

 

 
Securing the Corporate Gate Contd...

"Twin Strategy for Attacks"
Duncans Industries Ltd.
Vice President (IT): Dipanjan Bosu
Threats: In the recent
past, we have noticed virus/Trojan attacks mainly through E-mails,
which can be largely tackled by the latest anti-virus and
anti-spamming tools. But it is difficult to adopt absolute
security for newer viruses like the Melissa and ILOVEYOU.
Strategy: Internet
security has to ensure the two basic functions: that of preventing
unauthorised access and authorising proper personnel to use the
same. To protect against security threats to corporate networks in
India there has been an increasing use of cryptography to encrypt
and decrypt messages, and to authenticate parties and messages.
Internet security is also taken care of by a firewall (combination
of hardware and software) and security policy to safeguard the
corporate network.
Tools: RSA SecurID
provides an electronic identification combined with the secret PIN of
the users. This ensures a two-factor identification solution for
getting access to the corporate network. Further, Norton anti-virus
(Symantec), Total Virus Defence/Virus Scan (Network Associates),
InoculateIT (Computer Associates) are used. We also use PGP
6.5.3, which is a cryptographic tool, for enhanced security.
Indrajit Basu

Sharing Knowledge
Recently, MITRE hosted an Internet service
provider security summit meeting that drew together a working group of
technical experts from companies that provide the backbone of the
Internet, as well as vendors supplying products for the Internet. Among
those who participated were Bell Atlantic, Cable & Wireless, Cisco
Systems, the United States Department of Defense, Lucent Technologies and
the SANS Institute.
The group met to share the knowledge of
network vulnerabilities, focusing on the recent denial of service attacks
experienced by several major Internet companies. The summit's primary goal
was to pull the Internet community together to develop technical solutions
that will prevent future service interruptions.
One outcome of this summit was the
development of simple guidance that can be followed by every organisation
connected to the Internet. It is now available at the Cyber Resource
Center on MITRE's Web site, and on the SANS Web site (www.sans.org).
Specifically, it will address the two most common techniques used in
denial of service attacks on the Internet today: an attacker's ability to
hide by using a forged Internet protocol (IP) address, and an attacker's
ability to use another's site to amplify an attack.
Specific Measures
One of the reasons why cyber attacks can be
deadly is that millions of users can become unwitting, innocent
participants in attacks when the attacker furtively uses their system as a
host to multiply the barrage of hits on a targeted system somewhere else.
At this point of technology evolution, the only reasonable approach is
through collaboration, since everyone who uses the Internet is part of the
chain. And as hackers themselves are tending to collaborate to make their
attacks more crippling, it makes all the more sense for the user community
to combine forces in initiatives such as the CVE. While these protective
measures are being evolved for the industry, what can the individual IS
manager do to safeguard his resources? The major security checkpoints that
may be considered fall under five general categories:

"Checkmate at Firewall"
RS Software Ltd.
Network Support Chief: Anindya Sengupta
Threats: The corporate
sector in India is not aware of the security threats that face
their information systems. That is because only a few companies,
barring the large ones, use computers that are critical to their
operations. Most consider that at worst viruses or hacking can
affect a personal desktop, which can do little harm to the
organisation per se.
Strategy: The
organisation has a robust network that is immune to any kind of
security threats. However, the company follows an elaborate
security policy, which constantly protects its systems from any
undesirable intervention/hacking. Basically, this protection comes
from the elaborate firewall that is built in its system. This
firewall has a multi-layer checking that uses the latest software
and hardware solutions.
Indrajit Basu

Interception. This is simply good
old-fashioned virus protection using antivirus software available from
many vendors, for files that reside on desktops, servers and gateways.
Checks. Access controls, authorisation
and authentication for both users and devices, especially on the Web.
There are now specialised tools, such as single sign-on software, which
allows authentic users to log in and log out.
Alarms. Every network must have
intrusion detection, scanning and logging capabilities that are repeatedly
tested and strengthened based on up-to-the-minute techniques.
Encryption. This covers anything
relating to the transmission of E-mail and data files, not to mention
public key infrastructure (PKI) certificates and virtual private network (VPN)
protection.
Firewalls. With E-commerce and Web
access growing, there is a tremendous need for corporate security tools
(called firewalls) such as packet filters and application proxies. There
are many vendors offering such solutions, and tailor-made ones can be
implemented for each system.

