January 2000
THE NEWEST TECHNOLOGY TOOLS: (UN)LIMITED ACCESS?
By Julia B. Earp, Laura R. Ingraham, and J. Gregory Jenkins
While the benefits of engaging in e-commerce may be significant, the risks are also substantial. Technological innovations will pose additional security concerns and, ultimately, decide the future of e-commerce.
Technological Innovations
Pentium III. The latest addition to Intel's family of microprocessors is the Pentium III, which delivers slightly better performance (no more than eight percent for most business applications) and improved capabilities for the 3-D applications and graphics increasingly found on the Internet.
Perhaps the most interesting characteristic of the PIII is its unique processor serial number (PSN). Touted by Intel as an advanced security feature, the PSN provides a new form of identity authentication. Intel claims that the PSN enhances Internet security by allowing certain websites to run a program on the user's computer that "reads" the user's PSN and authenticates the user's identity. (Users retain the right, however, to prohibit websites from reading their PSN.) The PSN may also enhance the security of a company's internal information system by providing an additional tool for combating misallocation or misappropriation of funds or assets.
The PSN is not without its problems. Although it is unique, the PSN is read and recorded by other computers; and it is only a matter of time until IP-type spoofing programs will be able to duplicate the PSN, allowing a user to appear as someone else. This raises obvious concerns for businesses--with a fake PSN, a hacker could purchase goods in a company's name, direct the bill to the company's address, and receive the goods at another location. A hacker could also pose as a vendor, submitting fictitious invoices to the company.
Windows 98. Since its release, Windows 98 has been beset with a number of security glitches. One such wrinkle was discovered by Richard M. Smith, a computer programmer and the president of Phar Lap Software. Smith discovered that a computer's Ethernet address was transmitted directly to Microsoft during the Windows 98 registration process. If intercepted by an unauthorized individual, this information linking a computer's owner and Ethernet address could facilitate an attempt to access a company's confidential data.
What the average user is unaware of, however, is Smith's other discovery. Microsoft's Office 97, a software suite used by many companies and organizations to create sophisticated documents with embedded spreadsheets, presentations, and databases, links each file using the computer's Ethernet address, which is then electronically inserted into the document. Since Office 97 also documents author information, an author's name and Ethernet address could be linked. A link would then be created to other vital data (e.g., employee names, Social Security numbers, passwords, and vendor and customer information) stored on that author's computer.
To combat these potential risks, Microsoft has announced plans to make available a unique identifier patch and unique identifier removal tool for users of its office suite. In addition, the company has announced that its new suite, Office 2000, will not insert Ethernet addresses in documents.
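The linkage Smith found rests on a property of the identifier format itself: a standard version-1 GUID records the 48-bit Ethernet (MAC) address of the machine that generated it in its final 12 hexadecimal digits, so anyone holding the document can read the address back out. The following Python script is an added illustration, not code from the article or from Microsoft; it assumes that the Office 97 identifier is an ordinary version-1 GUID, and the document metadata and GUID value it scans are constructed samples. It shows the check a company could run over outgoing documents to find ones that still carry a machine address.

```python
import re
import uuid

# Constructed sample of document metadata (not a real Office file).
# The GUID value is made up but follows the RFC 4122 version-1 layout.
SAMPLE_METADATA = {
    "Author": "Jane Doe",
    "Title": "Q4 forecast",
    "DocumentID": "{6B29FC40-CA47-1067-B31D-00DD010662DA}",
}

# Matches a GUID with or without surrounding braces.
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")


def embedded_mac(guid_text):
    """Return the MAC address embedded in a version-1 GUID, or None.

    Only version-1 GUIDs carry a node field taken from a network card.
    Version-4 (random) GUIDs, used by later software, carry no such value.
    """
    u = uuid.UUID(guid_text.strip("{}"))
    if u.version != 1:
        return None
    node = u.node
    # RFC 4122: a node copied from a real IEEE 802 address has the
    # multicast bit (low bit of the first octet) clear; a randomly
    # generated node has it set, so it identifies no machine.
    first_octet = (node >> 40) & 0xFF
    if first_octet & 0x01:
        return None
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def audit_metadata(metadata):
    """Report every (field, GUID, MAC) triple that ties a document to a machine."""
    findings = []
    for field, value in metadata.items():
        for match in GUID_RE.findall(str(value)):
            mac = embedded_mac(match)
            if mac is not None:
                findings.append((field, match, mac))
    return findings


if __name__ == "__main__":
    for field, guid, mac in audit_metadata(SAMPLE_METADATA):
        print(f"{field}: {guid} exposes Ethernet address {mac} "
              f"(author: {SAMPLE_METADATA['Author']})")
```

Run on the sample, the audit reports that the document's identifier exposes address 00:dd:01:06:62:da alongside the author's name, which is exactly the pairing the article warns about. A document whose identifier is a version-4 GUID, or a version-1 GUID whose node field was randomly generated, produces no finding.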
Jini. Sun Microsystems' Jini networking software is designed to simplify the addition of new hardware and software onto a network. The new software tracks all electronic devices--from computers to cellular telephones to digital cameras--that are connected to the network and creates a protocol for all hardware and software attached to the network. Jini makes it possible to add and execute new services effortlessly. However, the facility with which they work also makes Jini-enabled devices vulnerable. When a Jini-enabled device is connected to a network, it automatically broadcasts its presence and sends information about itself to any party with authorized or unauthorized access to the network.
A Frightening Scenario. Assume for a moment that an experienced hacker has obtained a database containing the PSNs of millions of PIII computers. This "cybercriminal" could engage in financial espionage, selling the information to the highest bidder. Having heard that the black market has bid up the price for information in a particular industry, the hacker singles out the industry leader, XYZ Corporation, as his next target. He intercepts an innocuous Office 97 document from Jane, a high-level executive in XYZ Corporation. While the document itself provides no valuable information, the hacker can obtain the author's name and Ethernet number from the document. Once he circumvents the firewall, the hacker can go directly to Jane's computer, peruse her files, gain the Ethernet numbers of other high-level executives from documents sent to Jane, and proceed directly to their computers.
Security Measures
Taken individually, the threat posed by any one of these new technologies does not appear significant. However, collectively the new technologies' problems exemplify a need for increasing awareness of threats to an organization's data. New security measures are merely one step ahead of the computer hackers--as soon as a new security measure is developed, cybercriminals begin looking for its weaknesses. A business with insufficient protection from the Internet can inadvertently provide the means for cybercriminals to access proprietary information stored in the business' server or mainframe. The following is a partial listing of security measures companies should consider:
Firewalls. A firewall limits access to a computer network by electronically screening all network traffic, both internal and external (See the Exhibit). Firewalls can be in the form of software, hardware, or a combination of the two. Recently, businesses have started installing firewalls onto internal servers within an intranet, an Internet-like network within an organization, to increase internal security of critical files.
Many organizations erroneously feel that, because they have installed a firewall, their data is impervious to attacks. Yet, while firewalls are certainly a vital part of network security, any weakness can be exploited by an experienced hacker. For example, hacker tools can systematically scan hundreds of corporate networks and computer systems for vulnerability to various attack methods in less than an hour. Organizations need to be realistic about the capabilities and limitations of firewalls and avoid being lulled into a false sense of security.
Encryption. Encryption is essentially the encoding of any form of information--text, video, animation, or graphics--so that it is only readable by persons holding the encryption key. Encryption techniques are a primary element of e-commerce. These techniques protect sensitive data traveling across the Internet by making it more difficult for a hacker to recover the original data. Encryption techniques rely upon keys to transform the data into an unrecognizable form and then back again. The keys consist of a string of random bits that must be stored somewhere, usually on a computer's hard drive. Everything else on the hard drive is filed in a logical, ordered fashion; unfortunately, because these chunks of randomness stand out, a new strain of computer viruses is being tailored to scan a hard drive and destroy the encryption keys.
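The claim that key material "stands out" can be made concrete with a Shannon entropy measurement: ordered business data uses a small, uneven set of byte values and scores a few bits per byte, while random key bits use all 256 values evenly and score close to the 8-bit maximum. The Python script below is an added example, not code from the article; the disk image it examines is a constructed sample (repeated invoice text with a 1,024-byte block of key-like random bytes in the middle), and the block size and threshold are assumptions chosen for illustration. It is the same kind of scan a company could run over its own backups to find keys sitting unprotected on ordinary storage.

```python
import math
import random
from collections import Counter


def shannon_entropy(chunk):
    """Bits of information per byte of chunk: 0.0 for a single repeated value, 8.0 maximum."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(data, block_size=1024, threshold=7.0):
    """Return (offset, entropy) for each fixed-size block whose entropy meets the threshold.

    Ordinary documents, spreadsheets and program files fall well below
    7 bits per byte; raw keys, and data already encrypted, sit near 8.
    """
    hits = []
    for offset in range(0, len(data), block_size):
        e = shannon_entropy(data[offset:offset + block_size])
        if e >= threshold:
            hits.append((offset, round(e, 2)))
    return hits


def build_sample_disk_image():
    """Constructed sample: 2 KiB of ordered text, 1 KiB of key-like bytes, 2 KiB of text."""
    record = b"Invoice 1999-12-31  XYZ Corporation  Amount due: 4,500.00\n"
    text = (record * 64)[:2048]
    # Stand-in for stored key material: every byte value four times, in a
    # fixed pseudo-random order so the example is reproducible offline.
    key_bytes = list(bytes(range(256)) * 4)
    random.Random(20000101).shuffle(key_bytes)
    return text + bytes(key_bytes) + text


if __name__ == "__main__":
    image = build_sample_disk_image()
    print(f"text block entropy: {shannon_entropy(image[:1024]):.2f} bits/byte")
    for offset, entropy in high_entropy_regions(image):
        print(f"high-entropy region at offset {offset}: {entropy} bits/byte")
```

On the sample the text blocks score roughly four to five bits per byte and only the block at offset 2048, the simulated key, is reported. The practical lesson is the one the article draws: a key file stored as plain random bytes on a general-purpose disk is easy to locate, so keys need the same care as the data they protect, including off-line or off-disk storage where possible and backups that allow recovery if a key is destroyed.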
Other Measures. There are other inexpensive security procedures a company should consider. For example, a business should take an inventory of its data to determine what needs protection and place sensitive data on a server that has limited access or is physically isolated from the outside world. In addition, businesses can institute a policy that requires that computers be turned off during non-business hours--this reduces the opportunities outside parties have to connect to the system. Finally, business managers need to stay abreast of the changing technological landscape. Managers should be aware of potential risks posed by new software such as the popular pcAnywhere, which enables users to remotely access their office computers.
When all else fails, there is insurance. A number of large insurance companies now offer protection against loss (e.g., Lloyd's of London, St. Paul, Cigna, Reliance National, and AIG), but claims must be substantiated by proof that losses were caused by hacking and not by a computer glitch. Given that hackers can destroy evidence of their presence using log modification tools by imitating a disk crash, such claims may be difficult to substantiate.
Catch the Cybercrooks
There is no question that, as e-commerce continues to expand, cybercrime continues to proliferate. In response, there will be a call for increased law enforcement and regulations, but the wheels of bureaucracy move slower than the wheels of progress. Management cannot afford to bide its time, awaiting the day when "cyberbusiness" is safe.
Julia B. Earp, PhD, (Julia Earp) is an assistant professor of management information systems, Laura R. Ingraham, PhD, CPA, (Laura Ingraham) an assistant professor of accounting, and J. Gregory Jenkins, PhD, CPA, (Greg Jenkins) an assistant professor of accounting, all at North Carolina State University.
Editor:
James L. Craig, Jr., CPA, The CPA Journal
Paul D. Warner, PhD, CPA, Hofstra University
©2006 CPA Journal.