1 April 2002
Plugging network 'holes'
by Jim Strothman
Long-forgotten business ties, rogue employees threaten security.
During the horrific days following 11 September 2001, businesses and other organizations that had offices in the World Trade Center, including the U.S. Secret Service, scrambled to survive.
Even as rescuers frantically searched for their buried colleagues, employers hustled to find temporary office space elsewhere in metropolitan New York. Many telecommuted as organizations' information technology (IT) staffs labored long hours to reassemble temporarily shattered computer and telecommunications networks.
Lost amid the rubble were not only lives but also much knowledge-including knowledge about vital computer networks. Where were all the servers and routers worldwide? What connected to what?
Suddenly, hundreds of organizations were vulnerable to cyberattacks.
Occupants of the World Trade Center weren't alone, however. Unknowingly, thousands of businesses, including manufacturing organizations, today remain vulnerable to hackers, particularly businesses that have partnered with others in past years. Many have long forgotten those legacy computer interconnections, focusing instead on present and future business relationships.
After 11 Sept., business swelled at network security specialists such as Lumeta Corp., a small but fast growing network security firm born of Bell Labs less than six months prior to the WTC attack. Headquartered across the Hudson River in Somerset, N.J., Lumeta's technology was suddenly in great demand, with 10 global Fortune 500 companies signing up for its services during fourth-quarter 2001.
Much like magnetic resonance imaging maps a human brain or body, Lumeta's security technology can map all, or a defined portion, of an organization's intranet/Internet network. It can find known-and unknown-hosts connected to the internal network, locate potential firewall-bypassing leaks, and generate a multicolored visual "map" that readily shows network managers such as the chief technology officer or chief executive officer where their computer network is vulnerable to unwanted intruders.
"Some of our clients were affected by 11 Sept. at the World Trade Center," said Diane Burley-McGlue, Lumeta director of marketing. "We were able to give them a map of what was lost, where they needed to repair. Afterwards, people telecommuted from home, and companies set up temporary offices. It caused a whole new set of network issues."
Ex-relationships open risks
As dramatic as the events of 11 Sept. and the aftermath were, business organizations, including major manufacturing companies, are beginning to realize that routine but long- forgotten legacy supply chains and other relationships may have also left behind electronic links that could be used for ill gain.
"Companies go through mergers or acquisitions," Burley-McGlue observed. "Large organizations create subsets, then reorganize again. Many manufacturing companies have many legacy partnerships" once interconnected by servers and routers.
How to protect your network assets
What measures can you take to protect your network and information assets? IBM suggests these strategies:
Top management concerned about security sometimes focuses too much on what can happen from the outside, however, she said. "Studies show 70% of security breaches come from within organizations" by rogue employees, for example, or even well-meaning business units that turn their own PCs into servers to bypass their IT department, fearing decision-making slowdowns, she noted.
According to a survey conducted by the Computer Security Institute for the U.S. Federal Bureau of Investigation (FBI), 75% of 563 responding companies said they had been victimized by computer-related crime; 59% of the same companies placed a dollar figure on their losses, which averaged more than $400,000. Nearly half (49%) reported unauthorized use of their computer systems.
IBM offers advice
"The goal is to align security and privacy policies with business objectives," IBM said in an e-business infrastructure white paper titled, "Linking security needs to e-business evolution."
"Businesses thus need to ask further questions," IBM said, "including: What business information and IT resources need to be protected and from whom? What is the cost of a security breach weighed against the cost of protection? What is the likelihood of a breach, and what is the right amount of security and privacy as e-businesses evolve from simply publishing on a Web site to using the Web for full integration of business processes across the enterprise?"
Firewalls can become more vulnerable when companies create "demilitarized zones"-electronic spaces admissible to authorized outsiders but walled by other firewalls so outsiders cannot access the company's other internal systems.
"As companies complete their Internet integration, they view suppliers, partners, and customers [sometimes called 'value networks'] as extensions of their business," IBM's white paper reads. "In fact, core business processes are very tightly coupled with these value networks and are supported by applications run across enterprise boundaries."
Benefits bring challenges
On the plus side, collaboration with supplier partners can speed product development and manufacturing. That same electronic collaboration, however, can "make it difficult to implement security features across enterprise borders," IBM pointed out.
"Whenever possible, organizations should use digital certificates to verify sender and receiver identities, or virtual private networks [VPNs]," IBM advised. VPNs encrypt data transmitted over public networks.
To help mitigate risk, IBM advised the following:
- Creating contracts that clearly define interactions
- Collaborating on configuration management to synchronize vendor fixes and engineering changes for common systems
- Linking notification systems for security alerts and employee changes
- Reevaluating current systems and administration for shared systems to verify they can work with partners and suppliers
Not surprisingly, IBM's approach to securing business networks differs from smaller companies such as Lumeta, leaving users plenty of latitude to make choices.
IBM's e-business security services offerings fit into an all-encompassing continuum that includes assessing, planning, architecting, constructing, managing, and operating secure networks.
Lumeta, on the other hand, starts with a company's network as is. Its patent-pending Lumeta Network Discovery software scans Internet protocol networks from the inside to discover and define end points and interconnection nodes.
The technology was largely designed by a team of former Bell Labs scientists, including network security expert Bill Cheswick, author of one of the most highly regarded security books, Firewalls and Internet Security. It's built on work that began in 1997, when Cheswick and Hal Burch, then with Bell Labs' parent Lucent Technologies, began to collect Internet routing data and designed a treelike map showing more than 65,000 end points and thousands of Internet interconnection nodes.
Another product, Lumeta Firewall Analyzer, translates obscure firewall rules into clear statements of operational policy. A third offering, Leak Detection, looks for hosts connected to a company's internal network and the Internet, bypassing firewalls. IC
Return to Previous Page