Four out of five data crimes are inside jobs. Are you protected?
July 1, 2000
Recent news coverage of hackers such as “mafiaboy” — the 15-year-old charged in connection with a cyber attack that jammed CNN.com and up to 1,200 CNN-hosted sites — has reached the hearts and minds of IT professionals. The overarching lesson for the industry is that valuable data can be accessed and compromised unless protected.
Yet the portrait of the hacker as an outside enemy is not entirely accurate. Industry analysts estimate that in-house security breaches account for up to 90 per cent of the attacks on corporate computer networks.
According to Information Week’s recent Global Security Survey, “41 per cent of IT managers blamed authorized users and employees for their security problems and more than a third considered contracted service providers as being a security hazard.” Seventy-six per cent of the companies surveyed had experienced a security breach in the past year and a full 64 per cent said their organization experienced system downtime due to malicious activity — numbers that pinpoint hacking as a very real hazard.
Think about how much information crosses your network in simple text — emails, web pages, attached documents, business reports and accounting information. In most cases, none of the emails or attached documents you send to colleagues are encrypted. As such, protection must extend from external enterprise network security features including firewalls, network address translation and proxy servers, to essential internal features.
The solution is to ensure that even if network traffic is intercepted, it is completely worthless to a hacker. This involves encrypting all information that crosses your server, to ensure that all sensitive corporate information remains secure.
IT IS ALL ABOUT THE MESSAGE
The contents of ordinary web pages are, for the most part, text files — with the exception of graphics or executable content like Java applets. Yet, the World Wide Web or your business’ intranet servers are not the only places where business-critical plain text traverses the local area network (LAN). Incoming or outgoing email is typically non-encrypted. Even worse, the default mode for passwords that email clients use for authentication with their email server is also sent in plain text. This can be easily compromised if those passwords are intercepted. Even some of the electronic messages sent between network devices and network-administrators’ consoles are plain text and can be intercepted or forged.
Using commonly available software, such as protocol analyzers or even free tools on the Internet, any PC can be set to nab messages coming across its network interface card. In a shared LAN, with each PC hooked up via an Ethernet hub, every PC can see — and capture — every packet.
A switched Ethernet LAN appears less vulnerable, because individual end-user stations might only see traffic being sent to their own PC. Unfortunately, it is not difficult for an unscrupulous person — such as a corporate spy or disgruntled employee — to place remote PCs in key points where a lot of traffic traverses, such as between a router and WAN access point, and copy packets from there. And, if the miscreant has (or steals) the administrative access codes to routers or other network infrastructure equipment, packets can be stealthily copied or redirected to where they do not belong. By encrypting all network traffic, end-to-end, you can avoid this scenario.
Each message traversing the LAN, WAN or Internet using the Internet Protocol is broken down into many small parts, or packets. Each packet consists of two parts: a header, which contains routing information including the destination IP address, and the payload, or the actual data being sent over the network (a portion of an email message, a file being sent to a file server, or a login request for a network service).
Every device on the network, including PCs, servers, hubs, switches, routers and proxy servers, must be able to read and understand the IP header information. However, the payload must be understood by only two entities: the PC sending the message, and the device receiving the message. If the payload is encrypted, the packet’s ability to traverse the network is unimpaired — the only effect is to make the message more secure.
There are several widely used standards for encrypting network traffic — and ones which many Internet servers and browsers already understand. Those standards are all based on the concept of public key cryptography, where the factors of very large prime numbers are used to create extremely secure communications.
The most important standard is IPSec, or the IP Security Standard, which sets up encrypted sessions by making sure both network devices are using the same encryption algorithm, or method of encoding and decoding the payload. It then exchanges encryption keys between the two devices. IPSec is widely accepted by the Internet community, and IPSec support is built into nearly every modern web server and web browser.
Microsoft’s new operating system, Windows 2000, has incorporated IPSec encryption technology. Without even realizing that your emails are being encrypted, your correspondence remains safe. You can tell when your web browser is engaged in a secure session using IPSec and DES: Microsoft’s Internet Explorer displays a small yellow padlock at the bottom right of the screen; Netscape’s Navigator places a padlock at the bottom left.
Although IPSec is used to ensure that both parties in a secure session are using the same encryption algorithm, the IPSec standard itself does not define those algorithms, but can use any that is available to both PCs. These days, the most widely used encryption method is known as DES, or the Data Encryption Standard. Worldwide, the most common version of DES uses either 40-bit or 56-bit binary numbers as its encryption key. Support for DES is also built into many clients and servers.
MAKING ENCRYPTION PRACTICAL
The problem with securing network traffic is that the extra processing required to encrypt and decrypt every network packet is substantial. The heavy-duty mathematics it takes to apply a 40- or 56-bit DES encryption algorithm to each packet would make a noticeable difference to a PC’s performance. Every network transaction would appear sluggish and the PC’s ability to do other work, such as word processing or graphics, would be reduced. The effect is even greater on servers, which might be carrying on dozens or hundreds of simultaneous conversations with different PCs and with other servers.
You can instruct certain operating systems to engage in total end-to-end IP encryption across the LAN and WAN, but that is just not feasible without paying a high price in performance and usability. And the more the network is used, the worse the performance is. Studies by 3Com Corp. have shown that such encryption can reduce a desktop PC’s throughput by up to 77 per cent –when there is heavy use of secure sessions. That is like downgrading a 600MHz Pentium III-based PC to a 133MHz computer.
The solution may be to outsource — outsource the IPSec and DES cryptography, that is, to a dedicated microprocessor designed specifically to do that “heavy lifting,” without impacting the computer’s primary processor. Such a solution provides the best of both worlds: end-to-end IP encryption and full PC or server performance.
PROTECTION INSIDE AND OUT
Protecting a corporation’s valuable assets, both inside and out, from threats like hackers and frustrated or curious employees is now a strategic necessity. Firewalls, passwords and other defenses against information robbers are a good beginning. However, keep in mind that four out of five information crimes are initiated from the inside. End-to-end network encryption should be a top priority in keeping a company safe and secure. CS
Tony Mastroianni has more than 12 years of experience in the networking industry. He has been with 3Com Canada in Montreal since 1996 and is currently the company’s Director of Technology. Previously, he was one of 3Co
m’s channel network consultants, supporting reseller and distribution partners in Canada.