Security in the real world
Posted by: Jamie Swedberg

It's lunchtime. Do you know where your company's confidential information is? Alexander Kesler, president of Boston's zTrace Inc., knows a company whose executives thought they knew the answer to that question. But during lunch one day, thieves disguised as electricians spirited away three laptops. Panicked, the firm bought five new laptops, but within five days they had been stolen as well. "You would have thought they would have protected them after the first time, but people tend to not do that," Kesler says. "They thought, 'It happened to us once, so it's not going to happen again.'"

What most companies don't know is that physical exploits can compromise computer systems just as easily as more esoteric, Net-borne assaults. Purloined laptops, stolen passwords, "dumpster diving," unlocked doors--all put a company's most privileged information at risk. What's more, the material world opens security loopholes that aren't available in cyberspace, says Richard Moxley, vice president of technology at Blackbird Technologies, a computer security firm in Herndon, Va. "What we tell our clients is that if an attacker has unrestricted physical access to a system, that's generally sufficient to defeat any security measures you build into the software and configuration."

That's particularly bad news for e-business, where customer data is held in trust and even a hint of physical vulnerability can give investors cold feet. John Klein, president of Rent-a-Hacker, a security consultancy in Fergus Falls, Minn., points out that some users may not realize what sensitive information they hold. The Web design department, for example, often has access to e-business transactions. "When a customer's credit card gets used, that can't be handled internally," he says. "The company has a big problem."

Because of the risks involved, some companies may insist that a potential business partner undergo an independent security audit. In the financial sector, for example, organizations must comply with a set of auditing standards intended to assess both digital and physical vulnerabilities. Moxley says he expects other business sectors to follow suit. "In the future there's going to be more of an opportunity to specify what a partner's obligations are," he says. "I think you're going to see more of that kind of thing, just as a matter of due diligence among partners that are exchanging data."

E-businesses may also be obliged to beef up their physical security in order to secure funding. Moxley describes a case in which an e-commerce firm was seeking venture capital for a Net marketplace. "Before the investors would release the money, they wanted to see an independent assessment of the security of the system." Underwriters also like to see evidence of physical security before a company goes public.

The good news about physical assaults is that, unlike virtual security, most can be prevented by following a few fairly simple security practices.

The enemy within

The easiest way to lose confidential data is to let everyone have access to everything. Unfortunately, that's a fair description of some firms' policies. Many small offices don't monitor access or make sure employees log off computers when they leave. Klein of Rent-a-Hacker says that kind of climate invites security breakdowns. Most perpetrators are employees who want privileged information, but once in a while, competitors break in.

According to Klein, thieves often just sit down at someone's keyboard and start digging. Sometimes they'll do it after hours, but just as often the intrusion will occur while others are walking around, minding their own business. If a computer is secured with a password-protected screensaver or a firewall (see Rent-a-Firewall), it's still not safe. Some screensavers are easily thwarted with a Control-Alt-Delete; whole systems can be laid bare by booting a computer to a floppy disk or CD with an alternate operating system. Or a thief can rely on speed, slipping into a user's chair in the unguarded moments before a secure screensaver kicks in.

By and large, breaches by outside parties are less common than inside jobs (see Who ya gonna call?). But contractors--or people posing as contractors--can also endanger security. That sounds paranoid, but a hardware engineer for a New England networking company who requested anonymity says that a certain degree of paranoia is healthy. "If someone has a reason to want to look inside your systems, they can very easily sneak into a cube farm in a tech company or a departmental office in a university," he says. "Generally, if you know what you're doing, it's easy enough to get anywhere you want that's not heavily defended."

The best way to prevent break-ins is to make sure people don't go where they don't need to be by segregating business units and installing a keycard system. Engineers' keycards shouldn't allow access to the accounting department, and Web designers' cards shouldn't open the door to ad sales.
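The segregation described above is, at bottom, a deny-by-default allow-list keyed on business unit. The following is an added example, not code from the article or from any vendor it mentions: a small keycard policy evaluator that decides each badge swipe from a per-department zone list and collects the denials an auditor or guard would want to review. The department names, zones, badge holders and swipe events are all constructed sample data.

```python
"""Added example (not from the article): a minimal keycard access-policy
check enforcing per-department zone segregation, deny-by-default.
All departments, zones, badges and swipe events below are constructed."""

from dataclasses import dataclass

# Assumed policy: each department may only open doors in the zones listed.
# "lobby" is shared by everyone; any zone not listed is denied.
ZONE_POLICY = {
    "engineering": {"lobby", "engineering-lab"},
    "accounting": {"lobby", "accounting"},
    "web-design": {"lobby", "design-studio"},
    "ad-sales": {"lobby", "ad-sales"},
}


@dataclass(frozen=True)
class Badge:
    holder: str
    department: str
    active: bool = True  # deactivated badges (e.g. departed staff) open nothing


@dataclass(frozen=True)
class SwipeEvent:
    badge: Badge
    zone: str
    timestamp: str  # ISO-8601 text; kept as a string for the sample


def is_allowed(badge: Badge, zone: str) -> bool:
    """Deny-by-default: a badge opens a door only if it is active and its
    department's allow-list names that zone. Unknown departments get
    an empty allow-list, so they are denied everywhere, lobby included."""
    if not badge.active:
        return False
    return zone in ZONE_POLICY.get(badge.department, set())


def evaluate(events):
    """Decide every swipe; return (decisions, denials).
    Denials are the audit-log records worth a human look: someone
    trying doors that do not belong to their business unit."""
    decisions = []
    denials = []
    for ev in events:
        ok = is_allowed(ev.badge, ev.zone)
        decisions.append((ev.timestamp, ev.badge.holder, ev.zone, ok))
        if not ok:
            denials.append(ev)
    return decisions, denials


def denials_by_holder(denials):
    """Count denied swipes per badge holder, for a quick review summary."""
    counts = {}
    for ev in denials:
        counts[ev.badge.holder] = counts.get(ev.badge.holder, 0) + 1
    return counts


# Constructed sample badges and swipes (not real people or events).
alice = Badge("alice", "engineering")
bob = Badge("bob", "web-design")
carol = Badge("carol", "accounting", active=False)  # left the firm, badge never collected

SAMPLE_EVENTS = [
    SwipeEvent(alice, "lobby", "2001-03-05T08:55:00"),
    SwipeEvent(alice, "engineering-lab", "2001-03-05T09:00:00"),
    SwipeEvent(alice, "accounting", "2001-03-05T12:10:00"),   # engineer at the accounting door: denied
    SwipeEvent(bob, "ad-sales", "2001-03-05T12:12:00"),       # designer at the ad-sales door: denied
    SwipeEvent(bob, "design-studio", "2001-03-05T12:15:00"),
    SwipeEvent(carol, "accounting", "2001-03-05T12:20:00"),   # inactive badge: denied even in its own unit
]

if __name__ == "__main__":
    decisions, denials = evaluate(SAMPLE_EVENTS)
    for d in decisions:
        print(*d)
    print("denied swipes per holder:", denials_by_holder(denials))
```

The design choice worth noting is that an unknown department yields an empty allow-list rather than a default zone, so a badge whose record was never provisioned properly fails closed instead of quietly inheriting lobby access.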

Outsiders can be monitored by traditional security means. "Have it set up so that someone who doesn't belong there stands out, whether that's by requiring that people be escorted, or requiring that there be badges," Moxley advises. "People should have to sign in and sign out." Alarm systems and video cameras can thwart after-hours intrusions.

Above all, employees should be enlisted in security efforts. Vice presidents as well as customer service reps should understand that it's their responsibility to watch for signs of illicit activities: employees using systems in ways that don't seem to relate to their jobs, inexplicable changes in people's work patterns, strange network malfunctions. "As far as actually protecting the computers, it's almost as much the individual's responsibility as it is the company's," says the hardware engineer.

Paper, paper everywhere

Proprietary data has a bad habit of walking away, and companies should never forget it when they take their trash to the dumpster. Moxley says that industrial spies have been known to rifle through printouts, paper waste, and magnetic media to find network diagrams, passwords, and user lists. "Going through trash is a fantastic way of doing target analysis and gathering information that will help them break in," he says. Even a phone list can be problematic in the wrong hands. Thieves can assume the identity of an employee, call the company's help desk, and ask for a new password.

Passwords, the most common and cheapest form of computer security, are the stuff of life for material-world hackers. Most computer users choose generic, simple passwords that can be easily guessed or cracked with brute-force programs freely available on the Web. In response, many companies require users to combine upper-case letters, lower-case letters, numbers, and symbols in their passwords. But this creates another problem--when a password is difficult to remember, people tend to write it down--the Post-it notes syndrome. Administrators should try to strike a balance between the simple and the obscure.

An even worse password infraction is sharing accounts. That's bad enough in a company where everyone has his or her own cubicle, but it's a massive headache in a shared-terminal environment. One of Klein's clients is a magazine subscription fulfillment company where only three out of 2,200 employees have their own computers; everyone else shares. "The call center manager has to enforce that they don't give each other usernames and passwords," he says. "If one guy's logged in for three weeks at a time and everybody uses it, then we don't know who did what when something goes wrong."

Employers can best reduce password abuse and loss by setting and enforcing policies. The IT department needs to communicate with the frontline managers and explain to them why security policies exist, so the company's security isn't compromised by lax behavior.
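The two symptoms of account sharing that the fulfillment-center example above describes, one login left open for weeks and one username in use on several terminals at once, are both visible in an ordinary login/logout log. The following is an added example, not code from the article or from Rent-a-Hacker: detection logic that parses a constructed log, flags concurrent logins of one account on different terminals, and lists sessions still open longer than an assumed one-day limit. The log lines, usernames, terminal names and the "current time" are all constructed.

```python
"""Added example (not from the article): detect account sharing from a
constructed login/logout log. Flags (a) one username logged in on two
terminals at the same time and (b) sessions open longer than a limit.
Log lines, usernames, terminals and the reference time are constructed."""

from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, username, terminal
SAMPLE_LOG = """\
2001-03-05T08:00:00 LOGIN  jsmith  term-17
2001-03-05T08:05:00 LOGIN  jsmith  term-22
2001-03-05T16:30:00 LOGOUT jsmith  term-22
2001-03-05T08:10:00 LOGIN  mlee    term-03
2001-03-05T16:45:00 LOGOUT mlee    term-03
2001-03-26T09:00:00 LOGIN  mlee    term-03
"""

NOW = datetime(2001, 3, 26, 12, 0, 0)   # constructed "current time" for the sample
MAX_SESSION = timedelta(days=1)         # assumed policy: no shared-terminal login lasts past a day


def parse_log(text):
    """Parse lines into (time, kind, user, terminal), oldest first.
    Log lines may arrive out of order, so sort by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, term = line.split()
        events.append((datetime.fromisoformat(ts), kind, user, term))
    events.sort(key=lambda e: e[0])
    return events


def analyze(events, now=NOW, max_session=MAX_SESSION):
    """Replay the log, tracking open sessions per user.

    Returns a dict with:
      "concurrent": (time, user, already_open_terminal, new_terminal)
                    for every login while the same user is open elsewhere
      "stale":      (user, terminal, age) for sessions still open at `now`
                    and older than max_session
    """
    open_sessions = {}   # user -> {terminal: login_time}
    concurrent = []
    for ts, kind, user, term in events:
        sessions = open_sessions.setdefault(user, {})
        if kind == "LOGIN":
            for other in sessions:
                if other != term:
                    concurrent.append((ts, user, other, term))
            sessions[term] = ts          # re-login on the same terminal just resets the clock
        elif kind == "LOGOUT":
            sessions.pop(term, None)     # logout without a login is ignored, not an error
    stale = []
    for user, sessions in open_sessions.items():
        for term, started in sessions.items():
            age = now - started
            if age > max_session:
                stale.append((user, term, age))
    return {"concurrent": concurrent, "stale": stale}


if __name__ == "__main__":
    findings = analyze(parse_log(SAMPLE_LOG))
    for ts, user, a, b in findings["concurrent"]:
        print(f"{ts} {user} already open on {a}, logged in again on {b}")
    for user, term, age in findings["stale"]:
        print(f"{user} on {term} has been logged in for {age.days} days")
```

Run against the sample, the analysis reports jsmith open on two terminals at 08:05 and a jsmith session on term-17 that has been open for three weeks; mlee's fresh session is not flagged. In practice the thresholds and the log format would come from the terminal server or directory in use, which is why both are parameters here.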

Trouble on the move

It's common practice for thieves to stroll through unlocked offices with impunity, picking up one or two computers for the road. Many companies stymie such thefts by tethering machines to the desktop with cables, but that tactic doesn't work for portables. Notebooks left lying around the office can be waltzed out the door under a coat. And traveling laptops are the easiest pickings of all.

"Most laptops are stolen at conferences, expos, hotels and airports," Kesler says. "Then, thieves resell them through Internet auctions or want ads in the newspapers." Insurance statistics show that the average stolen laptop costs a company about $80,000 in lost productivity, corporate secrets, and irreplaceable data. Kesler's company markets software that resides invisibly on a computer until the owner reports the unit stolen. Then, if the computer is used to log onto the Internet, zTrace's server homes in on it and notifies police. Sometimes the data is intact; Kesler says that most computer thieves are in it for the 70-cents-on-a-dollar resale value, and usually don't bother to delete files.

But if the thief is a hacker, or knows a hacker, look out; hooked up to a DSL or cable connection, an employee's notebook can function as a back door into the network for Trojan horses (the type of hacking program that attacked Microsoft), worms, and humans bent on destruction.

Digital fortresses

A company's servers, repositories of its most precious information--client lists, credit card numbers, contracts, sensitive e-mails, software source code--are not immune to tampering. Most small to mid-sized businesses don't have the resources to guard the crown jewels around the clock, which explains the growing popularity of Web hosting in Internet data centers (IDCs). Data centers, the digital equivalent of Fort Knox, provide both redundancy (to guard against lost data) and secure space (to keep intruders' hands off the goods).

Steve Urquhart, a branch manager at Firstworld, a Denver company that operates a nationwide network of IDCs, says that any downtime, whether accidental or malicious, is poison to a computer-based company. "Not only do you lose sales that night, but you probably lost that customer, because he's going to go somewhere else," he says. "If it hasn't happened to you, it's probably going to."

Data centers like Firstworld aren't impregnable, but they're as close as you can get in an insecure world. They employ human security guards, keycards, escorts, identity cards, off-site monitoring, video cameras, two-way mirrors, and a variety of other measures to protect data. It's worth touring a state-of-the-art IDC even if you plan to take responsibility for your own server security; you may pick up a few tips.

Jamie Swedberg is a freelance technology writer in Nashville, Tenn.

Copyright © 1994-2008 ComputerUser, Inc., All Rights Reserved All marks are trademarks of ComputerUser Media.