"Onus Lies on End-user"
ITC Ltd.
Manager, Corporate MIS: Arun Mitter
Threats: We face
significant security threats in three distinct areas: hacking into
the private network, revelation of confidential information to the
world outside and virus attacks leading to IT/network service
disruption and data loss resulting in adverse effect on business.
Few users are fully aware of the various sources of security
breach: virus attack, Internet cookies, chain mail and hacking.
Strategy: ITC does not
expose its network to external access like the Internet, which is
accessed from stand-alone computers. Moreover, users are regularly
educated and updated about security threats that emerge
intermittently. Other measures include keeping PCs and servers
updated with latest security solutions like anti-virus software.
We believe that the best security strategy lies in a clear IT user
norm, over and above technology. This strategy has been successful
in preventing ITC's network from all attacks, including the recent
ones like the Melissa or ILOVEYOU.
Suggestions: Adhere to
the following guidelines strictly while using external and
non-proprietary networks like the Internet: don't open any mail from
strangers; avoid opening an attachment unless expected; ensure
that latest anti-virus is loaded in the computer; and keep
necessary backup of all files stored in respective hard disk.
Indrajit Basu

Implementing these checkpoints should help in
instilling a measure of confidence in customers and partners and everyone
else in the corporate fold. The selection of security tools can be made
using the guidelines set out by CVE. CVE is vital in helping users of
security tools and systems to effectively compare products using an
apples-to-apples approach. There is no longer any need to sort out which
tool tests for which vulnerability. If a tool is CVE-compliant, a user can
immediately determine if a tool tests for the specific vulnerabilities
that concern his system, without poring through the product's
documentation.
Employ Hackers
One of the best methods to ensure total
corporate security is to employ hackers themselves as security
specialists! Hackers are a very special breed of computer programmers,
trained like guerrillas to penetrate security networks. They can be turned
into good corporate citizens, as they are very focused and goal oriented.
Like intelligence agents, they too have a heightened paranoia which makes
them suspect everyone who walks in. Only good hackers will doggedly try
every single way to get into a system.
But hacking is not just mastery of
technology. Very often "social engineering", the exploitation of
a trusting relationship to elicit information, is the weakest link in a
firm's IT defence. A clever hacker can merge into a firm on some pretext,
and he needs no complex hacking tools to pull it off. At least in the US,
former hackers are designing an increasing portion of the corporate
computer network landscape of the future. Sceptics might ask what, if any,
benefit they provide beyond what one could get from a traditional security
consultant.

"One-up on the Hackers"
Tata Cellular Ltd.
Senior Manager (IS): A.V. Rajendran
Threats: Basically,
there are two types of security threats to any corporate network:
one relates to hacking into the networks and the other to virus
attacks.
Strategy: We have
guarded our network from hacking by putting up firewalls.
Moreover, logs are checked regularly. We have an internal security
policy that discourages sharing of IDs and ensures deletion of IDs
when an employee leaves the organisation. To tackle virus attacks,
we ensure anti-virus software is updated with latest patches. We
regularly educate all our users on viruses and provide immediate
alerts on any new virus. We also advise our users not to share
their drives on the network. The same exercise was also done for
the ILOVEYOU bug as well.
K. Jayadev in Hyderabad

Hackers do not follow an outline. They do not
map a system the traditional, plodding way, moving from box to box on a
flow chart. They leap into the flow of the information and swim. They
leave room for possibilities. One example of a recent
hacker-turned-consultant success story is that of a large government
agency that employed a team of ex-hackers to assess its current state of
security by evaluating each part of the enterprise as an individual piece.
There were numerous vulnerabilities, from telephone systems to the
intranet to the extranet. When the team issued a report, individual
departments acted predictably. They defended their turf and blamed one
another.
The team suggested that the agency look at
the entire system as one whole vulnerable unit. They showed the government
agency how all of the vulnerabilities were interconnected. More important,
the event became a catalyst for a team-building project. Individual
managers saw that the only way to develop an integrated approach to
solving security problems was to work on the entire network, the human as
well as the computers, to think, in short, as hackers think!

"Let Them Play Inside Only"
Global Trust Bank Ltd.
Executive Vice President: P.C. Narayan
Strategy: Our bank's
private network is not connected to any external network. Our
Internet banking division works on a separate LAN segment by
itself, which is not inter-connected with GTB's private network.
The servers are protected with automatic access locks. The
passwords are frequently changed. Users are constantly educated/updated
on the various security-related issues. In addition, our
internal auditors, on a periodic basis, carry out security audits.
Most importantly, sensitive data sent over our leased line network
are 128-bit encrypted. Finally, we have a third-party audit
done by a reputed firm in the Internet security area for intrusion
detection.
Tools: McAfee (Total
Virus Defence) anti-virus software is installed on all PCs.
K. Jayadev

"Foolproof all the Layers"
Intelligroup Asia Pvt. Ltd
Assistant Vice President, MIS: Prasad Kodali
Threats:
Corporates are vulnerable to basically three types of security
threats: internal hacking, external hacking and virus attacks. As
long as a corporate network is private, though global, and is not
open to the Net, it is relatively safe from external attacks.
Strategy: Mere
installation of a firewall does not ensure safety of the network.
The performance of the firewall is guided by the company's
security policy, which translates into a set of instructions for
the firewall to function.
About the ILOVEYOU virus
attack, we sent a mail to all our employees, informing them not to
open any attachments. The mail server was under constant
observation to see any flooding of infected mails internally or
externally. Subsequently an update was downloaded and applied.
The company's network has
adequate security features. Floppy drives are disabled on all the
PCs. Network configurations are locked and cannot be changed by
any user. Access to projects data is available only to respective
project teams. Our network is protected from the Internet attacks
with a firewall with clearly-defined security policy for different
types of inward/outward access.
K. Jayadev