TECH TRENDS: Tech Files

Battling the Cyber-Terrorist

Internal Breaches Pose Greatest Threat

New York Law Journal
November 10, 1997

BY ALAN COHEN

ON OCT. 7, Robert Marsh, chairman of the President's Commission on Critical Infrastructure Protection, delivered the keynote address before the 20th National Information Systems Security Conference in Baltimore. For more than a year, Mr. Marsh and his fellow committee members had been studying the vulnerability of the nation's critical infrastructure, its telecommunications systems, energy resources, transportation and vital human services. A final report would be submitted to the White House later in October, but at the conference, Mr. Marsh summarized what he found.

Computer systems were indeed vulnerable, and growing ever more so. "Global networks create somewhat of a double-edged sword," he told the audience. "They enable us to communicate around the globe instantaneously, but they can create pathways for access to targeted systems, thus introducing new vulnerabilities." New "weapons of mass disruption," such as Trojan horses, viruses and E-mail attacks, made any computer linked to the Internet a potential target. Data could be stolen or distorted; services crippled.

These were legitimate concerns, and all would be discussed in the committee's final report (a summary of which is available at www.pccip.gov). But as every nation and army has discovered, often the greatest threat to security comes not from beyond the castle's walls, but from within. "We could spend millions on technology to protect our infrastructures," Mr. Marsh said, "but a well-placed insider or disgruntled employee could render nearly all protection useless."

Indeed, interviews with technical and security experts, as well as law firm technology directors, reveal that security breaches are much more likely to originate from within the office than from without. Vulnerability via Internet pathways remains an issue, but one that has been mitigated by increasingly sophisticated technology. Firewalls, encryption, virus checking software and improved operating systems and Web browsers work to keep data safe from prying eyes and covert keyboards. Yet maintaining effective security within the firm has proven more elusive.

"The Web scares a lot of people," explained Todd Mattson, an attorney and director of practice systems at Weil, Gotshal & Manges. "But the risks of someone losing a laptop with a bunch of sensitive stuff on it, or the disgruntled employee problem where they erase [material] before they leave ... these are much greater than someone dialing in [to the network]."

As firms are discovering, the best security technology in the world can be foiled by the employee who writes his or her password on a Post-it note stuck to the computer screen, or the server room that is left unlocked and unattended, or the user who goes to lunch and leaves the PC running. Effective security means more than simply stocking up on the latest electronic bells and whistles. It means in-house policies, procedures, education and awareness.

External Threats

Without question, computer networks that allow access from beyond the office raise important security concerns. "Anytime you create an opening from outside, there is a chance someone can get in," explained Ron Friedmann, an attorney who serves as director of computer applications at Washington, D.C.'s Wilmer, Cutler & Pickering. But that risk, he noted, was "infinitesimal." Two factors function to limit the vulnerability of computer networks: technology and design.

As a growing number of lawyers begin to use laptops on the road and PCs at home, remote access has evolved from a perk to a necessity. At Wilmer Cutler, for example, all attorneys can access E-mail from outside the office. The design of the system prevents unauthorized users from gaining access to important and often confidential internal files.

Wilmer Cutler maintains a dedicated server for E-mail messages. Attorneys working at home or on the road dial in to this machine via modem and enter a password to retrieve their mail. The server is isolated from all other internal computers and databases. "If someone hacks in," said Mr. Friedmann, "the most they can do is take over my E-mail. They can't get to the network files."

While the limited connection protects sensitive materials, the disadvantage to such a setup is that it is, indeed, limited. Increasingly, attorneys want to do more while out of the office than simply read and write E-mail. But full-scale remote access means that if an unauthorized user gains access, they will be able to do more than read the mail.

"If someone can hack in," explained David Useloff, a senior associate at Boston-based Micro Modeling Associates, "they would have the rights and access of that user [they are impersonating]." Most networks are backed up every night, so chances are any data that is deleted can be restored fairly simply. But hackers can also infect systems with viruses, some of which, noted Mr. Useloff, can permanently damage hard drives and other system components. In addition, there is always the risk that confidential information, such as deal documents and memos, will be disclosed.

But Mr. Friedmann is confident that the know-how exists to minimize any security risk. In contemplation of full-scale remote access, Wilmer Cutler is looking at a technology called "Secure ID," which has been implemented in corporations and financial institutions across the country. Each user carries a device that looks like a credit card, but is several times as thick. The card, which contains a battery and a microprocessor, has a small window in which a six-digit number is displayed. The number changes every 60 seconds and is synchronized with a similar device connected to the server back in the office. When a remote user wishes to log in to the network, he or she is prompted to enter the current six-digit number. Once the proper code is input, the user must enter his or her own password and log-in ID.

"Even if someone finds the card, they still need to know your password," explained Mr. Friedmann. "Absent [a user] writing their password on the card, it is secure."

While some users may find the constantly changing numbers annoying (often the code will change as it is being entered, requiring the new number to be keyed in), this feature makes it necessary for a potential hacker to have physical possession of the card. "Otherwise," Mr. Friedmann said, "if someone sees the number, they have all day to hack in." This system gives them 60 seconds.
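The log-in sequence described above, sketched as an added example that is not part of the original article. The article does not describe the card's algorithm, so the sketch substitutes the HMAC time-step scheme of RFC 6238 with a 60-second step; `LoginServer`, `grace`, the seed and the salt are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code stays on the display, as in the article
DIGITS = 6   # six-digit number

def token_code(seed: bytes, now: float) -> str:
    """Code the card shows at time `now` (RFC 6238-style stand-in algorithm)."""
    counter = int(now // STEP)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginServer:
    """Server side of the exchange: shares each card's seed and the clock."""

    def __init__(self, grace: int = 0):
        self.grace = grace     # 0 = strict: a rolled-over code must be re-keyed
        self.users = {}        # login ID -> (seed, salt, password hash)
        self.last_used = {}    # login ID -> newest time step already accepted

    def enroll(self, user: str, seed: bytes, password: str, salt: bytes):
        self.users[user] = (seed, salt, _pw_hash(password, salt))

    def login(self, user: str, code: str, password: str, now: float) -> bool:
        if user not in self.users:
            return False
        seed, salt, stored = self.users[user]
        current = int(now // STEP)
        for step in range(current, current - self.grace - 1, -1):
            expected = token_code(seed, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                break
        else:
            return False                      # no card code matches
        if step <= self.last_used.get(user, -1):
            return False                      # code already used: replay
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return False                      # card alone is not enough
        self.last_used[user] = step
        return True
```

With `grace=0` the server behaves as the article describes, so a code that rolls over during entry must be keyed in again; `grace=1` also accepts the immediately preceding code, which lengthens the window in which an observed number is usable.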

Security becomes more problematic, however, when the private network is linked to the Internet, whether to give attorneys access to Web sites, or to operate the firm's publicly available Web page (or, perhaps more commonly, both).

"The connection to the Internet is a two-way pike," explained Mr. Friedmann. By allowing attorneys to venture out from beyond the internal network, the firm also provides a route for outsiders who seek to come in. To prevent that, the firm must be able to enforce a boundary between the private portions of its network and the public Internet, to control who can come in and what they can see.

Such a system is known as a firewall. A controlled gateway between the two networks, it acts like a guard post in the lobby of a building, preventing unauthorized users from coming in and reading or deleting files -- or, more troubling, installing viruses. A single point in the network through which all communications between the firm's internal network and all outside, untrusted networks must pass, the firewall uses authentication mechanisms to ensure that only those users permitted to access the protected network do.

Firewalls can be complex and do not come cheap.

Wayne Spivak, a professor at the City University of New York and president of SBA.NET.WEB, an Internet consulting firm in Bellmore, N.Y., estimates that at a minimum, a firewall will cost $5,000 for the software, $5,000 for the consultant to set it up and another $40,000 for the full-time employee needed to maintain it.

But with a firewall in place, a firm can safely segment its network, allowing certain parts to be publicly accessible, while isolating any proprietary sections. For example, Web servers and E-mail servers can be placed in front of the firewall, enabling users from anywhere on the Internet to download the firm's Web pages and send mail to attorneys. But all other services are placed behind the firewall. In this scenario, any user would be able to access a Web page, but in order to access the firm's internal database, document management system or Intranet, he or she would first need to pass through the firewall. Here, software would analyze the access request, determining who is making it and whether to let that user through.

Another benefit of a firewall is that it enables network administrators to control not only who gets in, but who can venture "outside." Firms concerned about employees surfing the Web can restrict Web access to certain individuals and even specific hours of the day.

Malicious Code

Another fear that experts say is overblown is the risk of inadvertently downloading a virus from the Internet. While there is a great deal of free and low-cost software available on-line, none of it shrinkwrapped or labeled, the chances of downloading infected programs have been greatly reduced by a number of technical innovations. Indeed, viruses found on diskettes that change hands still remain a far greater concern.

The latest Web browsers and administrative software contain enhanced security features designed to minimize the chances of downloading malicious code. "Code-signing" technology, for example, enables browsers to identify the publisher of a specific program and verify that the code has not been tampered with, helping users to decide whether or not to download and install the file. Taking prevention a step further, system administrators can use special software to restrict what can be downloaded to the desktops.

Much attention has been focused on the security implications of Java, a programming language used by many Web developers to create small programs that are downloaded to users' machines to add functionality to Web pages (such as a working calculator for a financial site). The worry: Malicious Java code will disrupt data and disable systems. But again, experts say the fear is overblown.

"Security issues were a big part of [Java's] design," explained Dr. David Greenberg, a research staff member at IBM's T.J. Watson Research Center in Yorktown Heights, N.Y. Java does not run directly on a PC's microprocessor, but within an "emulator" built into the Web browser. This, said Dr. Greenberg, restricts Java code from accessing any part of the machine itself. "The exact reach of a Java applet is limited."

While a second programming language, Active-X, accesses the microprocessor directly, and is thus less secure than Java, code-signing technology allows the browser to verify the identity of the author and determine that the code has not been modified. This, Dr. Greenberg noted, raised a more subtle issue: "You have to trust that if [the code] is signed by Company X, Company X would not do anything malicious."

But the real virus threat, according to Mr. Mattson of Weil Gotshal, can be surprisingly low-tech. It is not the Internet that poses the greatest danger, but word processing documents that come from clients and co-counsel. Viruses, he said, can be embedded in a Microsoft Word macro or document template. Anti-virus software can catch many of these viruses, but "it is an administrative challenge to make sure people use it."

Internal Breaches

In fact, it is the employee at the desktop who poses, often unwittingly, the greatest security risk. Professor Spivak cited one study that found that 80 percent of computer break-ins did not originate on the Internet, but on the local area network. "Someone walks away from their desk and leaves the machine on. People don't lock the server room." One associate at a large international law firm recalled finding a system password written on a sheet of paper taped to a remote-access terminal.

Disgruntled employees, noted a systems administrator at another firm, are a major source of concern. Mr. Useloff, of Micro Modeling Associates, recommends that firms quickly revoke the access and passwords of dismissed employees.

"All you need is one partner or recalcitrant secretary leaving the firm," added David Romanoff, the chief executive officer and president of SynData Technologies Inc., in Cedar Grove, N.J., and an expert in computer security and encryption software. "Once they are past the firewall, everything is available."

"It's an issue of timing," explained Mr. Mattson. "If you know that this person has high-level access, don't leave him unattended for a week to wreak havoc."

Among firms, one pervasive and frustrating problem has been how to encourage users to follow appropriate password practices. Most passwords, claimed Professor Spivak, can be deduced after one casual conversation. People will use birthdays, names of family members and pets, words found in the dictionary, which, he added, can be cracked by brute force.

"The best password is a nondictionary word. Do you want to have to remember that? No."

Nor do users want to change their password every day. "These are the tough issues," said Mr. Mattson of Weil Gotshal. "Technology can make [systems] secure, but you still have users who will make their password their first name and never change it."

As part of each employee's computer training, Weil Gotshal offers guidelines on proper password use. "No Jets, Giants or Rangers," Mr. Mattson explained. "Use upper and lower case, nonsense words, mix letters and numbers."

Another effective rule of thumb: Control access. Mr. Useloff advises that users should be divided into groups, with each group given access only to the material they need "and not to anything more."

At Wilmer Cutler, the firm's document management system, SoftSolutions, allows administrators to control user access rights. By default, when a document is created, it is public, available to all users on the network. But the document can also be made private to certain groups of users. "Only they can access it, or change it," said Mr. Friedmann.

Idle, unattended PCs pose yet another hazard. At Weil Gotshal, machines are configured so that they automatically log users off the network after a period of inactivity. Memos from the MIS department caution employees on the hazards of leaving a workstation unattended.

Users have proven resistant to security technologies that, no matter how effective they may be, are not intuitive to use. Encryption software, for example, has yet to take off within law firms, primarily due to the perception that it is difficult to use. "If [the software] was seamless, automatically encrypting and decrypting everything, we would use it," said one systems manager. "But otherwise, it is a pain."

Little surprise, then, that software developers are racing to introduce easier-to-use products. The latest version of PGP, the popular encryption package, offers an enhanced interface and point-and-click tools. Mr. Romanoff's company, SynData, has released a $50 program called SynCrypt, designed to automate the encryption process. The latest versions of the most popular Web browsers, Microsoft Internet Explorer and Netscape Navigator, both feature enhanced security features as well as improved ease-of-use.

Sharing Information

Even with the best technology in place, and full compliance with internal policies, computer security will never be a trivial concern. One recommendation made by the President's commission was the need for improved communication among users to provide warnings and assistance regarding potential breaches and bugs.

Already, firms are learning that they, too, need to pool resources to combat computer crime. In Washington, for example, MIS directors at a number of firms meet monthly to discuss current issues. "There is a lot of informal contact," said Mr. Friedmann. Vendor conferences, technology shows and seminars provide further means for systems managers to interact and share information.

Computer use may not be completely safe, but neither are fax machines or cellular telephones. In the end, Mr. Friedmann asked, "if something is useful, do you not do it because of the risk?"