THE CPA AND THE COMPUTER

October 2001

Security Issues on the Internet

By Frank J. Grippo and Joel G. Siegel

Security is only as strong as the weakest link. One must always be aware of the security of each transaction when sending and receiving information over the Internet. There will always be unscrupulous people who will steal whatever they can get their hands on.

The accountant’s scope of concern with security over the Internet encompasses corporate intranets, partner-to-partner transactions on extranets, and website transactions. The accountant can provide advice on how to keep systems, sensitive files, passwords, and financial data secure. When considering security mechanisms, a cost/benefit analysis should also be undertaken.

No matter how secure a computer is, once it is attached to a network or the Internet, the risks of subterfuge increase. Properly protecting a network from attack requires several security layers; the more layers, the greater the degree of security. The main purpose remains protecting and securing a company’s assets.

Security Vulnerabilities

How vulnerable is a network? A vulnerability is a flaw in the computer system that can cause a security problem. Vulnerabilities can come from a variety of areas, such as encryption, policy oversight, a logic error, internal spying, deficient passwords, sabotage, theft, network protocol design, and eavesdropping. Unauthorized access may be gained through deficient application or operating system code. An architectural problem or deficient security design may be at fault. A specified action must be formulated for each vulnerability, and security features properly implemented and configured.

Proper and effective network security provides the following:

The simplest forms of security are password control and firewall protection. The best type of password is one that incorporates letters, numbers, and punctuation; allowing simple or predictable passwords (such as birthdays) creates a security risk. A firewall is software or hardware that limits certain kinds of access to a computer from a network. By forcing all traffic to and from the Internet to flow through a firewall, risks to the local network are decreased.

Nevertheless, malicious scripts and applets can be used to infiltrate firewalls, intercept passwords, and wreak havoc. Spam is one common way malicious code can enter a computer system. Spam is nothing more than unsolicited e-mail messages, usually advertising a product, but it is sometimes a conduit for transmitting viruses. A virus is a program that “infects” other programs. When an infected program is executed, the embedded virus is also executed, causing system damage and further spreading the virus. Blocking software can be used to prevent viruses from entering a system in the first place.

A computer security vulnerability has serious implications, including unauthorized access to the system, destroyed information, and damaged websites. If a security breach occurs, the security hole must be found and closed. Damages must be evaluated and the system restored. A minor security hole may be corrected by a patch. Adequate backup procedures ensure that damaged or destroyed files can be restored. Special attention should be paid to protecting and backing up proprietary or privileged data.

Attacks vary in severity depending upon the level at which the security breach occurs. A security breach at the manager or supervisor level can have disastrous consequences, since those individuals generally have access to the system configuration and sensitive or privileged files. A breach at the individual user level, though serious, will generally lead to less damage, possibly contained in one area or machine.

Attacks by hackers, malicious or otherwise, can involve a variety of techniques:

A majority of computer crime comes from internal sources. Insiders are the most significant threat to intellectual property.

Some Trojan horses (e.g., NetBus, Back Orifice) can furnish remote users with complete control over a user system, including changing passwords and rebooting the system. Anti-virus software can identify and remove most Trojan horses. Keystroke monitoring can track what is typed and send it to another computer before encryption occurs. Protection can be found in packet analyzer programs or through restricting physical access.

Spam inundates servers with junk e-mail. HTML-based spam can also be used to identify and profile users. To prevent this threat, block Internet access from HTML messages. Another approach is to block all transmissions from known spam sites.

Cookies keep a record of web usage so sites can trace user behavior and compile a user profile. Cookies may be abused by advertisers in keeping track of your online shopping and preferences. Software programs can block ad servers from using cookies to extract personal information.

Security Planning

Attacks against a computer system may be intense, persistent, and frequent. In network and online security, beware of abnormal modem and disk activity. Isolated servers can provide greater security.

A file integrity assessment (FIA) tool can appraise files and produce unique signatures for each, which are then stored in a database. Content determines the file signature. Once the file content is changed, the signature changes. An FIA tool can be used to assure that a file has not been modified.

Computer security consists of prevention, detection, and recovery. Prevention encompasses establishing a password policy and using firewalls. Detection concentrates on ascertaining the details of a security failure. Recovery is getting the system back to where it was before the security breach, such as reinstalling programs and backed-up data.

There must be an integrated and comprehensive security plan that is fully operational and promulgated. Considerations in setting security policy include identification of users, authentication, suspicious software, and password rules-of-thumb.

Physical security. Physical security consists of the following:

Logs. System logs should be monitored closely. Suspicious patterns or unusual IP addresses in log files could indicate a hacker at work. Unusual occurrences in logs should be thoroughly investigated.
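One way to automate the log review described above, as an added example that is not part of the original article. The log format, the list of known networks, and the failure threshold are assumptions; the log lines are constructed and use documentation-only IP ranges.

```python
import ipaddress
from collections import Counter

# Assumption: networks the company expects logins from.
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
FAILED_LOGIN_THRESHOLD = 3  # assumption: tune to the site's normal noise

# Constructed sample: "<timestamp> <LOGIN_OK|LOGIN_FAIL> <user> <source ip>"
SAMPLE_LOG = """\
2001-10-01T08:02:11 LOGIN_OK jsmith 192.0.2.14
2001-10-01T08:05:40 LOGIN_FAIL admin 203.0.113.77
2001-10-01T08:05:43 LOGIN_FAIL admin 203.0.113.77
2001-10-01T08:05:47 LOGIN_FAIL root 203.0.113.77
2001-10-01T08:09:02 LOGIN_FAIL mlee 192.0.2.30
2001-10-01T08:09:15 LOGIN_OK mlee 192.0.2.30
2001-10-01T23:41:09 LOGIN_OK jsmith 198.51.100.5
this line is damaged and cannot be parsed
"""

def is_known(address):
    """True when the address falls inside an expected network."""
    return any(address in network for network in KNOWN_NETWORKS)

def review_log(text):
    """Return findings to investigate, plus lines that could not be read."""
    failures = Counter()
    unknown_success = []
    unparsed = []
    for line in text.splitlines():
        try:
            timestamp, result, user, source = line.split()
            address = ipaddress.ip_address(source)
        except ValueError:
            unparsed.append(line)  # keep damaged lines visible to the reviewer
            continue
        if result == "LOGIN_FAIL":
            failures[str(address)] += 1
        elif result == "LOGIN_OK" and not is_known(address):
            unknown_success.append((timestamp, user, str(address)))
    repeated = {ip: n for ip, n in failures.items()
                if n >= FAILED_LOGIN_THRESHOLD}
    return {"repeated_failures": repeated,
            "logins_from_unknown_ip": unknown_success,
            "unparsed": unparsed}

if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```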

Audits. Network security should be audited periodically to test its functionality. The auditor should determine which physical and financial assets and data files are at risk. The company is responsible for evaluating, protecting, and managing information resources. How easily can the company detect and deter computer-related attacks?

The auditor should assess the entity’s data assurance profile and records. Policies and procedures should protect “key” physical and information resources. There should be an integration of security steps with physical and human resources to assure that a consistent and effective plan exists.

Security Software

There are a number of software packages available that provide computer users with additional security. No one program is foolproof, and using several in combination can increase the level of protection.

Symantec’s (www.symantec.com/scanme) Norton Internet Security 2000 protects users from Internet attack. It prevents hackers from accessing a system and protects against web-spread viruses. Norton’s Internet Security 2000 finds vulnerability holes in a computer system and closes them. Symantec’s Norton Anti-Virus program protects servers and PCs against virus attack.

Computer Associates’ (www.ca.com) eTrust Security Suite provides the following features: anti-virus tools, audit, access control, firewall, administration, mission control, appraisal of content, directory, single sign-on, intrusion identification, encryption, scalability, and a virtual private network.

PentaSafe Security Technologies’ (www.pentasafe.com) e-Business Security 101 performs a security audit of operating systems, applications, and web servers. It also prepares password strength reports. PentaSafe’s Cross-Platform Security Auditing VigilEnt Security Manager provides host-based information technology security auditing and application configuration. VigilEnt diagnoses security deficiencies with company-wide reporting. Problems are reported on and evaluated. PentaSafe’s VigilEnt Security Agent recommends appropriate modifications to the setup configuration, user accounts, and file permissions. A feature allows for automated backup to other equipment. If the system has been compromised, VigilEnt Security Agent can automatically restore a corrupted file and provide for forensic analysis of the intrusion.

Network ICE Corporation’s (www.networkice.com) BlackICE Agent is an extension to a firewall rather than a substitute. The software provides information concerning attacks directed toward a network. If a transmission has penetrated the firewall, the product will identify questionable behavior. There is a database of signatures and patterns of possible hacker attacks. There is a feature that blocks or restricts transmissions from particular sites. When BlackICE believes an attack is occurring, it terminates the connection between the initiating IP address and the computer system. The product provides data about particular attacks, including the identity of the intruders.

Axent’s [(888) 44-AXENT] Enterprise Security Manager manages risk and evaluates computer security. The product measures, monitors, and enforces security policy compliance. The product checks security daily and notes vulnerabilities. Security policy can be assessed and controlled over multiple platforms and applications.

Network Associates’ (www.mcafee.com) McAfee Internet Guard Dog provides anti-virus, filtering, and privacy services. It traces and controls outgoing transmissions.

RiskWatch’s (www.riskwatch.com) Risk Analysis Software evaluates computer security risk exposure. It determines if a system has been infiltrated, and to what extent.

Tripwire Security Systems’ (www.tripwiresecurity.com) Tripwire is a file integrity appraisal tool. Tripwire identifies and corrects files that have been altered during a security breach.

CyberSafe Corporation’s (www.cybersafe.com) Centrax software protects and monitors a network.

Trend Micro Incorporated’s (www.antivirus.com) InterScan Applet Trap identifies harmful ActiveX controls and Java applets. Mobile code is appraised as it goes through the HTTP proxy server. If a security problem is noted, the transmission may be stopped. Acceptable code passes through to the web browser and is executed. Malicious applets are noted and listed.

Firewalls

Firewalls use various methods to identify, check, and filter packets into and out of a network. Routers provide the initial level of security by examining IP addresses. A firewall filters incoming and outgoing packets by their source and destination addresses and the nature of the payload. Firewalls are the primary line of defense, protecting local area networks and servers from the Internet.

Hardware-based firewalls scan packets expeditiously and reject those appearing to be part of an attack or those that do not conform to a security policy. Stand-alone firewalls filter incoming packets by type, source, and destination address on the network level, using user-determined guidelines. An application proxy firewall looks for unsuitable requests between a client and the server. A stateful inspection firewall monitors and substantiates client-server requests.

Firewall software requires workable firewall policies and strategies to be fully effective. The firewall should be configured for maximum security possible given the network’s necessary connectivity with the rest of the world. One costly and rare solution is to employ two firewalls from different vendors running different software in combination. It is very unlikely that the two will have the same bug. Selecting a firewall is more crucial where a virtual private network (VPN) is employed. VPN software allows for secure branch connectivity and remote user access. VPN connections should be encrypted to minimize the setup’s security risk.

Axent’s [(888) 44-AXENT] Raptor Firewall provides perimeter security by furnishing full control of information transmitted over the network. Information is substantiated at all levels of the protocol stack, providing a high level of security.

Webtrends Corporation’s (www.webtrends.com) Firewall Suite monitors and reports firewall activity in real time. The package also identifies outgoing usage and protocol distribution, and balances bandwidth.

Zone Labs’ (www.zonelabs.com) ZoneAlarm 2.1 is a stand-alone firewall used in conjunction with other security software. It monitors and regulates transmissions between the network and the outside, and provides controls to access files and applications.

WatchGuard Technologies’ (www.watchguard.com) Live Security System 4.1 is both a hardware firewall and content-filtering system.

Aladdin Knowledge Systems’ (www.ealaddin.com) eSafe includes anti-virus software, firewall protection, and content filtering. It can prevent ActiveX and JavaScript attacks.

Check Point Software Technologies’ (www.checkpoint.com) Check Point VPN-1 provides security protection, URL filtering, spam safeguards, and anti-virus scanning.

Cisco Systems’ (www.cisco.com) Cisco Secure PIX Firewall appliance products are designed for high-performance, scalable firewall protection.

SonicWALL (www.sonicwall.com) Pro offers strong security protection. It is good at deflecting denial-of-service attacks and provides an anti-virus option.

The eSoft Incorporated (www.esoft.com) Interceptor incorporates both firewall and e-mail protection. It also includes site-blocking tools and an Internet access router.

E-Mail

Systems involving e-commerce are particularly vulnerable to disruption through e-mail. In particular, attachments to e-mail messages should be viewed with suspicion; they may be the carrier of a virus. End-to-end encryption, through programs such as S/MIME and PGP, is recommended. Certified Mail (www.certifiedmail.com) is a free e-mail service which can be used to securely transmit e-mail messages with attachments using secure sockets layer (SSL) technology. The sender is notified when the recipient has read the message. Messages can be password-protected and tracked through the delivery process. Even with electronic transactions as simple as an e-mail message, there is no such thing as being too cautious.


Frank J. Grippo, CFE, CPA, is an associate professor of accounting at William Paterson University, N.J., and Joel G. Siegel, PhD, CPA, is a professor of accounting and information systems at Queens College, N.Y.

Editors:

Paul D. Warner, PhD, CPA
Hofstra University

L. Murphy Smith, DBA, CPA
Texas A&M University




The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.


©2009 The New York State Society of CPAs.