Barbarians at the gate

Computer network security is critical to you firm’s survival
When the administrative assistant for a small Milwaukee law firm got wind of the fact that she was about to be let go by her employer, she decided to get even.
On her last day, the disgruntled woman went in and deleted five years’ of the company’s history, including its backup records. Then she changed the password needed to enter the firm’s computer network, effectively locking everyone else out.
The damage was done.
The firm’s failure to build the proper security into its computer system cost it dearly, and it could cost your business as well, warns Kelly Hansen, principal of Sun Tzu Security, Ltd., a Milwaukee network solutions provider.
Not convinced? Take the case of Citibank, which lost $400,000 when a computer hacker got access to the bank’s network, and acquired the credit card numbers of Citibank cardholders and committed credit card fraud.
OK, so Citibank is a big national bank, and those kinds of things just don’t happen here, right? Guess again.
Hansen says Wisconsin banks are especially behind the times when it comes to network security, using only a password to protect unwarranted entry into their system. Consider that password systems can be broken 80% or more of the time, according to Ernst & Young.
And it’s not just the banks which are leaving themselves open. According to Hansen, 95% of Wisconsin companies have no network security in place, leaving them open for security breaches which can put them out of business.
“Basically, without some sort of network management tools in place, you’re inviting someone to come in and take your information,” says Hansen, who got her master’s degree in comparative literature at Harvard University before starting the business in 1996.
“You can’t trace what people are doing on your system, because there is no recorded evidence. It’s very sad. In terms of sophistication, I would say we’re about three years behind the coasts.”
According to Hansen, who makes it her business to know such things, 80% of all computer hacking attempts are internal – they come from your own employees during off hours.
Installing network security, otherwise known as building a firewall, will set off an internal alarm when someone goes where they are not supposed to go, such as an unauthorized trip into the company’s proprietary financial information. This is called intrusion detection.
You can install a network firewall that maintains a log and tracks all activity on your computer network. Essentially, logging records the comings and goings of people on a computer system.
Even after they have incurred serious breaches, local companies are often reluctant to spend on network security. They place a cap on what they are willing to spend, not willing to go as low as $1,500.
Hansen says what she is offering is like another form of insurance. Therefore, you need to place a monetary value on what your company’s information is worth. Say it’s $6 million. Also consider that you might get sued by your customers if the breach affects them. Now weigh that cost against the money it would cost to get the necessary security in place, Hansen says.
“You don’t want to go out and get insurance after your beach house has been swept away by a storm,” Hansen says. “You want to have it beforehand. Once a breach has occurred, it takes four times as much effort. Consulting hours go way up because we have to go through everything to find out where the breach has occurred.”
Computer espionage has replaced the old man in the trench coat meeting his contact out on the corner as the preferred method of spying. Last year, there were more than 250,000 attempted computer hacks on the U.S. Department of Defense, and 60% were successful.
“Hacking is not hard,” Hansen says. “Everyone thinks you’ve got to be an evil genius. There are tons of software tools available on the Internet, anything from a packet sniffer to a war dialer, to help these people get in.”
Year 2000:
The gates swing open
Computer spies are everywhere, as the phenomenon trickles down to the level of small business. What is particularly insidious these days is the Year 2000 computer bug, which requires that businesses bring in outside consultants to go over their systems to detect the bug.
The problem, Hansen says, is that most of the qualified engineers and programers are long gone, sucked up by the big corporations, and leaving a dearth of talent in their absence. What
“Without network
management tools in place, you’re inviting someone
to come in and take
your information.”
– Kelly Hansen, Sun Tzu Security
small to medium-sized businesses who are coming late to the party are left with are people who are not qualified to perform this kind of work, Hansen says.
“Here we’ve got people who are really worried about the Year 2000, and they want to make the necessary changes, but they’re not a major player, so they can’t afford a Big Six consultant, so they go for a local firm. But they are finding that the good local firms are booked up, so they are probably going to start picking up individual consultants.”
This is where the trouble begins, as the majority of small businesses will throw open the keys to the kingdom to a complete outsider .
“It’s a great opportunity for corporate espionage to pick up proprietary information,” Hansen says. “You know, send them a would-be Y2K consultant.
“And virtually all businesses will throw open the keys to the kingdom,” she says. “They will say, ‘Here, fix this,’ and no one will watch because they are probably short-staffed and not concerned about security issues. And you don’t know who he is or where he’s going.”
Essentially, under this scenario, a firm is giving carte blanche to go through their entire network and take anything they want. This can be accomplished by building in a so-called “back door” to the computer network through the Internet, which allows them to come back in and download proprietary information.
At the very least, get references from other businesses for whom your Year 2000 consultant has worked, Hansen says. And ideally you should have your firewall in place before the consultant comes in, so you can trace his movements, if need be.
“Without network management tools in place, you’ll never know where they went or what they did,” Hansen says.
Online danger
Hansen says her firm gets calls from big companies which have T-1 lines coming in, asking her if they need to get firewall protection. The answer is yes. Because, with Internet access, it’s like a two-way connection, which means people can come in as easily as your own employees can go out onto the Internet. Hansen says it’s like walking out the door at the end of the day and leaving it unlocked.
Simply by linking all of your computers through a local area network and then connecting through the Internet, you could be giving anyone on the Internet access to your company information.
“If you don’t connect to the Internet through a firewall, then you shouldn’t really be connecting to the Internet at all,” says James O’Brien, vice president of information technology for Sun Tzu. “This is called ‘open door,’ because it’s like saying ‘Come on in.'”
As a growing number of firms seek to engage in electronic commerce, what Hansen and O’Brien see is that the vast majority of these firms are not implementing any form of network security. Not only are most of these firms unaware that they need to allow for encryption to make these online transactions safe, but they also need to put a firewall in place to protect that financial information once they receive it.
“It will sit there in a database, and if someone can break into the server, they can get not just one credit card, but the credit card number of everyone who has ever ordered,” O’Brien says.
April 1998 Small Business Times, Milwaukee