How Public Networks Threaten Corporate and Home Computer Users




Background

Data access security practices were traditionally viewed by corporations as a vital tool for protecting their information assets. Casual computer users working in the privacy of their own home viewed access security as unnecessary. When the same casual user was put in the corporate workplace, they typically saw no need to protect their corporate PC. It was the job of Installation Security Officers (ISO) to worry about security.

Most employees are unaware of the security measures used by their company to protect the organization's private computer network. ISOs traditionally perceived the real risk to be where the bulk of their data was stored and processed, ignoring the personal computers.

Rapid changes in technology suddenly put a significant number of home users and virtually all corporate users (and the corporations themselves) at risk. Corporations can not now rely solely on their ISOs to deal with security needs. Every individual computer user in the company needs to understand some basic security practices, whether the work is done at the office, on the road or at home. Below is a discussion on how both home users and corporations ended up in the same security mess.


Green Zone: Glass House

Most corporations with a lengthy computing background kept most of their computing power and data at a central site. This could be viewed as a large glass house within the green zone, since communications technology allowed physical separation of the powerful mainframes and access to corporate data was easily controlled. The green zone was relatively peaceful and self contained.

Then came the PCs, LANs, WANs, and other platforms. The corporate data processing center was forced to open their glass house to all of their computing resources, even the renegade LANs implemented by independent-minded departments or divisions.


Yellow Zone: Private Networks

This was a time of growing caution, hence the yellow zone. As the movement of mission critical data began its migration from the mainframe glass house to the mid-range and LAN systems, computer security departments began seeking solutions. The recognition of the need to secure data across the entire organization was reflected in the change of titles from ISOs to Network Security Officers (NSO). If the stand-alone mainframe was viewed as a glass house, NSOs now attempted to put bars on the windows.

NSOs focused on securing their burgeoning private enterprise systems. They partially succeeded in protecting themselves from a serious attack on their systems, but they also felt the enormous administrative burden of implementing and maintaining a cohesive security policy across all platforms.

Many data security vendors are proposing solutions by providing an enterprise-wide security product. Computer Associates International has its UNICENTER and UNICENTER/STAR initiatives. IBM put forth NetSP and DCE. The list of newcomers to the enterprise security market is quite lengthy. While these initiatives can address the security needs of a large private internal network, NSOs and software vendors are now scrambling to address another new development: access to public networks.


Red Zone: Public Networks

Public networks, such as the Internet, are not owned and controlled by a user or a corporation. Networks such as CompuServe, Prodigy and America On Line are private to their owners, but must be viewed as public by all of its users. You are now in the red zone, where new computer access security problems are invented (or discovered) each day.

Public networks are deemed "un-trusted" by NSOs. Proprietary networks such as CompuServe, Prodigy, and AOL provide trusted services, but you are no longer in control of your PC once you are connected. It is easy to test this theory out for free: Contact AOL to receive a trial diskette (which allows you 10 hours of free connect time to preview their services). Install the diskette on your PC and watch AOL perform. I challenge anyone to browse their services and NOT have new artwork downloaded to your hard drive. The same applies to CompuServe and Prodigy.

Other public networks such as the Internet are working definitions of "un-trusted". The Internet has no owner. It is a network of thousands and thousands of network servers and millions and millions of connected PCs. All you need is an $80 modem. Similar to the proprietary public networks, the Internet uses advanced communication protocols such as TCP/IP. These protocols allow for packets of information (data and commands) to be exchanged between two partners across a vast network.

Even at an intuitive level two additional problems can be spotted in the already difficult modern business environment. First, after identifying all the systems between you and your partner, does any one of them have a chance to view and/or alter your packets of information? Second, can you trust the partner is really the system that they claim to be?


Home and Corporate Users Find Common Security Threat in the Red Zone

This ease of access to the red zone has two profound effects. First, and obvious to the NSOs, is the ease by which private networks can be connected to public networks. In many organizations, users are assisted in making these connections due to user demand or sloppy network configuration. Second, and more far reaching, is the extreme vulnerability of the casual home PC user to security threats.

Loss of Corporation Control - NSOs have lost their ability to control their private networks. A centralized enterprise-wide security implementation becomes exponentially more difficult to create and maintain. Worse yet, the shaky access controls in place today were only prone to attack from employees. Now all users of the Internet and other public networks must be considered potential threats.

The birth of firewall systems is an attempt to deal with this problem. In time, private networks will have enough armor to effectively prevent unwanted intrusions into their more guarded components.

Casual User "Insecurity" - The vulnerability of the casual PC user is a far more serious problem and has yet to be readily understood, let alone addressed. The very communication technology that makes access to the Internet possible for everyone also opens up each of their shiny new 1GB hard drives for the world to access. The casual user will quickly comprehend their security needs in the red zone once their hard drive is accessed for all their personal information - especially data on "borrowed" software.

Home PC users are also at a severe disadvantage to their corporate PC counterparts. Corporate users can rely on an existing security infrastructure to support their security needs, both through financial and education resources. The vast majority of home PC users simply do not know where to begin.


