. LexiGuard is a public key infrastructure (PKI) program that uses two keys–a public one that encrypts messages and another that decrypts them. In order to exchange messages, both the sender and receiver need the software installed.
R. Gordon Parker, for one, has become a staunch advocate of strong and well laid-out security practices. Parker is president of Dynamic Solutions Group (DSG), an IT consulting and services group in Edmonton, Alberta. Like a growing number of companies these days, DSG is pervasively decentralized; in essence, all employees are telecommuters. It’s one of Parker’s jobs to ensure the data bouncing between his 115 widely dispersed associates remains secure.
Parker will vouch for the need for a multilayered approach to security. In the spring of 1999, an associate from Europe inadvertently forwarded the “PrettyPark” worm to him via e-mail. The worm was designed to infiltrate a hard drive and release confidential information such as dial-up passwords and system information. Further, it compromised companies’ security settings by allowing the remote receipt, creation, deletion, and execution of files.
Because the worm was a new one, Parker’s anti-virus software wasn’t equipped to detect and reject it. The worm was programmed to attach itself to all applications on the victim’s computer that are capable of accessing the Internet, thus insidiously finding a way to replicate itself. Parker’s computer would have been turned into a launch pad for the worm.
Fortunately, just a week before the attack, Parker had downloaded ZoneAlarm, a free personal firewall package made by Zone Labs Inc., of San Francisco. The firewall was configured to restrict access to applications from the outside and to alert the user when access was requested. Thus, the worm couldn’t get in.
“It was a close call,” Parker says. “By the next day, I’ll tell you, every one of my associates had the program installed. In addition, we created a rule that stated that every e-mail attachment had to have a note attached to it that, by its tone and content, would signal to the recipient that it was legitimate and safe.”
A cat-and-mouse game
Unfortunately, in larger, more traditionally structured corporations, managing and monitoring security may not always be as simple.
“Most medium to large corporations have at least a working understanding of security needs,” says Richard Karon, a Plano, Texas-based analyst with Perot Systems Corp., who consults with companies on security issues. “Security is far more than just technology; it’s a process and it’s diligence. Sure, corporations have firewalls on their servers. But are they watching the logs every day? Do they have written security procedures and policies for their employees? Even more, are they actually making sure employees understand the procedures?”
Karon stresses the need for companies to take a centralized approach to security, no matter how decentralized their environments, thereby removing the onus for software installation from busy users with other things on their minds. For that reason, he promotes the use of firewall software that can be installed and monitored from a central location, such as VPN-1 SecuRemote from Check Point Software Technologies Ltd., of Redwood City, Calif.
“By setting policy centrally and pushing it to the desktop through the corporate VPN, you avoid much of the human factor,” Karon says. “You’ll always have users who are not adept at installing software, are too lazy or busy to, or who are downright rebellious. With centralized installation, you can often make it entirely transparent to them; they don’t need to know how to configure it,” he says.
“The hard fact is that security will always be a cat-and-mouse game. You can come up with a new fix for a security breach, but the bad guys are always finding new ways around it,” says Karon.
Connectivity marches on
None of the industry experts expect security concerns to reverse the movement toward greater use of technologies like DSL or cable connections, or to prompt companies to cut back on telecommuting. They do expect, however, to see security features bundled into other products and services and become nearly ubiquitous.
“Soon, IT managers will be able to say to users, ‘Here, take this piece of software and use it to connect to the corporate network from anywhere via any sort of connection,’” says IDC’s Germanow. “That software would encompass a VPN client, a personal firewall, intrusion detection, and file encryption.”
In addition, Germanow predicts that by 2005, the cost of providing security technology to remote users will decrease dramatically or disappear, as security features increasingly are bundled into connectivity solutions offered by Internet service providers or cable-service providers.
“The real reason IT managers have to think about providing firewall technology is because whoever they’re buying connectivity from isn’t providing it,” Germanow says. “But that will change. Soon, users will receive the technology as part of an integrated solution, first for an extra fee, but eventually just as part of the base price.”