Networking Leaves Doors Unlocked

As the size and number of computer networks in government grows, so do the chances of a breach in security. Solutions exist, but they are not simple.

by / April 30, 1995 0
May 95

Situation: Computer networks contain security loopholes.

Solution: With proper planning and security tools, governments can minimize security breaks.

Jurisdictions: San Diego, Calif.

Vendors: Novell, Security Integration Inc., Mergent International, TGV Inc., Ernst & Young, Lotus, Banyan, IBM, DEC.

Contacts: Stephen Talnose, Security Integration Inc. (617/861-8800.



By Tod Newcombe

News Editor

Last fall, a virus swept through San Diego County government, forcing hundreds of people to stop working. But no one went home sick. Instead, the virus struck more than 100 computers, disabling access to office automation applications and information on mainframes, and reducing the county's productivity by more than 50 percent for several days.

Going by the name Die Hard 2, the virus had originated from South Africa. No one from the county could determine how it got into the network where it crippled desktop computers and servers. Virus scanners, which can detect viruses and protect computers from similar attacks, were not being used by the county because of budget priorities.

The incident in San Diego County highlights one of the more sobering dilemmas governments face with computing today. States and localities increasingly rely on networks of computers to perform everything from general office activities to mission-critical operations.

But the growing reliance on computers has also increased security risks. In a survey conducted last year by the consulting group Ernst & Young, 79 percent of respondents in organizations with over 2,500 employees believe their information security risks have increased, and more than 80 percent report that risks have increased at a rate equal to or greater than the growth of computing resources.

When computing was done almost entirely on mainframes and minicomputers, security was tightly integrated into the system and controlled by the highly centralized data center. Viruses have been and still are almost nonexistent in this environment, according to Richard J. Connaughton, president and CEO of Security Integration Inc. "Host computers never have virus problems because everything is always authenticated and authorized through the data center and mainframe security tools," he said.

With the proliferation of networks, control and security issues have shifted away from the data center to the individual departments and agencies. Instead of having one large system with one set of security tools, governments now have a variety of systems and a range of security measures. Local area networks, client/server and open systems are all part of the new wave of computing, yet these technologies are often deployed without fully understanding how they impact and alter security.

The number of workers who use computers has grown as well. Governments are allowing greater percentages of users to view and edit information, but are not keeping them informed about the responsibilities associated with protecting data. Public access to government information is another growing trend that increases security risks.



WHERE TO LOOK FOR PROBLEMS

Despite recent news accounts about rogue hackers breaching computer security and wreaking havoc, the majority of security problems come from inside an organization. "Problems occur with the people who know the system," said Connaughton. He and other security experts believe disgruntled workers are responsible for a large share of the breaches in computer security. Break-ins from the outside usually occur because someone is able to get hold of a worker's password, which hasn't been changed, or someone has left their computer on because they don't want to log back into the system.

Viruses can also wreak havoc, but often their prevalence is exaggerated and, when they occur, they can usually be kept at bay by installing virus scanners on computers. To further impede the spread of viruses, last year's crime bill signed into law by President Clinton includes a revised federal computer crime statute that outlaws the transmission of rogue computer code, such as viruses and worms, over the nation's electronic networks.

Security breaches, whether by virus or worker, can cost an agency money. San Diego County not only lost productivity when its computers were felled by Die Hard 2, they also had to commit time and manpower to cleanse the computers of the virus. The Ernst & Young survey revealed that over 50 percent of the respondents reported information security-related financial losses in a two-year period, some exceeding $1 million. Despite these documented losses from security breaches, funding for computer security often takes a hit at budget time. Information system managers complain about the dilemma of running a good security program, which keeps things quiet and running smoothly. Management, in turn, figures the agency doesn't have a security problem, so the budget gets cut.

Passwords have been a key element in controlling user access to information as well as for authenticating who is using the information. Mainframes, with their centralized software and applications, kept password use under control. But computer users on LAN-based systems can end up with a half-dozen passwords, and sometimes far more. Network operating systems, such as Novell, use passwords as do most of the relational databases and workgroup programs, such as Lotus Notes. To keep track of which password to use with which program, many users simply tape a list of their passwords to the side of their computer, defeating the purpose of password security.



BUILDING THE SECURITY FENCE

The first hurdle to conquer in computer security is planning and commitment. Effective planning links security with agency operations rather than treating it as a separate function. This approach forces security administrators to integrate its role into all aspects of information processing, making users more aware of its importance, rather than trying to make staff accept security for its own sake.

Security should have what's known as a continuity plan, so users can continue working through some alternative means of computing, such as hot and cold recovery sites, or through some inter-agency computer sharing agreement, should a breach in security bring computing to a grinding halt.

Good security also needs a commitment from management to ensure plans are developed, resources are made available and users are made aware of security's importance to the agency. Too often, users, as well as management, either lack concern or are uninformed about computer security and assume it always exists.

