Safety Technologies:
Only five more years for the Internet?
COMPANIES NEED GREATER INFORMATION SECURITY AWARENESS

The attitude adopted by a company and its employees is the most important feature of data security; mere technical safeguards are not enough. The importance of information has to be understood and preparations made for problems.

A good reputation and a highly regarded brand are increasingly important to companies, and they want to hold on to them. Once a reputation has been damaged, it is always difficult to win it back.

A reputation may, for example, be based on customers’ confidence in a company to be a reliable supplier. A tale told about a German bakery at a data security seminar arranged by three Finnish data security companies, F-Secure, SSH Communications Security and Stonesoft, provides an excellent illustration.

The bakery had decided that it would not invest in data security, because the computers linked to the network did not hold information worth stealing, and, on the other hand, theft would not inconvenience the bakery greatly. Sure enough, a hacker broke into the computers, and, just as expected, he took nothing of importance. However, he threw the computers into so much confusion that the bakery could not even access its own recipes for several days.

When the bread could not be made, regular customers started becoming annoyed. Shopkeepers finally made the bakery’s management an offer: because your bread is good, we’ll buy it from you in the future, but you must be able to guarantee that it’ll be delivered, and we’ll pay you 20 per cent less than the present price.

What else could the bakery do but agree, even though the offer meant that for the next three years it would be making no profit on its deliveries? And, of course, when the computers were finally repaired and the bread could once again be delivered to the customers, the company managed to find the money to arrange data security even though it was not making a profit.

Protection before a crash

“The case of this bakery is a good example that it’s worth investing in data protection before something happens, because otherwise it becomes expensive. On the other hand, you have to remember that technical safeguards won’t solve everything; the most important thing of all for companies is a risk analysis. You must also make a conscious decision about how the company will function if something happens,” says Professor Hannu H. Kari at the Helsinki University of Technology.

Besides his academic career, Kari is actively involved in the business world. He is a background influence at SSH Communications Security and Nixu, both of which focus on information security. Before moving to the university, he worked at Nokia and was one of the main designers of the GPRS standard. Kari holds more than 20 patents and is applying for about 20 more. Some of the patents are directly linked with information security on networks.

The ways of keeping information secure at companies depend, of course, on what information the company has and how it is accessed. These days most data is on computers, but computers are not necessarily linked to a network.

Some companies have only a static presence on the network, and the computers linked to the outside network are not critical to their operations. In this case it is probably enough if the protection in place prevents the computers from being tampered with or destroyed. But when a company’s operations are based entirely on a network, the protection must be absolutely impeccable.

In order to protect data adequately a company must realize that the information assets are really valuable and assess which data is the most important of all. Three important matters need to be evaluated: integrity, confidentiality and availability.

Integrity means that the information in the data systems is in the form in which it must be, i.e. it has not been changed without permission or altered by accident, and the files have not been corrupted. Confidentiality means that the data is not used by anyone who is not entitled to do so. Availability specifies who may use what data in order to do their work, and that this information is always at hand, even during absences from the office.

The value of information, and hence of protecting it, is shown very clearly by a survey carried out by the IBM Global Services unit in the spring of 2003 into the cost of computer crime in Great Britain. In 2002 companies incurred damage to the value of 240 million euros. The survey showed that the biggest costs came from thefts of information, and not from damage caused by viruses, as has often been thought. This research covered crime relating to 3,000 computers.

Only five years more

Information security on networks must take into consideration three different levels. Most of the attention is fixed on protecting data transmission. “You must remember, however, that protecting the protocol level is a very small part of the total picture,” Kari points out.

For example, on networks based on Internet technology, data is transmitted using the TCP/IP protocols, and that is why we talk about protecting the protocol level. The data is transmitted along the network in small packets, and the packets are reassembled on the receiver’s machine into the same message that the sender transmitted. The purpose of the protocol is to ensure that all the data packets reach the destination intact.

“But what if a hacker attacks the infrastructure, breaks the systems or blocks the computers, making them inoperable?” Kari asks. Then the traffic on the network is impeded and the payload cannot be transmitted. Although the intruder does not get his hands on the actual information, he can in this way totally paralyze the operations of a company using the network.

In addition to the hardware infrastructure, attention should also be paid to the content itself. It must be possible to ensure that nobody can change information at any point between the sender and the recipient without either of them noticing, and that data on a company’s computer is not changed because employees make mistakes or databases are corrupted. These are, in truth, big problems for companies.

The protection of the protocol level is certainly important and it must operate correctly. “Although it’s almost impossible for an outsider to find out what’s travelling in data packets between two users, it’s very easy to find out which users are communicating. Then a conversation between the two can be confused by inserting strategic packets,” Kari points out.

In less than ten years the Internet has revolutionized many things, but because of information security problems Hannu Kari suspects that its prospects are poor. “I predict another five years for the Internet in its present form. The reason for this will be that proper users’ dissatisfaction will have reached such heights by then that some other system will be needed, unless the Internet is improved and made reliable.”

Content requires attention

One major problem with the Internet is the lack of confidentiality. For example, an e-mail cannot be trusted unless it has been authenticated.

“A couple of years ago a forged e-mail came to Paavo Uronen, the principal of Helsinki University of Technology, in the name of Maija Raski, the minister of education. The message had been written in a very nasty tone, and when the principal sent a request for an explanation to the ministry, it became clear that no message had been sent. This caused an awful hullabaloo. The perpetrator was never caught. The only thing that was clarified was that the message had come from an Internet terminal in some general library,” Hannu Kari relates.

Kari says that catastrophically little attention has been paid to ensuring that the content is reliable on data networks. “It’s easy to appear with somebody else’s identity, in some other capacity than the sender of an e-mail. So that nobody can do this, there should be some way of authentication. For example, the Population Register Centre could give certificates that will make it possible to prove that certain properties are definitely right. Then, when there are problems, it would be possible later to prove what you’ve done and what you haven’t done,” Kari proposes.
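The integrity requirement described earlier and the authentication Kari proposes here come down to the same check: the recipient must be able to tell that a message really comes from the claimed sender and has not been altered on the way. The following is an added illustration, not code from the article or from any of the companies it names. It uses a shared-secret message authentication code (HMAC-SHA256 from the Python standard library) as a simplification of the certificate-based proof Kari has in mind; the key, addresses and message text are constructed for the example.

```python
import hashlib
import hmm_placeholder_guard  # noqa: F401  (removed below; see next line)
```
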

If the Internet is to stay alive, mechanisms for authenticating the correctness of information should be built into the network. At present the Internet’s infrastructure is too vulnerable and will not withstand attacks against a router. This is so even though the Internet was originally created for military purposes; that origin evidently does not guarantee the system’s security.

“Even today the router on cordless networks being used for military purposes and its protocols are totally unprotected i.e. the enemy can insert his own protocol that will make all messages nonsense before they reach their destination,” Kari relates.

Selling is difficult

Selling data security is difficult in the sense that it is not a tangible product, as, say, a lock is. It is very difficult for the layman to assess if information security is functioning properly or not. The purchaser always has to trust somebody else.

“The only data security that really works is based on publicity. It’s a little like locking a house: if you try to make the locking system as unobtrusive and inconspicuous as possible, somebody will test to see if it works, but if the system appears extremely difficult to break down as soon as you look at it, anyone with evil intentions will probably admit that it’s not even worth trying to break in there,” Kari explains.

“In the same way a hacker must be given a signal that we’re protecting our system so strongly that it’s not worth your while trying to break in. And what’s more, if we notice that you have tried, we’ll swap these machines for even better ones.”

Many companies look at the world through rose-tinted spectacles: “Who’d be eavesdropping on us now, or who’d want our information?” This is what companies all over the world are saying, and it means a lot of work for data-protection companies. Companies must be made to understand the importance of protection, and also that the protecting must be done correctly and maintained the whole time.

A company’s information security methods must be reassessed at regular intervals, because time changes both needs and threats. Thomas Peltier, an expert at the Computer Security Institute in the USA, recommends that the situation be re-evaluated at intervals of six months at the least.

A continuous process of protecting information is split into three parts: risk analysis, implementing and installing measures and protection systems, and evaluation.

In the spring of 2003 the Human Firewall Council looked into management’s methods of conducting data security in companies worldwide. The Security Management Index (SMI) of 2003 revealed that most companies do not manage security operations properly throughout the entire company. Of the more than one thousand companies taking part in the questionnaire, 80 per cent were given an unsatisfactory grade, and about half of them could be considered as failing.

Embarrassment

Awareness of problems and risks increases the protection. The problem with information security is that when a company has been the victim of an attack, in general it does not want to talk about it because of the embarrassment. As no information is given about the damage suffered by others, no further investment is made until a company is hit itself.

Embarrassment or not, every computer on a network is liable to attack. Professor Kari gives a pertinent example. “Some time ago we ourselves were embarrassed. A hacker who took over one of our machines, what we call ‘a smurff’, used it to attack a certain company. We found out when an administrator at this company asked us what on earth was going on. The reason why it was so easy to break in was that I, in my laziness, had not carried out the latest security updates.”

Attacks are difficult to trace, and the situation has deteriorated as international connections have become faster. When a smurff makes an attack, tracing is very difficult.

The position of the protector is eased by the fact that most of the thousands of attempts at intrusions worldwide every year are based on about 20 weaknesses in the programs. A list of the weaknesses drawn up by the SANS Institute and the FBI consists of two lists of ten points: the Windows and Unix operating systems both have their own lists.

It must, however, be remembered that although attacks made by hackers against computer systems are given a great deal of publicity, their proportion of all the security problems relating to information systems is quite small: according to the Computer Security Institute less than ten per cent.

Internal threats are worst

Companies’ own internal networks are not secure, because most of the threats come from inside a company. For example, a questionnaire carried out annually by the FBI and Computer Security Institute shows how bad the situation is. In 2002 about 64 per cent of the respondent companies indicated that they had noticed that they had come under internal attack. The growth over the previous year was five percentage points.

It is easy to tell the truth to an anonymous questionnaire, but in other circumstances companies are unwilling to talk publicly about internal attacks. “The most active companies are already installing internal firewalls, but it’ll take some years before they’re standard practice,” Hannu Kari reckons, pointing out that it likewise took some years before external firewalls became established.

Mere firewalls in an internal network will not be enough. Misdeeds or thefts of information can take place in many different ways, including attacks that appear to come from outside, so experts recommend using several different security techniques. But it is not possible to obtain the full benefit if there are no rules and regulations.

“In the final analysis effective information security is a matter of agreed operating methods inside the company,” Hannu Kari states.

Problems can be reduced considerably if a company’s user control functions well. Access rights must be weighed carefully in each case, and this is easier when the access-control software is combined with the human resources management software. User accounts must definitely be terminated when an employee is no longer working at a company. Programs that track intrusion attempts have become extremely useful. These intrusion detection systems can monitor attacks that are both internal and external.
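The two points above, that access rights should be reconciled against the human resources records and that accounts of departed employees must be closed, can be checked mechanically. The script below is an added example, not code from the article or from any company it mentions: it compares a constructed HR roster with a constructed directory account list to find enabled accounts that belong to nobody currently employed, and then scans a few constructed SSH log lines for successful logins by those accounts, which is exactly the kind of internal event an intrusion detection system should raise. The usernames, dates, addresses and log format are all constructed for the example.

```python
import re
from datetime import date

# Constructed HR roster: username -> (full name, employment end date or None)
HR_ROSTER = {
    "akoski": ("Anna Koski", None),                 # current employee
    "mlehto": ("Mika Lehto", date(2003, 3, 31)),    # left at the end of March
    "tvirta": ("Tuula Virta", date(2003, 12, 31)),  # fixed-term contract, still employed
}

# Constructed directory export: username -> account enabled?
ACCOUNTS = {
    "akoski": True,
    "mlehto": True,        # never disabled after departure
    "tvirta": True,
    "svc_backup": True,    # account with no owner in HR at all
    "jnieminen": False,    # correctly disabled; not a finding
}

# Constructed authentication log lines (sshd-like format, made up for the example)
AUTH_LOG = [
    "2003-04-14T08:15:02 sshd: Accepted password for akoski from 10.0.1.20",
    "2003-04-14T23:41:07 sshd: Accepted password for mlehto from 10.0.1.77",
    "2003-04-15T02:03:11 sshd: Failed password for svc_backup from 192.168.5.9",
    "2003-04-15T09:12:44 sshd: Accepted publickey for tvirta from 10.0.1.21",
]

LOGIN_RE = re.compile(r"^(\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")


def find_orphaned_accounts(roster, accounts, today):
    """Return enabled accounts whose owner is unknown to HR or has already left."""
    orphans = []
    for user, enabled in accounts.items():
        if not enabled:
            continue  # already closed, nothing to report
        record = roster.get(user)
        if record is None:
            orphans.append(user)  # no HR record: ownerless account
            continue
        end_date = record[1]
        if end_date is not None and end_date <= today:
            orphans.append(user)  # employment ended but account still open
    return sorted(orphans)


def successful_logins_by(users, log_lines):
    """Return (timestamp, user, source) for every successful login by a watched user."""
    watched = set(users)
    hits = []
    for line in log_lines:
        match = LOGIN_RE.match(line)
        if match and match.group(2) in watched:
            hits.append((match.group(1), match.group(2), match.group(3)))
    return hits


def review(today):
    """Run both checks and return the findings as one structure."""
    orphans = find_orphaned_accounts(HR_ROSTER, ACCOUNTS, today)
    return {"orphaned_accounts": orphans,
            "suspicious_logins": successful_logins_by(orphans, AUTH_LOG)}


if __name__ == "__main__":
    findings = review(date(2003, 4, 15))
    for user in findings["orphaned_accounts"]:
        print(f"open account without a current employee: {user}")
    for ts, user, src in findings["suspicious_logins"]:
        print(f"successful login by orphaned account {user} at {ts} from {src}")
```

The failed attempt by `svc_backup` is deliberately left out of the login findings: the first pass reports only the open accounts, and the second reports only confirmed use of them, so each list answers one question. Running the reconciliation on the HR system’s schedule, rather than waiting for the semi-annual review the article mentions, is what closes the window between an employee leaving and the account being disabled.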

Photo: Professor Hannu H. Kari predicts that the saga of the Internet in its present form will come to an end in five years unless the information security and functionality of the network are improved.

Published 2002
