THE CPA AND THE COMPUTER
August 2002
Internet Security and the CPA
By Marc Niederhoffer
More than ever, companies need to commit money and resources to the protection
of their network systems. The 2001 Computer Crime and Security Survey, which included
responses from 538 computer security practitioners in various institutions, contained
some sobering figures:
- 85% of respondents detected computer security breaches in the last 12 months.
- 64% acknowledged financial losses due to the breaches.
- 35% quantified their losses, a total of almost $400 million.
- 40% detected system penetration from the outside.
- 91% detected employee abuse of Internet access privileges.
- 94% detected computer viruses.
Another survey
found that U.S. businesses spent only 0.02% of their top-line revenue on data
security and that 75% of business networks are wide open to hacking. Although
smaller companies seldom see themselves as targets, experts say attackers scan
entire networks and view any site as fair game.
A useful way to think of the
Internet is as a series of smaller networks that anyone can access. Corporations
or governments manage many of these smaller networks but no one has overall control.
There are opposing views as to what role the government should play. In the meantime,
nonprofit groups such as the Internet Society (www.isoc.org)
promote the cooperation and coordination of Internet applications and technologies.
Vulnerable Information
Numerous online databases (e.g., www.anywho.com and www.peoplefind.com) provide access to considerable amounts of information, at no charge:
- Names, addresses, phone numbers (even many unlisted numbers), fax numbers, and e-mail addresses.
- Location maps of any specified address.
- High school and college alumni.
For a fee, more information is available:
- Residential addresses going back 10 years
- Descriptions of property owned, past and present
- Bankruptcies, liens, and judgments
- Professional licenses
- Criminal convictions
- Driving records
- Civil litigation.
With so much information available online, individuals are right to think they
need to take steps to protect themselves. Internet users should regularly delete
their browser’s history lists and memory caches and use a pseudonym and
alternate e-mail address when posting to newsgroups. They should consider using
an Internet privacy service, such as Zero Knowledge Systems (www.zeroknowledge.com)
or Anonymizer (www.anonymizer.com).
Before entering credit card or similar information into a website, one should
be certain that the website is secure. A secure site’s uniform resource
locator (URL) will begin with “https” instead of “http.”
Businesses need to safeguard the company’s networks, workstations, e-mail
systems, and software. A substantial loss in any of these areas could have a material
effect on the value of the company’s goodwill. Properly designed safeguards
will protect business data, customer lists, employee identities, bank data, proprietary
information, account numbers, and financial assets.
Security Threats and Defenses
Networks need to be protected from both outsiders (hackers and crackers) and insiders (employees and other individuals with access to the network). The industry defines hackers as individuals with extensive computing knowledge who look for internal and external system holes, some for fun, others for a purpose. Crackers are individuals who try to break into a system by guessing or cracking user and system passwords. There are a variety of ways a hacker can attack a computer system:
- Denial of service attacks prevent legitimate users from entering a website. The most famous was the 1998 “Ping of Death” attack that crashed a wide variety of machines at several large public companies.
- Distributed denial of service attacks happen when a hacker uses multiple computers to overload a network’s bandwidth. Yahoo was recently shut down by such an attack.
- Denial of access to applications occurs when a hacker overwhelms a computer with requests for a response.
- Viruses, one of the best known forms of attack, rely upon destructive programs that infiltrate networks and workstations. These attacks can bring systems down by damaging information and preventing software from operating correctly. Recent viruses include Code Red, Love Bug, and the Love viruses.
Hackers use the following tools to enter networks:
- Trojan horse programs allow hackers to enter a network through the e-mail system. When an infected e-mail is opened, the hacker’s program can be executed.
- Footprinting occurs when the hacker obtains information about a computing environment, such as its IP address or domain, server, and Internet names.
Creating a secure network begins with the network architecture, which should include the following:
- Authentication methods, of which passwords are the most common. Password policy should specify that passwords based on actual words or names are not allowed. Strong passwords, which use upper and lower case letters along with numbers, are recommended.
- Encryption transforms an electronic message so that only the holder of the proper key can decrypt it. The main types of encryption are private key encryption, which uses one key both to encrypt and to decrypt information, and public key encryption, which uses two different keys. Although public key encryption provides greater security, it is slower and costs more to maintain. The best approach is to use public key encryption to exchange keys and authenticate the connection, and private key encryption to encrypt the traffic.
- A proxy server can be a software or hardware package that provides security by making the proxy, rather than the internal workstation, appear to be the originator of requests for information. It resides between the Internet and a company’s internal network. Proxy servers have high administrative requirements in larger networks.
- Firewalls are hardware or software that act as a protective barrier around an internal network. They keep track of connections, analyze incoming traffic, and accept it if it is in direct response to an active session. Certain types of firewalls require skilled personnel to maintain them. Firewalls usually reside first in the network design and are particularly important for high-speed, always-on connections.
- Routers, somewhat similar to firewalls, allow or deny traffic to its intended destination based on packet-level information.
- A “demilitarized zone” is an area of a company’s network that is separate from the local area network (LAN). This design allows the company to set permissions for the web server and lock down the rest of the network.
- A “dead zone” is a network segment between two routers that is not running the TCP/IP (transmission control protocol/Internet protocol) suite.
- Virus protection software, which should be updated regularly.
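The firewall behaviour described in the list above (track connections, admit inbound traffic that answers an active session, and otherwise let in only published services such as a web server) can be shown in a few lines. The following is an added illustration, not the article's code or any vendor's product; the packet layout, the addresses, and the single published port 80 are all constructed for the example.

```python
"""Toy stateful packet filter. Added example: it models the connection-tracking
rule described in the text, with a constructed packet format and sample traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port
    direction: str  # "out" = from the internal network, "in" = from the Internet


class StatefulFirewall:
    def __init__(self, allowed_inbound_ports=()):
        # Services deliberately exposed to the Internet (e.g. a DMZ web server).
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        # Active sessions keyed by (inside IP, inside port, outside IP, outside port).
        self.sessions = set()

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet and update the session table."""
        if pkt.direction == "out":
            # Outbound traffic is allowed and opens a session the reply may use.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accept if it is the reply to a session the inside opened ...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "ACCEPT"
        # ... or if it targets an explicitly published service.
        if pkt.dport in self.allowed_inbound_ports:
            return "ACCEPT"
        return "DROP"


def run_demo():
    """Run constructed sample traffic through the filter and return the verdicts."""
    fw = StatefulFirewall(allowed_inbound_ports={80})
    packets = [
        Packet("10.0.0.5", 40001, "203.0.113.9", 443, "out"),    # LAN host opens HTTPS
        Packet("203.0.113.9", 443, "10.0.0.5", 40001, "in"),     # reply to that session
        Packet("198.51.100.7", 5555, "10.0.0.5", 40001, "in"),   # unsolicited, same port
        Packet("198.51.100.7", 5555, "10.0.0.20", 80, "in"),     # published web server
        Packet("198.51.100.7", 5555, "10.0.0.20", 23, "in"),     # telnet probe, no session
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third packet is the instructive one: it arrives on the same inside port as the legitimate reply, but from a different host, so the session table does not match and it is dropped. A real firewall also expires idle sessions and inspects protocol state, which this toy omits.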
With the advent of the home office, many companies are creating virtual private
networks (VPN), which are used to communicate with remote sites, usually over
private leased phone lines. Information is kept secure, but the system is expensive
and slow. The current trend is to move the VPN to network lines; however, they
need to be properly designed to keep the information from being available through
the Internet.
Setting Security Policy
A company security policy should establish employees’ use of the following:
- E-mail, including a description of what messages can come in and go out (e.g., whether all incoming mail with executable attachments from unlisted e-mail addresses is blocked)
- Internet use (e.g., whether hosting a personal website or usenet group is permitted)
- Use of the company’s computers and network for playing games or storing personal information
- Use of business data (e.g., what information is and is not available for employees’ use).
The policy should define acceptable behavior and provide for adequate training
and a method of monitoring adherence.
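A written policy is only enforceable if it can be checked. The password rules given earlier in the article (no passwords based on words or names; upper and lower case letters plus numbers) are a good candidate for an automated check at password-change time. The following is an added example, not the article's code or any product: the word and name lists are tiny constructed samples, and the eight-character minimum is an assumption the article does not make.

```python
"""Password policy check for the rules recommended in the text. Added example;
the word/name lists are constructed samples and MIN_LENGTH is an assumption."""

# Constructed sample lists. A real deployment would load a full dictionary plus
# the company's own employee, customer and product names.
COMMON_WORDS = {"password", "summer", "welcome", "company", "letmein", "qwerty"}
COMMON_NAMES = {"michael", "jennifer", "robert", "linda", "marc"}
MIN_LENGTH = 8  # assumed value; the article does not state a length


def _letters_only(pw):
    """Lower-case the alphabetic characters, so 'Summer2002!' compares as 'summer'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(ch.islower() for ch in pw):
        problems.append("no lower case letter")
    if not any(ch.isupper() for ch in pw):
        problems.append("no upper case letter")
    if not any(ch.isdigit() for ch in pw):
        problems.append("no digit")
    letters = _letters_only(pw)
    # Substring match, so 'Summer2002Report' is still caught as word-based.
    for word in sorted(COMMON_WORDS | COMMON_NAMES):
        if len(word) >= 4 and word in letters:
            problems.append("based on the word or name '%s'" % word)
            break
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2002", "Marc2002!", "Tr7pq!Lz9"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Appending digits to a word ("Summer2002") is the most common way users satisfy a mixed-character rule while still choosing a dictionary password, which is why the check strips the digits before comparing against the word list.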
Detection Systems
Detection systems fall into two basic categories.
- Host-based internal detection systems (HIDS), whereby the HIDS reside on a particular host and look for indications of an attack on that host.
- Network-based internal detection systems (NIDS), where the NIDS reside on a separate system that watches network traffic, looking for indications of an attack that traverses that portion of the network.
Although an NIDS can be more cost-effective, an HIDS may be more appropriate for organizations more concerned about legitimate information than about hackers.
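The two categories can be made concrete with one small detector of each kind: a host-based check that notices when files on a host change against a stored baseline, and a network-based check that flags the distributed denial of service pattern described earlier (many sources hitting one target in a short window). This is an added example, not the article's code or any product; the file contents, the connection log lines, and the five-second/four-source thresholds are all constructed or assumed.

```python
"""Toy HIDS and NIDS. Added example: file contents and log lines are constructed,
and the flood thresholds are assumptions rather than anything from the article."""
import hashlib
from collections import defaultdict
from datetime import datetime


# ---- Host-based: watch the files on one host for unexpected change ----------
def baseline(files):
    """files maps path -> bytes; return path -> SHA-256 digest to store as the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def hids_check(files, expected):
    """Compare the current file set against the baseline and list discrepancies."""
    current = baseline(files)
    findings = []
    for path in sorted(set(current) | set(expected)):
        if path not in expected:
            findings.append("new file: " + path)
        elif path not in current:
            findings.append("missing file: " + path)
        elif current[path] != expected[path]:
            findings.append("modified: " + path)
    return findings


# ---- Network-based: spot many sources hitting one target in a short window ---
# Constructed log lines: "<date> <time> <source> -> <destination>:<port>".
CONNECTION_LOG = [
    "2002-08-01 09:00:00 198.51.100.11 -> 10.0.0.20:80",
    "2002-08-01 09:00:01 198.51.100.12 -> 10.0.0.20:80",
    "2002-08-01 09:00:01 198.51.100.13 -> 10.0.0.20:80",
    "2002-08-01 09:00:02 198.51.100.14 -> 10.0.0.20:80",
    "2002-08-01 09:00:03 198.51.100.15 -> 10.0.0.20:80",
    "2002-08-01 09:00:00 203.0.113.5 -> 10.0.0.21:443",
    "2002-08-01 09:00:30 203.0.113.6 -> 10.0.0.21:443",
]


def nids_flood_alerts(lines, window_seconds=5, min_sources=4):
    """Alert once per target when at least min_sources distinct sources connect to it
    within window_seconds (the distributed flood pattern). Thresholds are assumed."""
    by_target = defaultdict(list)
    for line in lines:
        date, time, src, _arrow, target = line.split()
        by_target[target].append((datetime.fromisoformat(date + " " + time), src))
    alerts = []
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                alerts.append((target, len(sources)))
                break
    return alerts


def run_demo():
    """Constructed host snapshot, a tampered copy of it, and the sample log."""
    files = {"/bin/ls": b"ELF original binary",
             "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh"}
    expected = baseline(files)
    tampered = dict(files)
    tampered["/bin/ls"] = b"ELF replaced binary"      # binary swapped out
    tampered["/tmp/.hidden"] = b"dropped file"        # file that was not there before
    return hids_check(tampered, expected), nids_flood_alerts(CONNECTION_LOG)


if __name__ == "__main__":
    host_findings, net_alerts = run_demo()
    print(host_findings)
    print(net_alerts)
```

The host-based check sees only what happens on the host it runs on, and needs the baseline stored somewhere the host cannot alter; the network-based check sees every segment it is attached to but knows nothing about what happened on the machine once the traffic arrived. That difference is the trade-off the paragraph above is pointing at.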
Suggested Additional Reading (sidebar)
Marc Niederhoffer, CPA, is a partner of Buchbinder Tunick & Co. LLP, and a member of the NYSSCPA Emerging Technologies Committee.
Editors:
Paul D. Warner, PhD, CPA, Hofstra University
L. Murphy Smith, DBA, CPA, Texas A&M University
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2002 CPA Journal.