Cybersecurity Picked Locks Open Windows

May 23, 2005
GRAND RAPIDS — The workday was all but over when CPR engineer Scott Montgomery arrived onsite for an IT assessment. Dressed in shirt and tie, frazzled, he apologized for his lateness to the first person he saw.

“Hi, I’m Scott,” he said. “I understand you have a computer running slow. If you let me take a look at it, I can tell your manager he needs to buy you a new one.”

The employee, perhaps even the client’s network administrator, walked Montgomery into the office and sat him down.

“Could you tell me your password?” Montgomery asked, making himself comfortable at the workstation. “Thanks. Don’t worry about sticking around. I can let myself out.”

A week later, Montgomery sat down with the company’s executive management and board of directors. Montgomery, director of security for CPR, had with him a copy of the board’s latest presentation, an e-mail from its CEO to its chairman, and a list of suggestions to improve the company’s network security.

“It never ceases to amaze me how willing these people are to help me,” Montgomery said. “Sometimes I just call on the phone and ask for information. I say I’m trying to help someone who forgot their password and ask them to reset it.”

Montgomery gains access to clients’ IT systems 90 percent of the time.

“Lots of people don’t know who’s coming into their organization, and it only takes one. I’ve proven time and again that it only takes so long for me to sit down and get what I need.”

Meet 31-year-old Grand Rapids musician Rich Vogel. A lot of what he finds on peer-to-peer networks makes its way onto his Web site (www.10eastern.com), but Vogel isn’t posting pirated music. In his “Found Photos” gallery are hundreds of pictures of people at parties and pulling stupid stunts, unwittingly exposed to the world via file-sharing services like Kazaa, Grokster or Soulseek.

While embarrassment may be the worst that Vogel’s gallery causes, Rick Wallace’s blog, www.seewhatyoushare.com, paints a bolder picture. As an educational tool, the site collects tax returns, credit card statements, revealing photos and government documents, posting each with the pertinent data blacked out.

“One of the things we’ve discovered is that major breaches are not generally the hardware or software, but the human user,” said Anthony Wojcik, director of Michigan State University’s Cybersecurity Initiative. “The vast majority are because of people not protecting themselves in the first place.”

Most local companies prohibit downloading music for concerns of bandwidth, malware and on general principle. Imagine a pedophile finding pictures of a child in his soccer uniform along with a roster and schedule. Imagine an identity thief with a tax return. What might a search for “rolling averages” or “fourth quarter” produce?

“It starts with every individual,” added Dan Lohrmann, chief information security officer for the state of Michigan. “Security should be part of every employee in the company’s role, not just the IT department or the security guy. The most difficult thing to do in any company is be aware of the risk and protect themselves in a prudent way.”

The state’s new cybersecurity Web site was originally designed as an internal training aid before it was expanded to include the general public. The same online awareness course now required of state employees is available there.

“If we’re going to have an environment where small businesses can thrive, cybersecurity is going to be a part of that,” Lohrmann said.

Montgomery, Trivalent Group/Remex Systems President Mike Noordyke, and Kore/Hi-Com President Steve Hickel all agree that the first step toward a secure IT infrastructure is cultural.

“The first thing you have to look at is your security policy,” Noordyke said.

Employees should be made aware of security policies and procedures, he said. Small and medium-sized businesses should be especially wary, as they are less likely to have formal policies.

Employees shouldn’t share their passwords with anyone, even administrators. Montgomery notes that if an employee is suspected of wrongdoing, it will be difficult to prove in court if others had access to his or her account.

Leaving equipment with the default password is dangerous, as these are readily available for malicious use. For example, an extensive list of default passwords is available at www.phenoelit.de/dpl/dpl.html. Passwords should be complicated enough that they can’t be guessed but not so complicated that they need to be written down. For his own computer, Montgomery uses a biometric sensor to read his thumbprint for access — the upgrade cost $150.
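The two password rules above (no shipped defaults, no guessable passwords, but nothing so unwieldy it ends up on a sticky note) can be turned into an audit check. The following is an added example, not code from the article or from CPR; the vendor/model default table and the common-guess list are constructed for the example and are not the public list the article points at.

```python
"""Added example (not from the article): flag devices still on a shipped
default credential and passwords that are easy to guess, while letting
long passphrases through so people are not pushed into writing them down."""
import re

# Constructed sample of vendor defaults; NOT the public default-password list
# the article mentions. Keyed by (vendor, model), lower-cased.
DEFAULT_CREDENTIALS = {
    ("examplevendor", "router-x1"): [("admin", "admin"), ("admin", "password")],
    ("examplevendor", "switch-s2"): [("root", "")],
}

# Constructed list of the kind of passwords an attacker tries first.
COMMON_GUESSES = {"password", "123456", "letmein", "welcome", "qwerty"}

MIN_LENGTH = 12          # anything shorter is cheap to brute-force
PASSPHRASE_LENGTH = 20   # this long, we stop insisting on symbol soup


def uses_default_credential(vendor, model, username, password):
    """True if (username, password) is a shipped default for this device."""
    defaults = DEFAULT_CREDENTIALS.get((vendor.lower(), model.lower()), [])
    return (username.lower(), password) in defaults


def password_weaknesses(password, username=""):
    """Return the reasons a password is guessable; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    # A long multi-word passphrase is fine with few character classes.
    if classes < 3 and len(password) < PASSPHRASE_LENGTH:
        problems.append("fewer than 3 character classes")
    if password.lower() in COMMON_GUESSES:
        problems.append("on the common-guess list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times")
    return problems


def audit_device(vendor, model, username, password):
    """Combine both checks into one list of findings for a device account."""
    findings = []
    if uses_default_credential(vendor, model, username, password):
        findings.append("default credential still in use")
    findings.extend(password_weaknesses(password, username))
    return findings


if __name__ == "__main__":
    for device in [("ExampleVendor", "Router-X1", "admin", "admin"),
                   ("ExampleVendor", "Switch-S2", "root", ""),
                   ("ExampleVendor", "Router-X1", "admin", "correct horse battery staple")]:
        print(device[:3], audit_device(*device) or "ok")
```

The passphrase exemption is the design point: a 20-plus character sentence passes the character-class rule because length, not symbol count, is what makes it resist guessing, and it is the kind of password people can remember without writing it down.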

At the end of the day, all users should be logged off. Montgomery has set up “honey pot” accounts to demonstrate this at offices and seminars. He leaves them logged on overnight and then tracks use. The next morning, the report often shows that the overnight cleaning crew had been using the computer.

As for the network itself, a layered approach is necessary, Noordyke said.

“Having virus protection on your PC is really the last layer,” he said. “If it gets that far, all somebody needs to do is click on it and it’s in there. You want to have protection in front of your e-mail server and your e-mail gateway to scan those packets before they get into your network.”

The same concept applies for filters against adware, spyware and spam, Noordyke said.

Hickel, a captain in the U.S. Navy Reserves, compares network security to a military base.

“The firewall is your equivalent of a fence,” he said. “You’ve got a gate in there somewhere to let things in you want. It’s monitored and guarded; you need to show an ID card to get past.”

An intrusion detection system equates to a roving patrol, searching for holes in the fence. There are other checkpoints after that — seven layers total for a normal network — with each presenting its own vulnerabilities. Hickel suggests a freeze product for the PC itself that will return it to a pristine state after each session — viruses, spyware and the like are instantly erased.

Open ports other than the accepted entryway are no different than unguarded windows, Montgomery said. Malicious individuals scan the Web for such opportunities. Once inside, a hacker will often find unlimited access. He can create his own user account and come and go as he pleases.
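Two of the points above lend themselves to the same piece of detection logic: the honey-pot accounts Montgomery leaves logged on overnight to see who touches them, and the intruder habit of creating a personal account once inside. The following is an added example, not code from the article or from any of the companies quoted; the log format, host names, account names and the 07:00 to 19:00 business-hours window are all constructed for the example.

```python
"""Added example (not from the article): scan constructed auth-log lines for
activity on honey-pot accounts, after-hours logins, and new-account creation."""
import re
from datetime import datetime

# Constructed "key=value" log format; real syslog or Event Log fields differ.
LOG_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log: a honey-pot account used at 2 a.m., an account
# created at 3:40 a.m., a normal HR account creation, and a late-night login.
SAMPLE_LOG = """\
May 23 02:14:07 ws-12 session: user=hp-finance event=login src=console
May 23 02:31:44 ws-12 session: user=hp-finance event=open file=board-deck.ppt
May 23 09:05:11 ws-12 session: user=jdoe event=login src=console
May 23 03:40:52 srv-01 useradd: user=svc_backup2 event=account_created by=root
May 23 14:10:00 srv-01 useradd: user=newhire event=account_created by=hr-admin
May 23 22:48:19 srv-01 session: user=jdoe event=login src=10.0.0.99
garbage line that does not parse
"""

HONEYPOT_ACCOUNTS = {"hp-finance"}   # constructed; real names should look ordinary


def parse_line(line, year=2005):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['month']} {m['day']} {m['time']}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    fields = dict(KV_RE.findall(m["msg"]))
    return {"ts": ts, "host": m["host"], "prog": m["prog"], **fields}


def find_alerts(log_text, honeypot_accounts, business_hours=(7, 19)):
    """Classify events; returns a list of (alert_kind, user, timestamp)."""
    start, end = business_hours
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "user" not in ev:
            continue
        after_hours = not (start <= ev["ts"].hour < end)
        if ev["user"] in honeypot_accounts:
            # Nobody has a legitimate reason to touch a honey-pot account,
            # so any event on it is an alert regardless of the hour.
            alerts.append(("honeypot-activity", ev["user"], ev["ts"]))
        elif ev.get("event") == "account_created":
            # Every new account is reviewed; after-hours creation is ranked higher.
            kind = "account-created-after-hours" if after_hours else "account-created"
            alerts.append((kind, ev["user"], ev["ts"]))
        elif ev.get("event") == "login" and after_hours:
            alerts.append(("after-hours-login", ev["user"], ev["ts"]))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the shape of the 'next morning report'."""
    counts = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG, HONEYPOT_ACCOUNTS)
    for kind, user, ts in found:
        print(f"{ts:%H:%M:%S} {kind:30} {user}")
    print(summarize(found))
```

Unparseable lines are skipped rather than crashing the scan, and the honey-pot rule is checked before the time-of-day rules so that a single event produces one alert of the most specific kind.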

Montgomery has seen incidents where the hacker erased all the administrative passwords, creating a minor inconvenience. Often the hacker uses the company network to store downloaded movies or videos. In some extreme cases hacking is done for extortion, he said. There have been well-publicized cases where a group held the company hostage. If the checks kept coming, the network stayed running.

“Lots of people spray-paint buildings just to say they’ve done it,” he said. “The worst thing is never knowing if you’ve erased the hacker’s footprint. Chances are if there is one way to get in, there are three or four ways.”

Hickel believes that any security system must be cognizant of internal threats.

“The assumption is that anything leaving the fence is OK,” he said. “The biggest threat is internal. Someone could bring a virus in from home with them or they could be e-mailing company information out. Maybe they want to start a company of their own.” (See related story.)

In the end, Hickel said, companies have to sacrifice either security or convenience. The more security measures a system has, the slower it will be. Data doesn’t go stale, so a slower network is only an inconvenience, but the added delay could be a real problem for companies adopting Voice over Internet Protocol phone systems.

Noordyke believes a better question is one of investment. One client went barebones on its virus protection and was hit with a total system failure one Friday afternoon. Trivalent was able to get the three-state manufacturing operation up and running before the weekend was out, but at a cost of $70,000. The antivirus package cost a fraction of that.

Even with the right software package in place, Noordyke said, companies must be constantly aware of updates to filters and operating systems.

“It’s difficult for the public to understand how complicated it is to develop a software product,” Wojcik said. “I can’t think of any other industry where we buy a product knowing it is going to have problems. We are in the mindset where we just expect them to eventually fix it. That is where we get vulnerabilities.”    

Recent Articles by Daniel Schoonmaker
