Computers Today


June 1-15, 2000 | MASTER FILE



Securing the Corporate Gate

Was your organisation hit by the 'ILOVEYOU' virus? Was it hit by Melissa? What, if anything, are companies learning about Internet security to ward off virus attacks? Now that networks are vast, labyrinthine, global systems that can be penetrated easily from anywhere, what does one do to make the corporate gateways foolproof, from inside and out?

By T.A.Balasubramanian

A few weeks ago, the seductively-named "Love Bug" swept through corporate and government computer systems around the Internet, replicating itself by E-mail through Microsoft Outlook, the widely used scheduling and E-mail program. It was coded in Visual Basic, the Microsoft-developed programming language that helps programmers easily write applications for Microsoft's Windows operating system and link to other programs. The same friendly style that helped make Microsoft products so universally popular has gained currency among hackers and virus creators, at the expense of security. The cost of the "Love Bug" is estimated to be a staggering $15.30 billion all over the world.

Viruses are truly the dark and dangerous side of the IT industry. They can be written by teenagers in commonly available code for any widely used platform, and they can replicate at tremendous speed across a variety of E-mail clients, often reaching millions of sites around the world within hours. Fighting the virus creators by producing vaccines is a full-time industry of anti-virus companies, whose task is to keep updating their product architecture perpetually. But in the Internet era, they are also in a response-time game: it took just three hours for millions of users to receive the Melissa virus through E-mail. To survive, the anti-virus experts must not only trap the virus but also put out the cure faster than users are affected by it.

Highly Vulnerable

"A Small Bruise"

Hindustan Lever Ltd.
IS Chief: Lalit Swahney
CIO: Prabuddha Ganguli

Threats: ILOVEYOU left a small bruise. Out of the 230-plus servers of the company, only one was partially affected on day one of the virus outbreak. Immediate information and high awareness among the employees checked its advance pretty fast. Also, we recently discovered that some external agency was trying to hack into the site.

Strategy: The Internet as the solution to everything is now being questioned. Though we managed to put in a filter on the main gateway (Bangalore ITPL), after the ILOVEYOU attack the remote monitoring facility needs to be upgraded.

We have three layers of security in place. Since our servers are linked through VSATs, the main gateway has to be protected strongly. Then the servers are protected individually, and the last stage is the individual desktops and laptops. DAT files are updated every week. An external virus help-desk monitors the network round the clock. It downloads DAT files and loads them onto CDs. These CDs are then sent to all the server sites. Special software helps in automatically loading the DAT files onto each machine logged on to the servers. The system administrator maintains a log and can pinpoint a node that seems to signal possible hacking. To ensure that the servers are properly configured with certain security protocols like secure socket layer and point-to-point tunnelling, an enterprise security management system has been put in place. We recently invited a European company which specialises in hacker checking, and entrusted it with the job of trying to break into the network internally as well as externally.

Tools: We have installed the latest version of McAfee 4.0477. Further, the company changes the virus engines three to four times a year. We have also installed Checkpoint as a firewall mechanism, which has tested positive with the parent company, Unilever.

Abhrajit Gangopadhyay in Mumbai

In a less network-dependent decade in the past, information systems (IS) managers could count on systems management tools (such as those from IBM, Computer Associates, Hewlett-Packard and others) to safeguard their networks. But now, every Internet-dependent business is also highly vulnerable to devious and unpredictable attacks, no matter how strong the defence. The stakes have changed enormously with electronic commerce. Suddenly, networks are vast, labyrinthine, global systems that can be penetrated easily from anywhere. As more people convert to E-commerce, they will demand instant personalised response from any business site, and inevitably, the associated cost of network downtime has risen exponentially.

With Internet-savvy customers and business partners expecting round-the-clock service, network downtime is now instantly apparent, leading to a multitude of tangible and intangible business losses. It is difficult to assess precisely the intangible effect of downtime on the value chain: on sales, market branding, customer loyalty and, for that matter, competition.

When a corporate network of a well-known Internet site crashes, its damaging effect hits national headlines, wreaking havoc on the company's bottom line and causing great consternation for the IS managers in charge.

As the Internet provides almost universal access, a company's assets must be protected against misuse, whether accidental or malicious. At the same time, that protection should not compromise a site's usability or performance nor make its development too complex.

There is also another security issue: since electronic commerce systems enable the collection and use of sensitive information about individual customers, companies also need to protect the privacy of their customers.

Whenever IS managers get exposed to a virus or a hacker infiltration, they must trace the disaster path, find out what damage the virus actually did, and whether it left behind a hacker agent in the network. The new trend in hacking appears to be collaboration, again made easy because of the Internet. Virus writers, hackers and E-mail vandals used to be in different camps. However, now there are mixed attacks, in which a number of camps are collaborating.

One example is a virus called Back Orifice. This "peeping tom" combines a harmless-looking E-mail bomb, a virus-spreading mechanism and a software agent. It does not do any traditional serious virus damage, like destroying a hard drive. It sits on the network so that it can steal important information and send it back to the hacker over an extended period of time. The hacker gains permanent access to every important file available.

An Initiative

"We Were not Loved"

DBS Internet Pvt. Ltd.
CEO and IS Chief: Sanjay Shetty

Threats: The firm was not affected by the recent ILOVEYOU and Melissa viruses.

Strategy: Security cannot be an afterthought. Organisations have to plan for security of their systems at the time of designing their systems/applications. It's foolish to create an application and then talk about securing it; applications have to be designed with security in mind.

The only solution the corporates are aware of is to 'put up a firewall'. Most hacking occurs because firewalls are not configured properly. Security is an ongoing exercise, especially in terms of computers. New bugs in software reveal new loopholes for which patches are made available by vendors. But patches have to be applied to systems regularly.

Security policies have to be enforced to take care of upgrades and new application installations. Also, breach of your system from the inside is as much a possibility as from the outside. Multi-level security policies should be present depending on levels of people in the organisation.

Tools: Smart card systems, which help in identifying an individual online, are in place. Also, there is various software that issues software-based security certificates, which can be used to allow individuals to gain access to parts of the system. Use encryption software, which can help encrypt your files, such as PGP (pretty good privacy). On the other hand, there are different protocols which are available, such as SSL (secure sockets layer). I have seen instances even in India where a major B-to-C cybermall has an SSL-enabled system, but one part of the site contains SSL 1.0, while another contains SSL 2.0. Having different versions definitely undermines the security and stability of the system.

Suggestions: Create a security policy within the organisation. Work out a budget for securing your information just as you would for software/hardware. 'Constant monitoring of your systems is necessary; security is not a one-time job': get this ingrained in your head. Don't keep users in the dark about a breach. Knowing about a breach will encourage an open policy, and make them more open to initiatives.

Abhrajit Gangopadhyay

Corporate networks are built assuming certain levels of trust in how the information passing through them is accessed and used. When they are hooked into public networks, for example the Internet, the safest, and most intelligent, approach is called for. The premise is that effective security administrators should trust no one, whether from outside or from within.

It is evident that commercial sites that depend on the Internet are highly vulnerable to invasive, crippling attacks. All too often, the IS manager is held responsible for what is a systemic weakness that hackers have learned to exploit.

The "denial of service" event in recent times, which saw many E-commerce portals (eBay, Amazon and a number of others) crippled for many hours due to a concerted attack by hackers, has underscored the importance of network uptime in an accelerated electronic world. Companies are spending exorbitant amounts of capital and manpower to strengthen their networks. Still, the potential for a network breakdown is undeniable. No network is safe from plain technical disaster or premeditated hacker attacks; however, IS managers can study companies that have endured severe episodes of network downtime, and greatly improve their chances for recovery.

Vulnerabilities are problems that any security policy would universally regard as "vulnerabilities": software flaws that could directly allow serious damage or security breaches, and specific known vulnerabilities in operating systems, utilities and network programs. Exposures are problems that provide stepping stones to successful hacker attacks. Examples include running services such as finger, poor logging practices or software misconfiguration.

Security Initiative

So what is the solution to the universally vexing problems of vulnerability and exposure? While there are any number of vendors and researchers offering fixes and protection schemes, a concerted effort to deal with the problem has been taken up by the MITRE Corp. (an independent, not-for-profit organisation working in the public interest; its site can be accessed at www.mitre.org).

MITRE took up the common cause of security in the infotech industry last year by announcing the new "common vulnerabilities and exposures (CVE)" initiative, the first publicly available dictionary that provides standardised names and descriptions for more than 300 known information security vulnerabilities and exposures.

"Lotus Saved Us"

Modi Xerox Ltd.
IS Chief: Ajay Patil

Threats: We were not affected by the ILOVEYOU virus, mainly because it had targeted Microsoft Outlook Express, while we use 'Lotus Notes mail'. We were lucky that the virus, spreading through mails, spared us.

Strategy: We have a very stringent 'Internet/mail' policy. All Internet mails are routed through the Delhi server and are scanned for content and viruses. We have asked users not to subscribe to any 'mail subscription sites' that send jokes and pornographic content, and not to use the Xerox mail ID for purposes other than business. Every server or PC is loaded with the latest update of anti-virus software, and users are provided information about the latest update. No machine is connected to the network unless it is authorised by the IT department. No user is allowed to connect directly to any ISP through the office network. Every rented PC, before being connected to the network, is formatted and the OS reloaded. No pirated software is allowed to be installed on the system, and the PCs are regularly audited for any such violations. We discourage the use of floppies unless very essential.

Abhrajit Gangopadhyay

Historically, each security tool and vulnerability database used its own names for vulnerabilities and exposures. Without a common language to correlate pieces of vulnerability-related information, it was a nightmare trying to manage the output from the multiplicity of security tools that IS managers used. CVE is expected to boost cyber defences by making it easier to share data across separate vulnerability databases and security tools. The CVE list was developed in cooperation with 19 major security organisations that make up the CVE editorial board, including the CERT Coordination Center, IBM Research, Cisco Systems and Internet Security Systems (ISS).

In addition to facilitating data sharing among Intrusion Detection Systems (IDSs), assessment tools, vulnerability databases, researchers and incident response teams, CVE also aims to provide a basis to achieve security tool interoperability and comparisons across vendor platforms and facilitate vulnerability research.

Most of the industry experts agree that the CVE naming standard developed by MITRE represents a significant leap forward for the information security industry and end user community. The comparative research made possible by CVE is expected to lead to enhanced security tools and further innovations in information security. CVE is available to the public through a MITRE-managed Web site (cve.mitre.org).
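To show the correlation that a common naming scheme makes possible, here is an added example (not code from the article, MITRE or any CVE-compatible product): two hypothetical tools, "scannerA" and "idsB", report the same issue under their own private names, and a constructed cross-reference to placeholder CVE ids lets their findings be merged per host and cross-checked. The tool names, finding names and CVE ids are all invented for this example.

```python
import re
from collections import defaultdict

# Constructed cross-reference from each tool's private finding name to a CVE
# id. Tool names and CVE ids here are placeholders invented for this example,
# not real entries from the CVE list.
TOOL_XREF = {
    "scannerA": {"SA-1042": "CVE-1999-9901", "SA-1077": "CVE-1999-9902"},
    "idsB": {"finger-probe": "CVE-1999-9901", "tftp-get": "CVE-1999-9903"},
}
# A CVE id is "CVE-", a four-digit year, "-", and a sequence number.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def to_cve(tool, local_name):
    """Map a tool's private name to its CVE id, or None if no entry covers it."""
    cve = TOOL_XREF.get(tool, {}).get(local_name)
    if cve is not None and not CVE_ID.match(cve):
        raise ValueError("malformed CVE id in cross-reference: " + cve)
    return cve

def correlate(findings):
    """Group (tool, host, local_name) findings by host and CVE id.
    Returns (by_host, unmapped): by_host is {host: {cve_id: set of tools}};
    unmapped lists findings no cross-reference covers, so they are not lost."""
    by_host = defaultdict(lambda: defaultdict(set))
    unmapped = []
    for tool, host, name in findings:
        cve = to_cve(tool, name)
        if cve is None:
            unmapped.append((tool, host, name))
        else:
            by_host[host][cve].add(tool)
    return {h: dict(cves) for h, cves in by_host.items()}, unmapped

def corroborated(by_host):
    """(host, cve) pairs reported by more than one tool: the same issue under
    two private names, which only a shared naming scheme makes visible."""
    return sorted((host, cve) for host, cves in by_host.items()
                  for cve, tools in cves.items() if len(tools) > 1)

# Constructed findings, as two tools might report them for two hosts.
SAMPLE_FINDINGS = [
    ("scannerA", "10.0.0.5", "SA-1042"),
    ("idsB", "10.0.0.5", "finger-probe"),
    ("scannerA", "10.0.0.7", "SA-1077"),
    ("idsB", "10.0.0.7", "tftp-get"),
    ("idsB", "10.0.0.7", "new-signature"),
]
```

Running `correlate(SAMPLE_FINDINGS)` shows host 10.0.0.5 reported once by both tools under one CVE id, and keeps the unmapped "new-signature" finding visible instead of discarding it.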

"Public Face is at Risk"

Allindia.com
Network Security Expert: Bhaskar Sarkar

Threats: A corporate network generally has three broad facets: a public presence, in which anybody from anywhere is allowed access; a private presence for use by authenticated internal users only; and mission-critical applications for restricted users. Naturally, when a corporate network has a public presence, the security threat becomes high both in terms of frequency and magnitude. There are innumerable examples of security attacks on Indian Web sites like those of VSNL, BHEL and BARC.

Strategy: Allindia.com does not depend on detection systems or anti-virus tools, as none can assure foolproof protection. Generally, there is at least a few hours' delay before an anti-virus vendor comes forward with a patch that has been developed to combat or remove a new threat. By then, a system could get affected. Proper security, therefore, comes from awareness among the users, and thus security awareness forms the backbone of Allindia.com's policy for prevention. In the instance of the ILOVEYOU virus, a circular was issued to our internal users, followed by implementation of a 'subject line' filter in the mail server as soon as we received the news about this new virus. Other measures like downloading the patch from the Web came afterwards.

Tools: Anti-virus tools from Network Associates and Trend Micro. Cryptographic tools like RSA obtained from HCL Comnet.

Indrajit Basu in Calcutta
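The subject-line filter the Allindia.com sidebar describes, as an added example (not Allindia.com's own code or configuration), written as a gateway classifier over constructed messages. The subject match is the sidebar's rule; the attachment check for script extensions such as a double-extension "note.txt.vbs" is an added generalisation and an assumption of this example, as are the blocked-extension list and the example addresses.

```python
from email.message import EmailMessage

# Subjects the gateway rejects outright. "ILOVEYOU" is the subject the
# sidebar describes filtering; matching is case-insensitive after trimming.
BLOCKED_SUBJECTS = {"iloveyou"}
# Added generalisation (an assumption of this example, not the sidebar's rule):
# also flag attachments whose name ends in a script or executable extension,
# including names disguised with a double extension such as "note.txt.vbs".
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".exe", ".scr")

def classify(msg):
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        reasons.append("blocked subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(SCRIPT_EXTS):
            reasons.append("script attachment: " + name)
    return reasons

def make_sample(subject, attach_name=None):
    """Build a constructed test message; the attachment body is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attachment.")
    if attach_name:
        msg.add_attachment(b"placeholder bytes, not a script\n",
                           maintype="application", subtype="octet-stream",
                           filename=attach_name)
    return msg

if __name__ == "__main__":
    for subj, name in [("ILOVEYOU", "note.txt.vbs"), ("Weekly report", "report.doc")]:
        print(subj, "->", classify(make_sample(subj, name)) or ["deliver"])
```

Because it looks only at the subject and attachment name, this filter stops a known outbreak quickly but, as the sidebar notes, is no substitute for a signature update once the vendor ships one.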


© Living Media India Ltd