Internet security on a budget

Computers & Security, Vol. 77, No. 2

Abstracts of Recent Articles and Literature

corresponding solutions. Allowing even those with limited security expertise to resolve problems, Netective security software from Netect Inc. simulates network attacks, ranks the importance of the holes it locates and directs administrators to Web sites where the necessary fixes can be found. Netective carries software that can run on Windows NT or Sun Solaris servers. It contains an updatable database of security breaches and fixes; agent software on each server that checks system files, patches, permissions and passwords; and Java software that graphically displays system status and test results in Web browsers. Netective's biggest advantage is its automated update feature, which reports on the latest network hacks via E-mail or CD-ROM each month. Its major drawback is that it does not come with a mechanism to notify end users that tests are taking place. Data Communications, February 1998.

A security architecture for the Internet Protocol, P.C. Cheng, J.A. Garay, A. Herzberg, H. Krawczyk. IBM's firewall products offer a new design and rationale for a security architecture that ensures the protection and secrecy of data traffic at the Internet Protocol (IP) layer. The design can be broken down into three components: (1) a security policy for determining when, where and how security measures are to be applied; (2) a modular key management protocol (MKMP), which establishes shared secrets between communicating parties; and (3) the IP security protocol, as it is being standardized by the Internet Engineering Task Force, for providing the security measures themselves. Together, these three components establish a secure channel between any two communicating systems over the Internet. IBM Systems Journal, Vol. 37, No. 1, 1998.
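The three-component design in the IBM abstract (a policy that says when and where protection applies, a key management step that gives both ends a shared secret, and an IP-layer protection that uses it) is easier to see end to end in code. The following is an added example, not code from IBM, from the paper or from this journal: the rule table, the key-derivation stand-in for MKMP, the packet layout and every address in it are constructed assumptions. It shows a receiver applying the policy first, then checking an integrity tag and a sequence number on protected traffic, and what happens to a tampered packet and a replayed one.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Added example modelled on the three components in the IBM abstract. Rule
# table, key derivation, field layout, names and addresses are this example's
# own assumptions, not IBM's design or the IETF protocol.

# (1) Security policy: ordered (src_net, dst_net, action) rules, first match
# wins. Networks are constructed sample values.
POLICY = [
    ("10.1.0.0/16", "10.2.0.0/16", "protect"),  # site-to-site traffic must carry a valid tag
    ("10.1.0.0/16", "0.0.0.0/0",   "bypass"),   # other traffic from site A is passed in the clear
    ("0.0.0.0/0",   "0.0.0.0/0",   "discard"),  # everything else is dropped
]


def lookup_policy(src: str, dst: str) -> str:
    """Return the action the policy prescribes for a source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in POLICY:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "discard"  # no rule matched: fail closed


# (2) Key management stand-in: both ends hold a long-term secret, exchange
# nonces and derive the same fresh session key. The abstract's MKMP also
# authenticates that exchange; that part is not modelled here.
def derive_session_key(long_term_secret: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    return hmac.new(long_term_secret, b"session|" + nonce_a + b"|" + nonce_b,
                    hashlib.sha256).digest()


# (3) Per-packet protection: an integrity tag over the addresses, a sequence
# number and the payload, so none of them can be altered or replayed unnoticed.
def _tag(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    header = f"{src}|{dst}|{seq}|".encode()
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def protect(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> dict:
    """Sender side: attach the tag to an outgoing packet."""
    return {"src": src, "dst": dst, "seq": seq, "payload": payload,
            "tag": _tag(key, src, dst, seq, payload)}


class Receiver:
    """Applies the policy, then verifies tag and sequence number on protected traffic."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # simplest anti-replay rule: sequence numbers must increase

    def accept(self, pkt: dict) -> str:
        action = lookup_policy(pkt["src"], pkt["dst"])
        if action != "protect":
            return action  # "bypass" or "discard": no cryptographic check involved
        expected = _tag(self.key, pkt["src"], pkt["dst"], pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt.get("tag", b"")):
            return "reject-bad-tag"
        if pkt["seq"] <= self.last_seq:
            return "reject-replay"
        self.last_seq = pkt["seq"]
        return "accept"


def demo() -> list:
    """Run the three components end to end; returns each packet's fate in order."""
    long_term = b"pre-shared secret known to both gateways (constructed)"
    key = derive_session_key(long_term, secrets.token_bytes(16), secrets.token_bytes(16))
    rx = Receiver(key)
    good = protect(key, "10.1.5.5", "10.2.7.7", 1, b"account balance query")
    tampered = dict(good, payload=b"account balance query; transfer 1000")  # tag no longer matches
    replay = dict(good)                                                     # same sequence number again
    clear = {"src": "10.1.5.5", "dst": "192.0.2.1", "seq": 0, "payload": b"public web request"}
    stranger = {"src": "203.0.113.9", "dst": "10.2.7.7", "seq": 0, "payload": b"unsolicited"}
    return [rx.accept(good), rx.accept(tampered), rx.accept(replay),
            rx.accept(clear), rx.accept(stranger)]


if __name__ == "__main__":
    print(demo())
```

Two places where the real design is richer than this sketch: MKMP authenticates the nonce exchange so that a stranger cannot take part in key derivation, and the IP security protocol carries its tag and sequence number in a header of its own and keeps a replay window rather than a single counter.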
No SET commitment, yet, John Evan Frook. Despite credit card associations' best efforts to push the technological advantages of the Secure Electronic Transaction (SET) protocol, direct merchandisers are reluctant to develop SET applications until there is concrete demand for it. Clothing marketers Land's End and Spiegel both currently use Secure Sockets Layer (SSL) encryption to collect credit card data from their customers. They report few problems with SSL and little desire for SET, which extends beyond SSL to provide identity validation. Without widespread distribution of SET-enabled digital wallets to consumers, merchants have little reason to build Web site applications that take advantage of the SET protocol. Spiegel officials say that the key to Internet commerce is customer choice, not necessarily new technologies. Internet Week, 19 January 1998, p. 29.

Study: security audits often neglected by many, Rutrell Yasin. IT managers face the task of securing mission-critical corporate data while opening up the corporate network for Internet access. According to industry consultants Zona Research, these conflicting aims are causing many IT managers to overlook key security vulnerabilities. Very few managers are conducting penetration tests to help reduce these vulnerabilities. The report, Desperately Seeking Security, presents a snapshot of how IT managers are deploying security tools. 58% of the 212 companies surveyed expect security-related spending to increase in 1998. But the report warns that many IT managers are adopting a 'head in the sand' mentality when it comes to bringing in outside security auditors. Internet Week, 26 January 1998, p. 31.

Online security leak, Kim Girard. America Online's admission that it violated its own privacy policy by giving the US Navy personal information about a subscriber could serve as a wake-up call for corporate information systems managers and users concerned about privacy on the Internet. Observers note that the case could make corporations more wary of using the Web or push them to tighten their existing security policies. Potential customers could also think twice before posting private information on Web sites. The lesson for information systems departments is to keep sensitive customer or client information off the Web, or behind a secure firewall, until better security and encryption methods are available. Computerworld, 26 January 1998, p. 2.

Internet security on a budget, Clare Tristram.
Are you worried about Internet security, but don't have the budget flexibility to invest in a high-end firewall? Rest assured, you will find it comforting to know that no amount of money can buy complete, guaranteed security. For the average organization, cheap, easy-to-implement solutions can provide most of the security that is required. Observers point out that highly secure technology such as encryption adds undue complexity and cost beyond its benefit, unless the organization is a high-risk target. Instead, security managers should watch what they put on the network: every network application brings with it security holes. When resources are scarce, concentrate security efforts on the areas where information is at highest risk, by monitoring them frequently, putting stringent backup rules in place, and introducing physical security measures such as entry passwords. Keep local area networks local. Publish a clear, uncomplicated security policy. Beyond these steps, managers should deploy a server that sits between internal networks and the Internet, acting as an application-layer gateway. LAN Times, 2 February 1998, p. 30.

New antivirus packages get serious, Laura DiDio. Several new antivirus packages on the market embed antivirus detection programs within the application and automatically check for macro viruses and clean them off the system. Until now, traditional desktop virus protection packages have not provided adequate protection against macro viruses. The latest desktop packages scour the Internet and E-mail for problematic code, making it easier for information systems managers to establish a defence around the entire network perimeter, rather than attempting to secure every individual desktop. MIMESweeper 3.1 from Integralis, which can be installed on remote Windows NT and Windows 95 machines, dismantles inbound and outbound E-mail and attachments, inspecting them for viruses. Trend Micro Devices' MacroTrap package offers rules-based technology that detects and cleans macro viruses. Recent research finds that the rate of viral infections has tripled during the last year; macro viruses accounted for 80% of new infections. Computerworld, 2 February 1998, p. 41.
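Perimeter scanners of the kind described above take each message apart and judge the attachments by their contents rather than by what the message claims about them. The following added example (not MIMESweeper's or MacroTrap's code, and not from the article) does that with Python's standard email package on a constructed sample message: it quarantines any attachment whose bytes begin with the OLE2 compound-file signature used by Office 97-era documents, the usual macro-virus carrier of the period, even when the file is named as a GIF, and holds for review a macro-capable extension whose contents are not OLE2. The signature is the standard OLE2 header; the extension list, the verdict names and the sample message are this example's own choices.

```python
import email
from email import policy
from email.message import EmailMessage

# Added example: a minimal perimeter attachment check in the spirit of the
# e-mail scanners in the abstract. Not vendor code; extension list, verdict
# names and the sample message are this example's own assumptions.

# Standard OLE2 compound-file signature. Office 97-era .doc/.xls files use this
# container, and it is where the macro viruses of the period lived.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Extensions of macro-capable Office document types (assumption: a short list).
MACRO_CAPABLE_EXT = {".doc", ".dot", ".xls", ".xla", ".ppt", ".pot"}


def classify_attachment(filename, data: bytes) -> tuple:
    """Decide on one attachment from its bytes first and its name second."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if data.startswith(OLE2_MAGIC):
        # Content decides: an OLE2 container is held whatever the name says.
        return "quarantine", "OLE2 compound file (may carry macros)"
    if ext in MACRO_CAPABLE_EXT:
        # Name says Office document but the bytes do not: hold for a human look.
        return "review", "macro-capable extension without OLE2 signature"
    return "pass", "no macro indicator"


def scan_message(raw: bytes) -> list:
    """Dismantle a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        verdict, reason = classify_attachment(part.get_filename(), data)
        findings.append({"filename": part.get_filename(),
                         "content_type": part.get_content_type(),
                         "verdict": verdict, "reason": reason})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a harmless text file, a genuine Office document,
    an OLE2 file disguised as an image, and a .doc that is really RTF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    msg.add_attachment(OLE2_MAGIC + bytes(64), maintype="application",
                       subtype="msword", filename="figures.doc")
    msg.add_attachment(OLE2_MAGIC + bytes(64), maintype="image",
                       subtype="gif", filename="photo.gif")
    msg.add_attachment(b"{\\rtf1\\ansi hello}", maintype="application",
                       subtype="msword", filename="memo.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f"{f['verdict']:10} {f['filename']:12} {f['reason']}")
```

The order of the two checks is the point: the declared content type and file name are under the sender's control, so the byte signature is consulted first, and the name only serves to catch a mismatch worth a second look.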
Target: NT, Deborah Radcliff. Cult of the Dead Cow is a group of hackers that is targeting Microsoft in the hope of drawing attention to security holes in the corporation's products. When they find a hole, these hackers share their knowledge with the rest of the world. Microsoft, they say, is more interested in marketing new systems than in securing them. The hackers say that Microsoft is breeding systems administrators who are so reliant on friendly, point-and-click interfaces that they fail to set basic security settings. Cult of the Dead Cow members have exposed weaknesses in Microsoft's file management system, showing that it allows files to sit on the network within easy reach of hackers, and have developed a program that tests a dictionary of known passwords against those stored in NT's LAN Manager until it finds a match. Computerworld, 2 February, pp. 73-74.

Banking on a secure Internet, Nicholas Hammond. Security First National Bank (SFNB), one of the world's first Internet-based banks, faced considerable risks from hacking. The bank had to ensure that it could securely link its central database to a public network while protecting the data from attacks and from the risk of inadvertent data corruption caused by system glitches or natural hazards. The bank had already detected an attempted cookie-switching attack as well as IP and username spoofing. To address its security concerns, the bank called on the system software architecture expertise of SecureWare. An informational Web server now acts as the point of entry for the bank's customers, while a separate server holding account data resides behind a firewall. To control all network operations, SFNB uses multilevel HP/UX CMW+, also known as a trusted operating system, which in the past has been used only by high-security government installations. When users attempt to send the bank data, it must first pass through a filtering router. Security policy ensures that only a limited number of bank staff are authorized to back up files, upgrade or add software, apply patches to fix glitches, change files and review audit logs. The system authenticates each transaction. Meanwhile, the data centre resides in a high-security room. By May 1995, SFNB became the first FDIC-insured institution to offer banking services across the Internet. Security Management, February 1998, pp. 69-70.

US rethinks Net security plans after hijack plot, David Bicknell. An attempt to seize control of the Internet by temporarily diverting its address system has provoked fears over the Internet's security. Jon Postel, head of the Internet Assigned Numbers