TMCnet - World's Largest Communications and Technology Community
December 1997


It's Time To Shore Up The Front Lines Of Network Defense

BY DAVE POWER, SECURITY DYNAMICS

Passwords have long been the front line of defense protecting information systems and networks. The security of passwords has come under considerable scrutiny in recent months as a result of several well-publicized security breaches of information systems and networks. The problem, however, is that even well-composed passwords can be intercepted and “stolen” by today’s more sophisticated system attackers. The Internet, a global web of thousands of networks, is under nearly constant assault from a wide range of advanced system intruders. With the overwhelming growth of the Internet, the time for reusable passwords has passed.

In recent months, unidentified system “crackers” have deployed password-gathering programs and have succeeded in collecting tens of thousands of passwords. The attacks on the Internet are particularly worrisome because a growing number of commercial and nonprofit organizations are now eyeing the Internet as a new avenue for conducting business. It’s worth noting that although the Internet break-ins have received most of the publicity, the problem of illegal access cuts across networks of all types, especially the local- and wide-area networks (LANs and WANs) in widespread use today.

INTERNET SECURITY ISSUES
The vulnerability of reusable passwords has been made shockingly apparent in recent months following a rash of computer break-ins linked to the Internet. Several Internet service providers were attacked in an orchestrated effort to gather passwords that could be used to penetrate still other computers with Internet links. An unknown group of system crackers planted programs designed to capture the passwords of users as they logged into the penetrated systems. It is estimated that the intruders managed to harvest a great many passwords before their illegal programs were discovered. Such illegal escapades worry companies because the massive network is destined to become a cornerstone for the nascent “information superhighway.” In something akin to a modern-day gold rush, commercial organizations are scrambling to get a stake in the Internet.

As the number of networks, hosts, and users on the Internet has mushroomed, so too have security incidents.

The rapid increase in commercial traffic is also making it more difficult to track and stop breaches. Although there is as yet little hard evidence of companies with Internet links having suffered significant losses as a result of security breaches, it is only a matter of time, according to many security experts. The Federal Bureau of Investigation, for example, says that the Internet is used to break into systems in more than 80 percent of the computer crime cases it investigates. For the most part, these attacks have been aimed at universities, research centers, and other non-commercial sites. Such attacks obviously have financial implications, but they are still difficult to quantify. One reason is that many victim organizations are reluctant to report security-related incidents to law enforcers.

Still, it is easy to envision the consequences a security breach via the Internet might have for a commercial organization. Given the enormous reliance most organizations now place on information systems technology, unauthorized tampering with those systems or the theft of the information they contain could have serious financial impact. In addition to data loss, organizations face computer and/or network downtime, lost productivity, and the possibility of negative publicity in the marketplace. In a survey conducted this year by Infosecurity News, 49 percent of the more than 1,200 respondents reported that their system security had been breached by at least one of the following: successful unauthorized system access by an outsider; abuse of access privileges by an employee; abuse of access privileges by an authorized user; leakage of confidential information; or destruction of data.

Not surprisingly, the lack of adequate security is also hindering many organizations with Internet protocol networks that could otherwise conduct business on the Internet. The Internet Society estimates that about half of all networks are not tied into the Internet primarily because their network administrators are too fearful of the security risks.

THE GROWTH OF THE INTERNET
Dataquest, a market research and consulting company, estimates that by the year 2001, nearly 268 million users worldwide will be accessing the Internet, while less than 10 years ago, there were only an estimated half a million users.

One of the Internet’s key strengths, and one of its weaknesses, is that no one agency or organization is responsible for its overall management. Thus, it has been free of bureaucratic control and burdensome regulation. Conversely, management is decentralized and informal, residing primarily at the host site and the individual network levels. Early in the Internet’s development, responsibility for managing and securing host computers was given to end users — the host sites, such as college campuses and federal agencies, that owned and operated them. It was believed that the host sites were in the best position to manage and determine a level of security appropriate for their systems. Each of the Internet’s thousands of networks maintains operational control over its own network, whether it is a backbone network, regional network, or LAN.

THERE’S GOT TO BE A BETTER WAY
There have been a multitude of cases where the systems of some service providers have been compromised by a group of unidentified intruders. System crackers are able to capture passwords and login IDs for thousands of systems across the Internet, using a variety of network packet-sniffing programs, according to the Computer Emergency Response Team (CERT), an Internet security watchdog organization. “Intruders can use the captured information for subsequent access to those hosts and accounts,” CERT explained in a security advisory. “This is possible because the password is used over and over and the password passes across the network in clear text.”

The short-term solution, according to CERT, is for all users on sites that offer remote access to change their passwords frequently. In addition, sites that support a so-called “promiscuous network interface” are advised to disable this feature or implement a policy that permits only authorized users and programs to access this particular feature. However, this is only a quick-fix solution.

Traditional user authentication by means of reusable passwords does not provide strong security in today’s networked environment — with or without encryption. Information systems protected by advanced methods such as tokens or smart cards (which are used to generate one-time passwords) are far more secure.

ELIMINATE RELIANCE ON REUSABLE PASSWORDS
The best long-term solution to prevent these and other sorts of attacks is to eliminate or reduce the transmission of reusable passwords in clear text over the network; the only fully effective long-term solution is to not transmit reusable passwords on the network at all. As a means of eliminating reliance on stand-alone passwords, today’s information systems managers may choose from several access control technologies, such as dialback systems, biometric devices, and a series of “token technologies” including challenge/response “calculators,” smart cards that require card readers, and time-synchronized “super” smart cards that can be used without a card reader. Each of these authentication systems offers its own unique advantages.

However, dialback systems can’t authenticate users on the road and can be rendered useless by convenient telephone features like call forwarding. Dialback systems aren’t designed to secure Internet access and are therefore not a comprehensive solution. Also, these types of technologies often authenticate terminals only — not users. And while biometric devices may be highly effective in authenticating user identity, their cost and lack of portability may preclude their use in today’s mobile computing environments.

Information systems that deploy challenge/response technology require that the user accurately respond to a challenge, or request for a password, from the host computer. The response or password may be generated by a calculator carried by the user. Some tokens are somewhat bulky and may require the user to proceed through a number of steps (anywhere from 4 to 8) before allowing system access. This is a time-consuming process that tends to lead to user frustration. Smart cards requiring card readers restrict users who travel and may be expensive in terms of host-end and application software support. In contrast, the time-synchronized super smart card contains a microprocessor that generates and displays a new password every time it is used or within a predetermined period of time (usually every 60 seconds).

The premise of using a smart card for security applications is based on a long recognized notion that there are three ways for a user to authenticate himself or herself:

  • Something the user knows, such as a PIN or reusable password.
  • Something the user has, such as a smart card or a token.
  • Something specific to the user, such as his fingerprint or voice.

More advanced security technologies employ at least two of these three factors of user identification and authentication. The first factor is a memorized personal identification number; the second factor is a smart card with its displayed code generated at a programmed interval. The two factors combine to produce a one-time password.
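To make the two-factor, time-synchronized scheme concrete, here is an added example that is not Security Dynamics’ product code (its token algorithm is proprietary), so it uses the open HMAC-based time-step construction of RFC 6238 with the article’s 60-second interval. The server side accepts one interval of clock drift and remembers the last interval used, so a passcode captured off the wire by a sniffer fails on replay even within its own minute; the seed, PIN and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's "new password every 60 seconds"
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one interval of clock skew either side


def interval(now: float) -> int:
    """The 60-second interval both the card and the server are counting."""
    return int(now) // STEP_SECONDS


def token_code(seed: bytes, counter: int) -> str:
    """Code the card would display for an interval: HMAC-SHA1 truncated to DIGITS."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Authenticator:
    """Server side: 'something you know' (PIN) + 'something you have' (token seed)."""

    def __init__(self):
        # user -> {"pin": sha256(PIN), "seed": card seed, "last": last interval accepted}
        self.users = {}

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        # Constructed simplification: a real deployment would salt and stretch the PIN hash.
        self.users[user] = {"pin": hashlib.sha256(pin.encode()).digest(),
                            "seed": seed, "last": -1}

    def verify(self, user: str, passcode: str, now: float) -> bool:
        """passcode = PIN followed by the DIGITS currently shown on the card."""
        rec = self.users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), rec["pin"]):
            return False
        base = interval(now)
        for c in range(base - DRIFT_STEPS, base + DRIFT_STEPS + 1):
            # c > last: each interval's code is accepted once, so a sniffed
            # passcode is useless even if replayed within the same minute.
            if c > rec["last"] and hmac.compare_digest(token_code(rec["seed"], c), code):
                rec["last"] = c
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-demo-seed"      # in practice burned into the card at manufacture
    auth = Authenticator()
    auth.enroll("alice", "4321", seed)
    now = 1_000_000
    sniffed = "4321" + token_code(seed, interval(now))   # what a packet sniffer would capture
    print("first use:", auth.verify("alice", sniffed, now))        # True
    print("replay   :", auth.verify("alice", sniffed, now + 5))    # False
    print("3 min on :", auth.verify("alice", sniffed, now + 180))  # False
```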

FIREWALL OPTIONS
Commercial organizations that are considering conducting business on the Internet are turning to electronic firewalls that insulate the organizations’ vital information systems from outsiders, yet permit the organizations to securely transfer and receive information via the Internet. These firewalls offer varying degrees of security, however. A screening router firewall, for example, can be configured with a set of access rules that will filter out many would-be intruders. Using a router as a screening firewall is convenient because it is usually already in place. But this method of controlling access cannot be customized to specific network environments, does not authenticate users, and has no audit capability. If not properly set up, the firewall may have trapdoors through which intruders can surreptitiously enter.

A UNIX-based firewall — a server with UNIX-programmed filtering, security, and auditing — is effective in allowing users to telnet directly to an application server; however, the network administrator must create and maintain the security architecture, programming for every possible exposure. Application-level firewalls allow users to telnet to an application-level prompt, and include a high level of preprogrammed, customizable network and security functionality. Application-level firewalls can be configured to be virtually impenetrable, but may be expensive and difficult to administer.

Most firewalls still rely upon static passwords as a means of authenticating a user’s identity. An unauthorized user may gain access to a system using a dummy password and then create a “backdoor” for future access, thus reducing firewall security levels. In summary, firewall security technologies can be highly effective in controlling Internet access. However, they are most effective when combined with two-factor authentication procedures that utilize one-time passwords.

CONCLUSION
All the recent attacks on networks (whether LANs or the vast Internet) have one thing in common: The intruders were able to penetrate those networks and expand their illegal activities by exploiting reusable passwords, thus rendering all other controls useless.

Traditional user authentication by means of reusable passwords is no longer adequate for providing strong security in today’s networked environment. It has become increasingly obvious that information systems protected by advanced methods, such as super smart cards which are used to generate one-time passwords, are far more secure. Today’s network managers should evaluate their enterprise networks and implement policies and procedures for controlling access to networks through all access points. Organizations facing the challenge of securing Internet access should take action immediately by installing proven, highly secure access control products that will eliminate the threat of unauthorized network access through reusable passwords.

Dave Power is senior vice president of marketing and corporate development, Security Dynamics Technologies, Inc. Security Dynamics designs, develops, markets, and supports a family of security products that protect and manage access to computer-based information resources. The company develops software and hardware products that verify the identity of authorized users and prevent unauthorized access to information on computers and networks. For more information, visit the company’s Web site at www.securitydynamics.com.


Firewalls: Just One Element Of Network Security

BY JUDY KING

For most information systems professionals, security is the controlled absence of disruption to IT-related business operations. In a perfect world, a secure operation keeps hackers from breaking into your network or servers. Understanding enterprise network security is no easy task, however, and consequently every vendor takes a different approach to it. The adage, “If your only tool is a hammer, every problem looks like a nail,” is an apt description of the way many of these security product vendors promote their wares. The truth is, no single product covers every aspect of enterprise network security. Firewalls alone do not provide total security. Neither do encryption, authentication, or virus protection. Good security requires a wide range of integrated products and services.

ENTERPRISE NETWORK SECURITY COMPONENTS
Threats to enterprise network security come from many sources. The following elements are principal means for protecting organizations from digital mischief: a well-planned security policy (including the LAN), firewalls, encryption, anti-virus measures, and methods of identifying and authenticating users. These elements require substantial integration and interoperability to smoothly implement an organization’s security policy.

CREATING POLICY
Security products will not do much good unless they follow a well-thought-out enterprise security policy. Creating a policy requires cooperation between IT staffers, business unit managers, and senior executives. Generally, a policy should follow one of two philosophies:

  • That which is not expressly prohibited is permitted.
  • That which is not expressly permitted is prohibited.

The former is less intrusive but will not provide maximum protection. The latter requires discussion and buy-in from management because it affects the workflow of the entire organization — all the way down to rules for locking offices and filing cabinets, and discarding waste paper. The use of security technology, such as a firewall, generally requires the second philosophy.

LAN SECURITY
Popular local-area network (LAN) operating system software provides many security options — many of which are not used. Network managers can immediately beef up protection by implementing security features such as log-in restrictions on specific workstations, days of the week, and hours of the day. More stringent password policies also create extra barriers, such as increasing the minimum password length and forcing regular password changes. Another overlooked area is share-level security, rarely used with appropriate precision. Rigorous application of LAN security features can bolster protection from internal breaches.
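As an added example, not from the article or any LAN vendor’s software, the log-in restrictions just described expressed as a policy check and an audit over constructed login records in Python. The record format (date, time, user, workstation) and the two sample policies are assumptions; the check applies the default-deny philosophy, so a user with no policy entry is refused, and the hours window handles overnight shifts that wrap past midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class LoginRestriction:
    workstations: frozenset   # permitted workstation names; empty set means any
    days: frozenset           # permitted weekdays, Monday=0 .. Sunday=6
    start: time               # first permitted time of day
    end: time                 # end of window (exclusive); earlier than start for overnight shifts


def in_window(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end), handling windows that wrap past midnight."""
    if start < end:
        return start <= t < end
    return t >= start or t < end


def login_allowed(policy: dict, user: str, workstation: str, when: datetime) -> bool:
    """Default deny: a user with no entry, or outside any one restriction, is refused."""
    r = policy.get(user)
    if r is None:
        return False
    if r.workstations and workstation not in r.workstations:
        return False
    if when.weekday() not in r.days:
        return False
    return in_window(when.time(), r.start, r.end)


def audit(policy: dict, log_lines: list) -> list:
    """Replay 'YYYY-MM-DD HH:MM user workstation' records; return those the policy refuses."""
    violations = []
    for line in log_lines:
        date, clock, user, ws = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        if not login_allowed(policy, user, ws, when):
            violations.append(line)
    return violations


WEEKDAYS = frozenset(range(5))
POLICY = {
    # accounts clerk: two named workstations, office hours, Monday to Friday
    "jsmith": LoginRestriction(frozenset({"WS-ACCT-07", "WS-ACCT-08"}),
                               WEEKDAYS, time(7, 0), time(19, 0)),
    # night operator: any workstation, any day, 22:00 to 06:00 (wraps midnight)
    "nightops": LoginRestriction(frozenset(), frozenset(range(7)), time(22, 0), time(6, 0)),
}

# Constructed login records (3 December 1997 was a Wednesday, 6 December a Saturday).
SAMPLE_LOG = [
    "1997-12-03 09:15 jsmith WS-ACCT-07",    # permitted
    "1997-12-03 02:15 jsmith WS-ACCT-07",    # outside hours
    "1997-12-06 10:00 jsmith WS-ACCT-07",    # Saturday
    "1997-12-03 10:00 jsmith WS-LOBBY-01",   # workstation not on the list
    "1997-12-03 23:30 nightops WS-NOC-02",   # permitted (overnight window)
    "1997-12-04 05:59 nightops WS-NOC-02",   # permitted
    "1997-12-04 06:00 nightops WS-NOC-02",   # window closed (end is exclusive)
    "1997-12-03 10:00 ghost WS-ACCT-07",     # no policy entry: denied by default
]

if __name__ == "__main__":
    for v in audit(POLICY, SAMPLE_LOG):
        print("outside policy:", v)
```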

FIREWALLS
Firewalls provide access control. They are usually aimed at preventing external security breaches, but can also provide additional internal security for corporate Intranets. Firewalls are a combination of software and hardware, usually consisting of a fast workstation located outside the LAN but inside the router link to the Internet. To be effective, all network traffic must pass through the firewall, whether going to the outside world or entering the LAN. The firewall permits only authorized traffic to pass either way. And the firewall must be impervious to unauthorized penetration. Premium firewalls run on special versions of the UNIX operating system, although Windows NT-based versions are starting to see some use. Some firewalls also support ancillary special features, such as Web URL filtering.

ENCRYPTION
Encryption is a data-scrambling technique that prevents information from being read by unauthorized people. It is used to protect data packets during transmission from one point to another. Encryption can be implemented in two ways: from the PC that originates the data, or from the server or Internet connection device that passes the data outside the LAN. Protected data is decrypted by a reciprocating destination LAN server or PC. Digital key technology is a common means of implementing encryption. A digital key bearing a secret value is used to encrypt data. Decryption can be performed only by someone who possesses the same key — much like secret agents passing coded messages from behind enemy lines. Encryption is a common security technique used to protect Virtual Private Networks (VPNs) and standard Intranets.

ANTIVIRUS
Computer viruses are to information systems as biological viruses are to people: disruptive, and sometimes deadly. A computer virus modifies programs and data, sometimes in an innocuous manner and sometimes with malicious intent. Some viruses erase applications and data from systems. Anti-virus protection software can be run from individual workstations or from a network server. This software scans incoming files and attachments to e-mail messages to protect PCs and the LAN from infection.

IDENTIFICATION AND AUTHENTICATION
On the Internet, no one can see who is using the system. Digital identification technology is used to identify who you are before you start using an information system. Authentication is the means for proving to the system that you actually are the person you claim to be. This is similar to the process of signing a check, then showing a driver’s license and a major credit card to a store clerk. Digital identification and authentication employs passwords, keys, physical tokens, badges, and smart cards — even fingerprints or voiceprints in advanced systems. Digital identification and authentication are particularly important for securing electronic commerce, which mostly operates outside the protection of a corporate Intranet’s security infrastructure.

CERTIFICATE AUTHORITY
Applications requiring absolute user identification employ digital signatures managed by a trusted organization called a certificate authority. Digital signatures are locked and unlocked with electronic keys, and filed in a directory of certificates that identify the users owning the keys. The certificate authority manages and distributes these certificates with their corresponding keys, and can be an in-house department or a third-party service provider. It is responsible for the complex process of registering new users, securing Web servers, distributing and updating private keys and certificates, recovering lost or forgotten keys, and maintaining audit trails.

Security brings peace of mind and allows organizations to pursue their business goals. But, in order to achieve true security, organizations must look beyond firewalls and implement many different elements of network protection.

Judy King is technical marketing manager for CyberGuard Corporation, a provider of network security and electronic commerce solutions. CyberGuard and its subsidiary, TradeWave Corporation, protect networks and online business communications and transactions with award-winning security products, services, and outsourced security management. For more information, visit the companies’ Web sites at www.cyberguardcorp.com.

Technology Marketing Corporation