How To Protect Yourself

There is a relative easy cure for corporate and home PC users - implement traditional access controls at the PC level. There are a number of reputable PC security products readily available which prevent access to selected directories on the PC's hard drive. It is vital that PC users and NSOs understand that the only solution to this problem is at the level of the PC itself. For the first time, corporate users cannot rely solely on their organization's security departments to address their security needs. For the home user this was always true.

These are the steps to follow to protect your PC:

1. Secure the PC. An access control product allows you to decide which files can be viewed with and without a userid.

2. Establish a userid. A userid, (i.e. NETID) should have only enough privileges to execute the communications software and should contain a download and upload directory.

3. Break connections to your private network. This provides a separation between the yellow and red zones, the private and public networks.

4. Log on to the NETID prior to connecting to a public network. While logged on as NETID neither the user nor, more importantly, the communications software can access the hard drive beyond the permissions established.

5. Return to the normal id. Once the session is complete the user logs back on to their more powerful id to regain access to their hard drive.

It is also advisable to run a virus check on all directories that were accessible during the connection or session in the red zone.


False Sense of Security

Some NSOs and vendors have a mistaken faith in firewalls for access protection between the yellow and red zones. Firewalls filter incoming and outbound network traffic to insulate their organizations and users from the public networks. This is inadvertently circumvented when the user connects a PC to the Internet or other public network directly by phone line.

While connected to a public network, all existing open connections to the private network (i.e. LAN, 3270 terminal emulation, etc..) are available for inspection. Some organizations are increasing the potential problem sources as they deploy mobile computing resources, such as laptops with 14.4kb modems to connect back to the private network. NSOs simply cannot control how the modem is used.

Since it is unlikely that corporations would (or could) remove modems from the modern corporate environments, two implications of openness to inspection are examined further here: LAN drives and automated security tools.

LAN Access. Even with typical security implemented, the user of a PC is usually authorized to access the entire hard drive. When connected to a public network such as AOL, the AOL program is running under the authority of the user. That is another way of saying that AOL could access all of the hard drive. Worse yet, if the user has LAN access, the mapped LAN drives are also theoretically viewable to AOL. This could provide direct access to the private network. To be clear on this point, AOL is not accused of these practices but nothing is preventing AOL or another public network provider from doing this.

Security Administrator Tool for Analyzing Networks (SATAN). SATAN is an example of a new generation of automated security "tools". SATAN is a public-domain software package available free to all users of the Internet. It's primary goal is to test the security of systems connected to the Internet, probing systems to see if there is an exposure.

In the hands of the NSO it is a great tool to see if the private network installation is secure. In the wrong hands it provides an automated tool to seek openings in any computer connected to a public network. All users of public networks, especially the Internet, must understand that automated, highly sophisticated hunters are actively seeking to exploit network connectivity. Automated tools can access and hit millions of systems with very little effort. As corporate systems implement effective firewall systems, the hunters will turn their targets to the more vulnerable PC users who connect directly to the public networks by modem.


What It Takes to Get the Word Out

The private sector, representing millions of computers, is more exposed and vulnerable than the private corporate systems. Security awareness is the most important problem because individual users never had to worry about data access control.

There is a tremendous lack of knowledge. Even seasoned PC users raise their eyebrows when told that there is nothing to prevent their on-line provider such as Prodigy, CompuServe, or AOL from simply uploading a tree, or directory listing, off their hard drive. Imagine what can be done with this information by marketing firms? Or the software police?

Until a few horror stories are told, the casual PC user will not be aware of the potential problem. Publicity regarding recent virus attacks grabbed the attention of many users. During the next assaults, the groups which choose to siphon information from user systems, both corporate and private, will not be so kind as to announce their presence.

And Finally...

Both home and corporate users are at risk. The scope of that risk dictates the response. As stated earlier, there is good news. In both cases the simple implementation of basic security measures can dramatically reduce the risks.

The logical point to combat security exposures when connecting to public networks is the point of first connection.

Home users must protect their PC. Home users simply have to keep their hard drives hidden from the public networks, and there are products available to accomplish this.

For corporate users, the gateway is the logical point to implement security controls (i.e. firewalls). Unfortunately for corporate Network Security Officers, their ability to build a firewall to shield their private networks can be compromised by any unsuspecting user who simply makes a direct connection via modem to public networks. Corporate NSOs must mandate that their PC users implement the same security measures. Once mandated, the NSOs can return to their old problem of how to implement and manage an enterprise wide security policy.

Due to the serious exposures that both communities risk, it is highly recommended that immediate steps be taken to protect the systems that are directly connecting to public networks. For both home and corporate user communities, that is the PC.

Corporations also need to address their high-end network servers as they obviously represent a larger risk. While vendors push for enterprise-wide security management, it is not recommended to ignore the PC while waiting for the ability to manage the security on the entire system.

At one time PCs were viewed as the lowest priority in terms of risk. Now corporations must view each and every PC as a port that can connect their private network to any and all public networks.