Presumptions about security among workers stem partly from the layers of passwords and log-on procedures they must contend with on a daily basis. In the world of client/server computing, a user may interact with several applications, each of which requires a user ID and a password. The duplication of security can irritate not just the users but also security administrators, who must contend with changing and deleting user authorizations and authentications, as well as the multiple logs and journals for auditing purposes.

To reduce password frustration while improving security in a network environment, software developers have come up with several new security tools. They include single sign-on solutions, onetime passwords and security software integration.

Single sign-on software uses scripting tools to automate the steps users take to log onto a system. One example is the Single Sign-On/Data Access Control System (SSO/DACS) from Mergent International, located in Rocky Hill, Conn. Script-based, single sign-on tools are known for their ease of use and are better suited for agencies with a large number of users operating in a single network environment, such as Novell or Banyan.

Another attempt to streamline security involves one-time passwords. Sometimes referred to as a token or pass-ticket, the technology allows users to replace traditional password authorization with onetime passwords that are useless if captured by an intruder. Originally developed at MIT, the technology is called Kerberos, named after the three-headed dog that guards the entrance to Hades in Greek mythology.

Kerberos is security software for distributed networks and is becoming a de facto standard for remote authentication in client/server environments. Kerberos relies on data encryption and requires a separate security server on the network, which issues one-time password "tickets" to authorized users. The ticket goes with the user, granting him or her access to different applications on the network. When the user leaves the network, the ticket is no longer valid.

Kerberos is available in public domain and commercial versions. A recently announced product based on Kerberos is Secure/IP from TGV Inc., of Santa Cruz, Calif.

Sometimes improving computer security can be done by coming up with a better way of using what already exists. Security Integration Inc., has developed Security Bridge, a software tool that integrates existing host-based external security products, such as RACF, CA-ACF2 and CA-Top Secret, with host applications.

"Most security built into applications tend to be Band-Aid solutions," said Connaughton. By using an integration tool, such as Security Bridge, a county running a payroll program on its mainframe can use the security provided by RACF, bypassing the layers of security built into the application. Connaughton described security integration tools as a grass-roots response to the frustration users have faced when dealing with multiple passwords and log-on procedures.



NOT ENOUGH ATTENTION

Expect the security issue to grow, not shrink, as decentralized computing continues to expand. Unauthorized access by outsiders will also become an issue as more agencies provide access to the Internet for government professionals and the public alike. For state and local governments, curbing potential problems means allocating time and scarce resources to develop sound security policies, plans and systems.

Senior management must be willing to commit funds and manpower to ensure security doesn't fall behind the exploding use of computers in government. Unfortunately, the subject normally doesn't receive enough attention until it's too late.



----------SIDEBAR----------



BUILDING FIREWALLS IN THE CITY OF SAN DIEGO

Like other cities of its size, San Diego has a plethora of computing systems, ranging from IBM mainframes and DEC minicomputers to thousands of PCs networked together over many local area networks. The biggest growth has been in the latter area. "Distributed computing has definitely made security more complex," said Philip L. Thalheimer, MIS manager for the city. "When everything was controlled through the mainframe you had a good sense of what was going on. But with distributed computing, any PC becomes a door into your system."

To keep up with security needs, the city uses a variety of password systems to control access on the inside, as well as virus-detecting software to scan for any incoming transmissions of corrupt code.

To protect against hackers on the outside breaking in via the Internet, the city has developed a firewall. Its purpose, according to Thalheimer, is to keep anyone from the outside from actually gaining access to the city's computers. "It protects us from outside intrusions," he added. The firewall is a computer that contains city information that is accessible to Internet users on the outside, but is not directly connected to the rest of the city's computer systems. "Someone on the Internet can get information off of it, but they cannot access any of our production systems."

As computing continues to grow in the city government, awareness about security has increased as well, commented Thalheimer. "But there's a constant struggle," he added, "between those people who are trying to be productive and doing their job with computers and those people who are protecting the system."



----------SIDEBAR----------



New Internet Security Risk

PITTSBURGH (NB) -- The Computer Emergency Response Team, a government-funded group based at Carnegie-Mellon University, has warned of a new way to vandalize the Internet through a technique known as "spoofing." The center posted a message on the Internet, describing attacks in which intruders create false Internet Protocol (IP) addresses and then take control via "any open terminal or login session from users on the system."

To gain access, said the center, "intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system."

According to the center, even systems with "firewall" protection are vulnerable "if they are not configured to filter incoming packets whose source address is in the local domain.

"Once the intruders have root access on a system, they can use a tool to dynamically modify the UNIX kernel. This modification allows them to hijack existing terminals and login connections from any user on the system."

According to the New York Times, the first known attack using spoofing occurred on Christmas day against a security expert at the San Diego Supercomputer Center. Intruders took over his computer for over a day and stole security programs he had written.

As more commerce flows to the Internet, security becomes much more important, particularly as credit card information flows over the network. Computer security experts have long warned that the Internet is designed to be open and, thus, is prone to intrusion.

According to the center, the best prevention of spoofing is "to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network in order to prevent a source IP spoofing attack originating from your site."

Information about the spoofing attacks and other center material is available by anonymous FTP from info.cert.org